CMS and ONC Issue Regulations Proposing "Meaningful Use" Definition, Setting EHR Certification Standards

Today the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health IT (ONC) released two regulations relating to the Medicare and Medicaid incentives authorized by the American Recovery and Reinvestment Act of 2009 (ARRA).  Both rules have public comment periods of 60 days and are scheduled to be published in the Federal Register on January 13, 2010.  Final rules are expected to be issued in the spring of 2010.

EHR Incentives for “Meaningful Use”

The CMS Proposed Rule defines the criteria for “meaningful use” of certified electronic health record (EHR) technology. “Eligible professionals” (EPs) and hospitals that meet these criteria will be eligible for incentive payments beginning in 2011.

CMS proposes to phase in meaningful use criteria in three stages. The Proposed Rule focuses on the Stage 1 criteria, and CMS plans to propose Stage 2 and Stage 3 criteria in future rulemaking, with a goal of issuing proposed Stage 2 standards by the end of 2011 and proposed Stage 3 standards by the end of 2013. 

For Stage 1, which begins in 2011, CMS has proposed 25 objectives, or measures, for EPs and 23 objectives for eligible hospitals, all of which must be met in order for a provider to be deemed a meaningful EHR user.

Standards, Implementation and Certification Criteria

The ONC Interim Final Rule sets forth initial standards, implementation specifications and certification criteria for EHR technology.  These provisions specify the capabilities and related standards that certified EHR technology must include in order to support the proposed Stage 1 requirements for meaningful use.  This Rule goes into effect 30 days after publication in the Federal Register.

According to ONC, the standards set forth in the Rule “rely heavily on existing standards for the interoperability of health information technologies, including those established and/or promoted by Health Level 7 (HL7), the National Institute of Standards and Technology (NIST) and Integrating the Healthcare Enterprise (IHE).”  The standards, which fall into the categories of vocabulary, content exchange, transport and privacy/security, also rely upon classification and nomenclature systems such as SNOMED CT, ICD-9 and 10, X12, LOINC, NCPDP and RxNorm. 

ONC will issue a separate Notice of Proposed Rulemaking relating to the testing and certification process for EHRs and EHR Modules in early 2010. 

Supreme Court to Decide Reasonable Expectation of Privacy in Text Messages on Employer-Provided Devices

On December 14, the Supreme Court granted certiorari in City of Ontario v. Quon, a case that could set the parameters for the rights of employees in the workplace to privacy in their electronic communications, or just as easily be narrowly resolved on constitutional grounds with little implications for private employers.

Quon, an officer with the Ontario, California Police Department, was discharged after his employer searched the records of his city-issued pager and found personal and sexually explicit messages between Quon, his wife, his girlfriend, and a co-worker.  Though the city had a policy that it could monitor all employee electronic communications for inappropriate use, Quon's supervisor had communicated an informal policy under which the supervisor would not review the contents of text messages so long as officers exceeding their monthly allotment paid the difference.  Quon had paid the difference in every month that he had exceeded his allotment.

Notwithstanding this informal policy, the police department, as account holder, requested a copy of certain text message transcripts to determine why officers were exceeding their message limits, and discovered Quon's messages.  After being discharged, Quon sued his public employer for a violation of his Fourth Amendment rights, claiming that his supervisor created a constitutionally cognizable reasonable expectation of privacy in the messages by informally mentioning that they would not be reviewed.  In addition, Quon sued the telecommunications provider, Arch Wireless, under the federal Stored Communications Act ("SCA"), which prohibits electronic communication services, which transmit electronic communications such as e-mails and text messages, from disclosing these messages to anyone except to the sender, to the recipient, or in other limited circumstances.

Though the district court ruled against Quon on all claims, the Ninth Circuit reversed, finding that Quon and the recipients of the text messages had a reasonable expectation of privacy in their messages, as guaranteed by the supervisor's informal policy.  It also ruled that the telecommunications provider violated the SCA by disclosing the content of the communications to the city which, despite being the actual subscriber to the text messaging service, was not the technical "sender" or "recipient" of the text messages.  The Ninth Circuit denied a review of the case en banc, over the dissent of seven circuit judges.

Though the Supreme Court will determine whether the search of the text messages violated the Fourth Amendment, its decision could be important to private employers given that state law privacy rights are governed by an often-overlapping "reasonable expectation of privacy" standard.  Currently, many employers, like the city of Ontario, institute policies expressly disclaiming any potential right to privacy in their employees' electronic communications using company resources.  The disciplinary force of employment policies can be weakened by inaction or inconsistent application, but there would be serious implications for employers if those policies could also be undermined by conflicting representations by low-level managers that are not sanctioned by the company.

The Court will also review whether the city was required to abstain from reviewing the content of the text messages in favor of non-content information that could have revealed the information about pager use for which it was searching, and whether the recipients of the text messages -- Quon's wife, girlfriend, and co-worker -- had their constitutional rights violated by the city's search.

Though this case might give employers some pause, the Supreme Court's grant of certiorari in a Ninth Circuit case that created new case law contrary to that of other circuits, over the dissent of a number of that court's conservative judges, suggests the decision is ripe for overturning.  Nevertheless, it remains good law in the Ninth Circuit and is potential fodder for other employment lawsuits until the Supreme Court issues a decision in the case.  The more permanent and significant result of this appeal could be the Court's denial of certiorari on the SCA issue, leaving as good law in the Ninth Circuit the holding that electronic communication services cannot disclose the content of stored messages to organizational clients without the specific approval of the person either sending or receiving a particular message.  Employers, especially in the Ninth Circuit, should amend their electronic communications policies to obtain authorization from employees to review e-mails, text messages, and other electronic communications stored remotely by the vendors that process these messages, especially as more employers migrate their e-mail and other services to servers not owned or operated in-house.

Article 29 Working Party Claims Breach of PNR-Agreements

In a letter to the European Commission dated 4 December 2009, the European data protection authorities gathered in the Article 29 Working Party claim that the US and Australia are violating their respective Passenger Name Record (PNR) agreements with the EU. The letter - a copy of which was recently published on the website of the Dutch data protection authority - urges the European Commission to take immediate action to halt the breach and to resolve the matter with its US and Australian counterparts.

The EU/US PNR Agreement

The EU/US PNR Agreement, which has been in force since 26 July 2007, is already the third agreement between the EU and US establishing a legal framework for transferring EU-sourced PNR data to the US Department of Homeland Security (DHS). On the basis of assurances from DHS that the data will be safeguarded, the EU has agreed to the release by air carriers transporting passengers between the EU and the US of certain PNR data contained in their reservation systems. The 2007 Agreement changed the mode of data transmission from a “pull” system into a “push” system, at least for those air carriers complying with DHS’ technical requirements. However, the Article 29 Working Party has now found that the US authorities continue to “pull” PNR data through terminals based at their offices, even in cases where airlines are compliant with DHS’ technical requirements. According to the Article 29 Working Party, DHS currently has access to all PNR data for all flights by a particular airline, even if the flights have no connection with the US. The Article 29 Working Party further claims that the continued practice of pulling data is a clear breach of the Agreement, constituting “a sound reason to terminate the Agreement”. Under the Agreement, the EU has an exclusive remedy if it finds that the US has committed a breach: the EU can terminate the Agreement and revoke its determination that DHS is ensuring an adequate level of data protection. If the EU applies this remedy, the practical ramifications for air carriers will be significant in terms of EU data protection law compliance.

The EU/Australia PNR Agreement

The EU/Australia PNR Agreement was entered into on 30 June 2008 to provide a legal basis for the processing and transfer of EU-sourced passenger name record data by air carriers to the Australian Customs Service. The Agreement applies to airlines that have reservation systems and/or PNR data processed in the EU and operate flights between the EU and Australia. The Agreement allows for 19 different types of information - including travel itineraries and payment details but excluding sensitive personal data such as race or religion - to be shared with Australian Customs for the purpose of preventing and combating terrorism and other serious crimes.

According to the Article 29 Working Party, the Australian authorities are receiving all passenger PNR data from airlines rather than just the data specified in the Agreement. The Article 29 Working Party claims that Australia is violating the terms of the Agreement by demanding more information (than listed in the Agreement), which suggests that some EU-sourced PNR data are currently being processed by Australian Customs without adequate protection. The Agreement foresees the possibility to initiate a joint review of each party’s implementation of the Agreement, which appears to be the Article 29 Working Party’s preferred course of action to remedy this situation.

To be continued…

French Supreme Court invalidates whistle-blowing code

By Sarah Jacquier and Winston Maxwell

On December 8, 2009, the French Supreme Court found illegal a Code of Business Conduct put in place by the Dassault Group for compliance with Sarbanes-Oxley requirements.

Dassault’s Code of Business Conduct had two aspects: It (i) required employees to obtain an approval from their employer prior to using any information (not just confidential information but all information used for “internal purposes”) that employees could have knowledge of in the course of their employment and (ii) put in place a whistle-blowing policy whereby employees could - but had no obligation to - report any breach of the Code of Business Conduct, in accounting, financing, and anti-corruption matters. However, the policy also contemplated the possibility for employees to report any breach of the Code of Business Conduct in other matters (e.g. intellectual property rights, confidentiality, discrimination, harassment) to the extent the breach threatened Dassault Group’s vital interests or an individual’s physical or psychological integrity.

The Court ruled that requiring employees to obtain the prior approval of their employer before using any and all internal information infringed employees’ freedom of speech, which may be limited only in a proportionate manner. The prohibition was too broad, and therefore the proportionality test was not satisfied.

As far as the whistle-blowing policy is concerned, the Court ruled that the policy could not cover matters other than accounting, financing, and anti-corruption. In France, whistle-blowing policies need to be approved by the French data privacy authority (“the CNIL”) because their enforcement may lead to sanctions against employees. In 2005, the CNIL published a blanket authorization which generally authorizes whistle-blowing policies in France for Sarbanes-Oxley compliance purposes, but this authorization is limited to pure accounting, financing and anti-corruption matters. If a whistle-blowing policy exceeds the scope of the blanket authorization, it needs to be authorized on an individual basis. Otherwise, the whole policy will be deemed invalid, as confirmed by the Supreme Court’s decision.

Most international groups are reviewing the French versions of their Codes of Conduct to ensure that they comply with this new ruling.

House Passes Comprehensive Data Security Legislation

On December 8, the House of Representatives by voice vote passed H.R. 2221, entitled the "Data Accountability and Trust Act," which would require all organizations engaged in interstate commerce that manage or contract another to manage electronic data containing personal information to comply with a comprehensive set of standards designed to protect that information from unnecessary disclosure and to prevent identity theft and other fraud.

These measures include:

  • Requiring covered organizations to establish and implement comprehensive policies and procedures regarding information security practices for the treatment and protection of personal information, tailored to the individual organization's capabilities.  This would include:
    • the creation of a security policy;
    • the identification of a security officer or other individual as the point of contact for the organization's security program;
    • the creation of a process for assessing vulnerabilities to electronic systems containing personal information, including regular monitoring for security breaches;
    • the creation of a process for taking preventative and corrective action to mitigate against any vulnerabilities found; and
    • the creation of a process for the secure disposal of obsolete data.
  • Subjecting data brokers maintaining PII to standards similar to credit reporting agencies, including allowing individuals to request and correct false information maintained about them, and punishing data brokers for the unauthorized disclosure of personal information through "pretexting" -- that is, obtaining or hiring someone who obtains personal information of others through false pretenses.
  • Creating a federal data breach notification requirement that would mandate any organization suffering a breach of personal information to notify all affected individuals, unless it determines that there is no reasonable risk of identity theft, fraud, or other unlawful conduct (which can be presumed if the data is properly encrypted or otherwise rendered in an electronic form unreadable or undecipherable).  Organizations suffering breaches would also be required to provide consumer credit reports to affected individuals on a quarterly basis for two years.

The FTC would be directed to pass regulations and guidance implementing and interpreting many of the specifics, and would be granted civil enforcement authority through its power under the FTC Act to prevent unfair and deceptive trade practices.  In addition, the bill would empower state attorneys general to bring civil actions to enforce its provisions with regard to violations against residents of their respective states.

Penalties would be substantial.  The failure of any covered organization to implement a comprehensive data security program, or of data brokers to implement the requirements specific to them, would carry a maximum penalty of $11,000 per violation -- which in the case of the data security program would be $11,000 per day -- up to a maximum of $5,000,000.  Failing to comply with the breach notification provision would carry a penalty of up to $11,000 per failed notification, up to a maximum of $5,000,000, which could theoretically be reached by an unreported breach of the personal information of only 455 individuals.

Importantly, the bill would preempt the breach notification laws of forty-five states, the District of Columbia, Puerto Rico, and the Virgin Islands, as well as the recent controversial Massachusetts regulations requiring the creation of a comprehensive data security program and policy by all organizations maintaining the electronic personal information of residents of that state.  It would not, however, replace any of the parallel federal breach notification standards, such as the breach notification rule recently issued by the Department of Health and Human Services under the HITECH Act and other disclosure requirements under the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act.

Just last month, the Senate Judiciary Committee approved two bills very similar to H.R. 2221.  While there are some notable differences -- including criminal penalties, an applicability threshold for the data security program requirement, and express exemptions for entities in compliance with similar federal regulations in the Senate versions, and prohibition of pretexting and higher penalties in the House version -- all three bills have enjoyed bipartisan support and their purposes are aligned.  Though health care and other items remain higher on the Senate's agenda, and the full chamber is unlikely to vote on the bills for some time, proponents are now likely to point to the momentum generated by the passage of the House version to bring the issue before the Senate sooner rather than later.

District Court Explains Ruling that Red Flags Rule Doesn't Apply to Lawyers, Implies Limitation of Applicability to Banking, Lending, & Finance Sectors

On December 1, Judge Reggie Walton of the U.S. District Court for the District of Columbia issued a memorandum opinion in a lawsuit by the American Bar Association against the Federal Trade Commission, explaining his October 29 ruling from the bench that the FTC's Red Flags Rule does not apply to lawyers.  Holding that "[e]ven a cursory review of the language of [the Fair and Accurate Transactions Act (FACT Act), through which Congress authorized the creation of the Red Flags Rule, and other legislation defining relevant terms] and the purposes underlying their enactment leads the Court to the conclusion that it was not 'the unambiguously expressed intent of Congress' to bring attorneys within the purview of the FACT Act and thus subject them to regulation by the Commission's Red Flags Rule," Judge Walton rejected almost every argument put forth by the FTC and indicated that the court would similarly condemn any FTC attempt to apply the Rule to other professionals outside of the banking, lending, and financial sectors who bill periodically for services previously rendered.

Specifically, Judge Walton rejected the Rule's applicability to lawyers under both prongs of the Chevron test regarding judicial deference to agency interpretation, finding that no evidence indicated that Congress intended that rules promulgated under the FACT Act would apply to lawyers, but even if Congressional intent could be considered ambiguous, that the FTC's interpretation of the FACT Act and its resulting application of the Rule to lawyers was unreasonable and therefore undeserving of deference.


ONC Establishes New Privacy Office As Part of Reorganization

The Office of the National Coordinator for Health IT (ONC) has announced that it will establish a new Office of the Chief Privacy Officer as part of a reorganization to better support the adoption and implementation of health IT.  This office will be led by a Chief Privacy Officer, who will be named by the Secretary, and will advise the National Coordinator for Health IT and others on issues related to data privacy and security.

The changes to ONC’s operational structure became effective December 1, and in addition include the creation of four new offices:

  • (1) The Office of Economic Modeling and Analysis – This office will apply statistical and economic approaches to health IT investments and policies.
  • (2) The Office of the Chief Scientist – This office will evaluate health IT grant programs, track innovations, lead research efforts and develop education programs. It replaces the interoperability and standards group.
  • (3) The Office of the Deputy National Coordinator for Programs and Policy – Replacing ONC’s programs and coordination division, this office will oversee health IT grant programs.
  • (4) The Office of the Deputy National Coordinator for Operations – This office will replace ONC’s policy and research group and will perform activities such as budget formulation, facilities management, contract and grants management, and financial strategic planning.

All offices will report directly to David Blumenthal, the National Coordinator for Health IT.