Privacy

Update on Chadam v. Palo Alto Unified School District

About a year ago we reported on a case involving allegations of genetic discrimination by a school district in California. According to the allegations, in fall 2012 the Palo Alto Unified School District used genetic information regarding cystic fibrosis in deciding to transfer a student away from his neighborhood school to another school.

Genetic nondiscrimination laws are stronger in California than anywhere else in the United States. CalGINA (S.B. 559), which took effect five years ago, extended genetic nondiscrimination rights beyond the narrow scope of the federal statute known as GINA, the Genetic Information Nondiscrimination Act of 2008, which prohibits genetic discrimination in employment and health insurance contexts. However, this case was interesting to Genomics Law Report largely because the plaintiffs did not rely on CalGINA in their complaint against PAUSD but instead focused on protections against “perceived disability” provided under the Americans with Disabilities Act or ADA (42 U.S.C.A. §§12131 et seq.) and Section 504 of the Rehabilitation Act of 1973 (29 U.S.C.A. § 794). The school district had convinced a federal district court to dismiss the complaint, but the plaintiffs filed an appeal in January 2016.

• Previous coverage of CalGINA is available here
• Previous coverage of Chadam v. PAUSD is available here

What’s happened since the appeal was filed in January 2016?
The U.S. Court of Appeals for the Ninth Circuit heard arguments on October 19, 2016, and issued a decision on November 15, 2016. The court’s ruling overturned the district court’s dismissal of the ADA and Section 504 claims and remanded the case to the district court for further proceedings. While the court issued an unpublished judgment, which “is not precedent except as provided by Ninth Circuit Rule 36-3,” the plaintiffs’ attorney, Stephen R. Jaffe, publicly announced on LinkedIn that it was “a great victory for personal privacy.” The Ninth Circuit Court of Appeals is allowing the ADA and Section 504 genetic discrimination claims to move forward, all based on the student’s genetic information being a “perceived disability.”

The court made its decision by determining that the district court erred in two ways. The first error was the district court’s finding that there was a “direct threat” defense available under the facts presented in the complaint. The school district had argued that it made its decision out of concern for the health or safety of other students at the school who do have cystic fibrosis and that it had made a reasonable judgment that the student posed a “direct threat” to those other students. According to the Ninth Circuit, the error in allowing a direct threat defense was twofold: (1) such a defense requires an individual assessment of the threat but, as per the facts in the complaint (which must be taken as true in evaluating a motion to dismiss), no such individual assessment was made; and (2) the school district’s decision that the student posed a direct threat was contrary to “reasonable judgment” with “best available objective evidence.” The district court’s second error was finding that the plaintiff had not shown the requisite intent to establish a claim for discrimination. Establishing a claim for discrimination, the Court of Appeals noted in its decision, does not require the plaintiff to show “bad motive, will, or animosity” or even an intent to cause harm. Rather, the action or decision to exclude someone categorically (e.g., because of protected class status) is “facial discrimination” and sufficient, even if no harm or injury was intended.

The case moves forward
The Ninth Circuit’s rejection of the motion to dismiss means that the case is back on track toward eventual trial. There are no apparent signs that the school district will settle the case. On December 21, 2016, the school district’s attorneys filed an answer to the amended complaint and raised a litany of affirmative defenses, including:

• failure to state a claim,
• lack of jurisdiction,
• lack of intent,
• immunity,
• defendant acted in conformity with law,
• equity (e.g., unclean hands and equitable estoppel),
• res judicata,
• statute of limitations,
• lack of standing,
• waiver/release,
• remedies not supported by claims, and
• no damages attributable to the defendant.

The defendant did not provide any details about these affirmative defenses to explain how or why they might be applicable. Because some affirmative defenses can be waived if not asserted, it is reasonable to treat these defenses for the moment as mere boilerplate—that is, inserted as a matter of lawyerly self-protection.

The court has ordered mediation to resume before March 14, 2017 and has since appointed a mediator to the case.

Keep this case on your watch list
Courts have never directly acknowledged a person’s genotype or carrier status as sufficient to pursue a “perceived disability” claim under the ADA or Section 504 protections against discrimination. A plaintiff’s victory would clarify (at least for people who live in the Ninth Circuit—CA, WA, OR, ID, MT, NV, AZ, AK, and HI) that those who are victims of genetic discrimination in areas of society other than employment or health insurance (the areas covered by GINA) are not left unprotected by federal law and are able to seek remedies under the Americans with Disabilities Act and Section 504.

The case is an important reminder that even if the PAUSD’s actions were permissible under federal law, state law (CalGINA) applicable at the time and applicable today prohibits school districts in California from using genetic information to make decisions about its students. The PAUSD’s decision to continue defending this case signals one or both of two things. The first is that defense attorneys believe that they can successfully slam the door on a broad ADA precedent that would allow “perceived disability” claims against those who discriminate based on genetic information. That seems somewhat unlikely, given the willingness of the Ninth Circuit to allow the case to proceed and the strength of the facts alleged by the plaintiff’s attorneys. The second is that the school district is focused solely on the money—either trying to minimize the size of any settlement or court award or trying to make sure an insurer is responsible for covering the payment of that settlement or award. Perhaps the PAUSD is showing its willingness to roll the dice if a reasonable court award is perceived as having a good chance of being substantially lower than any settlement amounts under consideration.

There has been very little public discussion of the case since initial interest when the appeal was filed last year. The plaintiff’s case has now survived a motion to dismiss, but the case has yet to be decided on the merits. For genetic rights advocates, this case should remain high on the watch list in 2017 with the Ninth Circuit Court of Appeals poised to strengthen genetic nondiscrimination rights through ADA and Section 504 case law.

Comments Off on Update on Chadam v. Palo Alto Unified School District
Filed under Genomic Policymaking, Genomics & Medicine, Genomics & Society, Pending Litigation, Privacy

FTC Muscles in on Health Privacy

600px-US-FederalTradeCommission-Seal.svgIn its July 29, 2016 decision in LabMD, Inc., the Federal Trade Commission clearly signaled its intent to get more involved in the regulation of health privacy. Specifically, the case indicates that the agency intends to go well beyond its traditional role of protecting consumers against deception and to begin scrutinizing the nuts and bolts of companies’ health data security practices.

In most cases, the privacy of individually identifiable health information is protected by HIPAA’s Privacy Rule, which is enforced by the Department of Health and Human Services. But HIPAA covers only data transactions between “covered entities” (providers, health plans, and health care clearinghouses) and their “business associates” (various kinds of service providers). A lot falls through the HIPAA cracks, including the communication of individual patient information between treating physicians and testing laboratories, which is not covered by the HIPAA Privacy Rule. (However, HHS has used HIPAA to determine that patients must be given access to their genetic testing data; see our prior coverage.) This is the crack that the FTC sought to fill in LabMD.

As I noted above, one piece of news in this case is the FTC’s move into the health privacy area. LabMD was in the clinical laboratory business from 2001 until 2014, when it suspended its testing business. However, it has retained its previously collected patient samples and data and continues to provide past test results to providers. Therefore, one lesson to be drawn from the decision is that if you are in the health business but not covered by HIPAA, you cannot assume that you are unregulated—the FTC will be watching, even if no one else is, for as long as you keep individual health data.

The second piece of news is how far the FTC is going in its regulatory efforts. The agency has long claimed a mandate to regulate privacy under section 5 of the FTC Act, which authorizes it to police “unfair or deceptive acts or practices in or affecting commerce.” Until the last few years, the FTC focused on the word “deceptive” in scrutinizing privacy practices. It said, in effect, “we won’t tell you what to do, but if you disclose a privacy policy to consumers, you have to live up to it”—to do otherwise would be deceptive.

Now the FTC is telling you what you have to do. In a series of recent business cases (involving, for example, car dealers and hotels), the FTC has gone beyond posted privacy policies to closely examine just what companies are doing to protect consumers’ personal and financial information. The agency is insisting that privacy and data security practices be reasonable, a loosely defined and evolving standard that seems to focus on industry best practices. The regulatory algorithm is that unreasonable privacy practices=unfair trade practices, and thus violate section 5. (The most comprehensive—albeit somewhat dated—statement of the FTC’s outlook can be found in its 2012 report on consumer privacy.)

This is precisely the approach the FTC took in the LabMD case. Among the data security practices deemed unreasonable were: failing to use an intrusion detection system, neglecting to monitor file integrity or traffic coming across the firewalls, never deleting any data, and not training employees. One consequence of this inattention was that employees installed P2P file-sharing software that exposed thousands of health records to the outside electronic world.

Exposed is a key word here: there was no evidence of any actual data theft. The FTC found this irrelevant, however. Its decision relied on the rarely cited section 5(n) of the FTC Act, which provides that an act or practice can be held unfair if it “causes or is likely to cause substantial harm to consumers.” So the threat of harm is enough, and the absence of actual harm is no defense.

A couple of other legal issues in the LabMD case are worth mentioning. The first concerns the FTC’s authority to judge the substantive adequacy of privacy practices, as opposed to merely ensuring that companies live up to their privacy policies. A number of FTC targets have challenged this authority, including LabMD, which asked both the FTC itself and two different federal courts to rule that the agency was going too far. Its requests were rejected, as has happened in every other case. The leading case is Wyndham Hotels (2015), where the U.S. Court of Appeals upheld the FTC’s authority to regulate the substance of cybersecurity.

A second point concerns remedies. While the FTC has the power to fine offenders, it did not seek a monetary penalty against LabMD. Instead, it imposed (via injunction) detailed requirements for improved security practices. Prospective targets should not take much comfort from this: he agency can seek fines, and LabMD complained bitterly about the burden imposed by the injunction. One piece of good news for targets is that private parties cannot sue for violations of the FTC Act, although they may have comparable rights under similarly worded state “Little FTC Acts” (e.g., North Carolina’s).

Practical Advice
Companies that collect, transfer, store, or use individual health information should keep these points in mind:

• The fact that you’re not a covered entity or business associate under HIPAA does not mean that you’re free from federal regulation—the FTC is aggressively asserting its authority in the interstices of privacy law.
• The FTC clearly believes that in privacy and data security, unreasonable=unfair and is thus illegal.
• Reasonableness is a fluid and evolving concept, likely to be tied to best practices in a given industry.
• To get a more specific idea of what the FTC thinks is and isn’t reasonable in the health context, read the full LabMD decision carefully, paying close attention to the technical details. In designing your own practices, avoid LabMD’s specific pitfalls, and whatever you do, do it better than LabMD did.
• The LabMD decision doesn’t mention this, but the FTC does not have jurisdiction to regulate nonprofits. Someone else—including your state government—will, however, and the FTC’s privacy standards are likely to provide a model for other regulators.

Comments Off on FTC Muscles in on Health Privacy
Filed under Legal & Regulatory, Pending Regulation, Privacy, Privacy

EU Adopts New Privacy Shield for Data Transfers to U.S.

Back in April, we reported on some new developments in European Union law that have implications for the life sciences industry. One of these developments was in the privacy area—the final approval of the EU’s new General Data Protection Regulation (GDPR). The GDPR will have enormous significance for medical research and practice, since it will govern the collection and use of health data related to EU citizens. This month has brought a complementary and equally significant development, this time dealing with the transfer of personal data—including health data—from the EU to the U.S.

On July 12, 2016, the European Union announced that it had formally adopted the long-awaited EU-U.S. Privacy Shield to permit the transfer of personal data from EU countries to the United States.
Read the rest of this entry »

Comments Off on EU Adopts New Privacy Shield for Data Transfers to U.S.
Filed under International Developments, Privacy, Privacy, Privacy

The EEOC’s Final Rule on GINA and Employer-Sponsored Wellness Programs to Take Effect This Month

Gina name tagOn May 17, 2016, the Equal Employment Opportunity Commission (EEOC), which is the agency charged with enforcing Title II of the Genetic Information Nondiscrimination Act (GINA), issued a final rule changing how employers can set up incentives for the wellness programs they sponsor for their employees.

As previously reported on Genomics Law Report, on October 30, 2015 the EEOC had issued a proposed rule to amend the GINA regulations in an attempt to harmonize them with the Affordable Care Act’s promotion of employer wellness programs to lower health care costs. The EEOC indicated it had received more than 3000 public comments before the close of the comment period on January 28, 2016.

In short, the final rule allows employers to offer financial and in-kind incentives for an employee’s spouse to provide information about the spouse’s current or former health status as part of a health risk assessment in connection with a voluntary employer-sponsored wellness program so long as certain requirements are met.
Read the rest of this entry »

Comments Off on The EEOC’s Final Rule on GINA and Employer-Sponsored Wellness Programs to Take Effect This Month
Filed under Genomic Policymaking, Genomics & Medicine, GINA, Legal & Regulatory, Privacy, Privacy, Privacy

Recent Developments in European Law with Implications for the U.S. Life Sciences Industry

Safe HarborThe last several months have seen several developments in European privacy and intellectual property that have significant implications for life sciences interests—both commercial and academic—in this country. Here is a brief review:

1. Final Approval of Pending EU General Data Protection Regulation

On April 14, 2016, the Parliament of the European Union gave final approval to the long-discussed GDPR. It will replace the current regime of country-by-country laws under the 1995 Data Protection Directive. Whereas an EU Directive requires implementation by individual EU member states, the GDPR is a Regulation (much like a federal law in this country) that will take immediate effect in all EU countries in the spring of 2018.
Read the rest of this entry »

Comments Off on Recent Developments in European Law with Implications for the U.S. Life Sciences Industry
Filed under General Interest, International Developments, Legal & Regulatory, Pending Regulation, Privacy, Privacy, Privacy

Genetic Discrimination Case Against School District is Appealed to Ninth Circuit

classroom-1534186As Stephanie M. Lee reported for Buzzfeed in a well-written account (which contains links to the relevant court documents), an appeal was filed in January with the Ninth Circuit Court of Appeals in the case of Chadam v. Palo Alto Unified School District (4:13-CV-04129-CW). At issue in the case is whether the school district violated a boy’s rights when it decided to force him to transfer schools. The student’s parents allege the transfer decision was because he is a carrier of a genetic variant associated with Cystic Fibrosis or CF (although he has not exhibited symptoms of the disease), and the appeal argues the trial court erred in dismissing the complaint that the school district’s decision to transfer violated his rights under Title II of the American’s with Disabilities Act or ADA (42 U.S.C.A. §12131 et seq.), Section 504 of the Rehabilitation Act of 1973 (29 U.S.C.A. § 794), and the First Amendment of the U.S. Constitution. At the trial court level, the school district successfully defended its decision to transfer the boy by arguing it relied on medical advice and made the decision in an attempt to protect other children at the school who have CF.
Read the rest of this entry »

Comments Off on Genetic Discrimination Case Against School District is Appealed to Ninth Circuit
Filed under Badges, Genomics & Medicine, Genomics & Society, GINA, Privacy

EEOC Tries to Harmonize ACA’s Promotion of Employer Wellness Programs with GINA’s Ban Against Employer Access to Genetic Information of Employees and Employees’ Family Members

Gina name tagThe Equal Employment Opportunity Commission (EEOC) is responsible for enforcing Title II of the Genetic Information Nondiscrimination Act (GINA), which prohibits employers from requesting genetic information (defined broadly) from their prospective, current, or former employees. GINA contains only six limited exceptions to this prohibition, one of which is an exception for wellness programs in which the employee’s participation is voluntary.

On October 30, 2015 the EEOC issued a proposed rule to amend GINA regulations in an attempt to harmonize them with the Affordable Care Act’s promotion of employer wellness programs to lower health care costs.
Read the rest of this entry »

Comments Off on EEOC Tries to Harmonize ACA’s Promotion of Employer Wellness Programs with GINA’s Ban Against Employer Access to Genetic Information of Employees and Employees’ Family Members
Filed under Badges, General Interest, GINA, Legal & Regulatory, Privacy, Privacy, Privacy