Privacy

FTC Muscles in on Health Privacy

In its July 29, 2016 decision in LabMD, Inc., the Federal Trade Commission clearly signaled its intent to get more involved in the regulation of health privacy. Specifically, the case indicates that the agency intends to go well beyond its traditional role of protecting consumers against deception and to begin scrutinizing the nuts and bolts of companies’ health data security practices.

In most cases, the privacy of individually identifiable health information is protected by HIPAA’s Privacy Rule, which is enforced by the Department of Health and Human Services. But HIPAA covers only data transactions between “covered entities” (providers, health plans, and health care clearinghouses) and their “business associates” (various kinds of service providers). A lot falls through the HIPAA cracks, including the communication of individual patient information between treating physicians and testing laboratories, which is not covered by the HIPAA Privacy Rule. (However, HHS has used HIPAA to determine that patients must be given access to their genetic testing data; see our prior coverage.) This is the crack that the FTC sought to fill in LabMD.

As I noted above, one piece of news in this case is the FTC’s move into the health privacy area. LabMD was in the clinical laboratory business from 2001 until 2014, when it suspended its testing business. However, it has retained its previously collected patient samples and data and continues to provide past test results to providers. Therefore, one lesson to be drawn from the decision is that if you are in the health business but not covered by HIPAA, you cannot assume that you are unregulated—the FTC will be watching, even if no one else is, for as long as you keep individual health data.

The second piece of news is how far the FTC is going in its regulatory efforts. The agency has long claimed a mandate to regulate privacy under section 5 of the FTC Act, which authorizes it to police “unfair or deceptive acts or practices in or affecting commerce.” Until the last few years, the FTC focused on the word “deceptive” in scrutinizing privacy practices. It said, in effect, “we won’t tell you what to do, but if you disclose a privacy policy to consumers, you have to live up to it”—to do otherwise would be deceptive.

Now the FTC is telling you what you have to do. In a series of recent business cases (involving, for example, car dealers and hotels), the FTC has gone beyond posted privacy policies to closely examine just what companies are doing to protect consumers’ personal and financial information. The agency is insisting that privacy and data security practices be reasonable, a loosely defined and evolving standard that seems to focus on industry best practices. The regulatory algorithm is that unreasonable privacy practices = unfair trade practices, and thus violate section 5. (The most comprehensive—albeit somewhat dated—statement of the FTC’s outlook can be found in its 2012 report on consumer privacy.)

This is precisely the approach the FTC took in the LabMD case. Among the data security practices deemed unreasonable were: failing to use an intrusion detection system, neglecting to monitor file integrity or traffic coming across the firewalls, never deleting any data, and not training employees. One consequence of this inattention was that employees installed P2P file-sharing software that exposed thousands of health records to the outside electronic world.

Exposed is a key word here: there was no evidence of any actual data theft. The FTC found this irrelevant, however. Its decision relied on the rarely cited section 5(n) of the FTC Act, which provides that an act or practice can be held unfair if it “causes or is likely to cause substantial harm to consumers.” So the threat of harm is enough, and the absence of actual harm is no defense.

A couple of other legal issues in the LabMD case are worth mentioning. The first concerns the FTC’s authority to judge the substantive adequacy of privacy practices, as opposed to merely ensuring that companies live up to their privacy policies. A number of FTC targets have challenged this authority, including LabMD, which asked both the FTC itself and two different federal courts to rule that the agency was going too far. Its requests were rejected, as has happened in every other case. The leading case is Wyndham Hotels (2015), where the U.S. Court of Appeals upheld the FTC’s authority to regulate the substance of cybersecurity.

A second point concerns remedies. While the FTC has the power to fine offenders, it did not seek a monetary penalty against LabMD. Instead, it imposed (via injunction) detailed requirements for improved security practices. Prospective targets should not take much comfort from this: the agency can seek fines, and LabMD complained bitterly about the burden imposed by the injunction. One piece of good news for targets is that private parties cannot sue for violations of the FTC Act, although they may have comparable rights under similarly worded state “Little FTC Acts” (e.g., North Carolina’s).

Practical Advice
Companies that collect, transfer, store, or use individual health information should keep these points in mind:

• The fact that you’re not a covered entity or business associate under HIPAA does not mean that you’re free from federal regulation—the FTC is aggressively asserting its authority in the interstices of privacy law.
• The FTC clearly believes that in privacy and data security, unreasonable = unfair and is thus illegal.
• Reasonableness is a fluid and evolving concept, likely to be tied to best practices in a given industry.
• To get a more specific idea of what the FTC thinks is and isn’t reasonable in the health context, read the full LabMD decision carefully, paying close attention to the technical details. In designing your own practices, avoid LabMD’s specific pitfalls, and whatever you do, do it better than LabMD did.
• The LabMD decision doesn’t mention this, but the FTC does not have jurisdiction to regulate nonprofits. Someone else—including your state government—will, however, and the FTC’s privacy standards are likely to provide a model for other regulators.

Filed under Legal & Regulatory, Pending Regulation, Privacy

EU Adopts New Privacy Shield for Data Transfers to U.S.

Back in April, we reported on some new developments in European Union law that have implications for the life sciences industry. One of these developments was in the privacy area—the final approval of the EU’s new General Data Protection Regulation (GDPR). The GDPR will have enormous significance for medical research and practice, since it will govern the collection and use of health data related to EU citizens. This month has brought a complementary and equally significant development, this time dealing with the transfer of personal data—including health data—from the EU to the U.S.

On July 12, 2016, the European Union announced that it had formally adopted the long-awaited EU-U.S. Privacy Shield to permit the transfer of personal data from EU countries to the United States.
Read the rest of this entry »

Filed under International Developments, Privacy

The EEOC’s Final Rule on GINA and Employer-Sponsored Wellness Programs to Take Effect This Month

On May 17, 2016, the Equal Employment Opportunity Commission (EEOC), which is the agency charged with enforcing Title II of the Genetic Information Nondiscrimination Act (GINA), issued a final rule changing how employers can set up incentives for the wellness programs they sponsor for their employees.

As previously reported on Genomics Law Report, on October 30, 2015 the EEOC had issued a proposed rule to amend the GINA regulations in an attempt to harmonize them with the Affordable Care Act’s promotion of employer wellness programs to lower health care costs. The EEOC indicated it had received more than 3000 public comments before the close of the comment period on January 28, 2016.

In short, the final rule allows employers to offer financial and in-kind incentives for an employee’s spouse to provide information about the spouse’s current or former health status as part of a health risk assessment in connection with a voluntary employer-sponsored wellness program so long as certain requirements are met.
Read the rest of this entry »

Filed under Genomic Policymaking, Genomics & Medicine, GINA, Legal & Regulatory, Privacy

Recent Developments in European Law with Implications for the U.S. Life Sciences Industry

The last several months have seen several developments in European privacy and intellectual property that have significant implications for life sciences interests—both commercial and academic—in this country. Here is a brief review:

1. Final Approval of Pending EU General Data Protection Regulation

On April 14, 2016, the Parliament of the European Union gave final approval to the long-discussed GDPR. It will replace the current regime of country-by-country laws under the 1995 Data Protection Directive. Whereas an EU Directive requires implementation by individual EU member states, the GDPR is a Regulation (much like a federal law in this country) that will take immediate effect in all EU countries in the spring of 2018.
Read the rest of this entry »

Filed under General Interest, International Developments, Legal & Regulatory, Pending Regulation, Privacy

EEOC Tries to Harmonize ACA’s Promotion of Employer Wellness Programs with GINA’s Ban Against Employer Access to Genetic Information of Employees and Employees’ Family Members

The Equal Employment Opportunity Commission (EEOC) is responsible for enforcing Title II of the Genetic Information Nondiscrimination Act (GINA), which prohibits employers from requesting genetic information (defined broadly) from their prospective, current, or former employees. GINA contains only six limited exceptions to this prohibition, one of which is an exception for wellness programs in which the employee’s participation is voluntary.

On October 30, 2015 the EEOC issued a proposed rule to amend GINA regulations in an attempt to harmonize them with the Affordable Care Act’s promotion of employer wellness programs to lower health care costs.
Read the rest of this entry »

Filed under Badges, General Interest, GINA, Legal & Regulatory, Privacy

How Privacy Law Affects Medical and Scientific Research

Over the last five or so years my law practice has focused increasingly on privacy law, both domestic and international. In hindsight, this was a predictable outcome: as an intellectual property lawyer, many of my clients do business on the Internet or are engaged in scientific research and development, with many of the latter in the health care area. These are the very kinds of people who need to worry about privacy—of their customers, users, patients, and subjects. As they started focusing on privacy concerns, these clients turned to their IP lawyers for help, and my Robinson Bradshaw colleagues and I have tried to stay ahead of their needs.

As a consequence of my growing privacy practice, I am regularly called on to give overviews to other lawyers as well as non-lawyers in the scientific and business communities. I thought it might be useful to devote a GLR post to a privacy law summary targeted at readers who conduct medical and other scientific research. Privacy law is a transnational mess, so this will be a bit longer than I’d like—my apologies, and please don’t shoot the messenger—but I’ll try to cut through the legal jargon.
Read the rest of this entry »

Filed under International Developments, Legal & Regulatory, Privacy