Privacy and Security Law

As employers continue their efforts to safely bring employees back to the workplace, many have moved beyond initial pre-entry wellness checks or questionnaires and are considering technology solutions that monitor social distancing and conduct contact tracing in real-time. Along with introducing these enhanced capabilities, the question of the privacy and security of employee personally identifiable

On October 12, 2020, the California Attorney General issued its notice and third set of proposed modifications to the regulations implementing the California Consumer Protection Act (“CCPA”). These proposed modifications would change the regulations that were approved by the California Office of Administrative Law on August 14, 2020. The California Department of Justice is accepting

Recently, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), the agency enforcing the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, obtained two large breach-related settlements: one from a HIPAA Covered Entity and one from a HIPAA Business Associate.  These enforcement actions signal that despite COVID-19 related challenges, organizations continue to face rampant data breaches and ensuing HIPAA enforcement.

On September 25, 2020, OCR settled an investigation into a breach suffered by a large health insurer by obtaining the second-largest resolution payment in HIPAA enforcement history ($6.85 million).  This enforcement action resolved an investigation concerning potential violations of HIPAA Privacy and Security Rules related to a breach affecting the electronic protected health information (ePHI) of more than 10.4 million people.  The breach resulted from a phishing attack that introduced malware into the insurer’s IT systems and allowed unauthorized actors to gain access and remain undetected for nearly nine months.  Similarly on September 23, 2020, a business associate providing IT and health information management services to hospitals and physicians clinics entered a settlement ($2.3 million) with OCR for potential violations of HIPAA Privacy and Security Rules related to a breach affecting over 6 million people.  Essentially, these cyberattacks were advanced persistent threats that compromised the privacy and security of ePHI and PHI and revealed longstanding gaps in the companies’ cybersecurity controls.
Continue Reading Data Breaches and HIPAA Enforcement Remain Endemic Amidst the COVID-19 Pandemic

Earlier this summer, Ethan P. Davis, Principal Deputy Assistant Attorney General for the Civil Division of the U.S. Department of Justice (DOJ) delivered remarks addressing DOJ’s top priorities for enforcement actions related to COVID-19 and indicating that DOJ plans to “vigorously pursue fraud and other illegal activity.”[1] As discussed below, Davis’s remarks not only highlighted principles that will guide enforcement efforts of the Civil Fraud Section under the False Claims Act (FCA) and of the Consumer Protection Branch (CPB) under the Food, Drug, and Cosmetic Act (FDCA) and the Controlled Substances Act (CSA) in response to the COVID-19 public health emergency (PHE), they also provide an indication of how DOJ might approach enforcement over the next few years.

DOJ’S KEY CONSIDERATIONS & ENFORCEMENT STRATEGY FOR COVID-19

Davis highlighted two key principles that would drive DOJ’s COVID-related enforcement efforts: the energetic use of “every enforcement tool available to prevent wrongdoers from exploiting the COVID-19 crisis” and a respect of the private sector’s critical role in ending the pandemic and restarting the economy.[2] Under that framework, DOJ plans to pursue fraud and other illegal activity under the FCA, which Davis characterizes as “one of the most effective weapons in [DOJ’s] arsenal.”[3]

However, as DOJ pursues FCA cases, it will also seek to affirmatively dismiss qui tam claims that  DOJ finds meritless or that interfere with agency policy and programs.[4] DOJ also plans to collect certain information from qui tam relators regarding third-party litigation funders during relator interviews.[5] DOJ’s emphasis on qui tam cases—cases brought under the FCA by relators or whistleblowers—for COVID-related enforcement highlights the impact such matters have on DOJ’s enforcement agenda.[6]

  1. DOJ will consider dismissing cases that involve regulatory overreach and are not otherwise in the interest of the United States.

Although Davis emphasized that the majority of qui tam cases would be allowed to proceed, in order to “weed out” cases that lack merit or that DOJ believes should not proceed, DOJ will consider dismissing cases that “involve regulatory overreach or are otherwise not in the interest of the United States.”[7] This is consistent with the principles reflected in the 2018 Granston Memo that instructed DOJ attorneys to consider “whether the government’s interests are served” when considering whether cases should proceed and listed considerations for seeking alternative grounds for dismissal of FCA cases.[8] Davis gave examples throughout his speech of actions DOJ might consider dismissing:

  • Cases based on immaterial or inadvertent mistakes, such as technical mistakes with paperwork
  • Cases based on honest misunderstandings of rules, terms, and conditions
  • Cases based on alleged deviations from non-binding guidance documents
  • Cases against entities that reasonably attempted to comply with guidance and “in good faith took advantage of the regulatory flexibilities granted by federal agencies in the time of crisis.”[9]

DOJ litigators have been advised to inform relators of the possibility of dismissal.[10] Additionally, qui tam suits based on behaviors temporarily permitted during the COVID-19 pandemic, particularly in circumstances in which agencies exercised discretion to waive or not enforce certain requirements, might
“fail as a matter of law for lack of materiality and knowledge.”[11]

  1. DOJ will now include a series of questions during relator interviews to identify third-party litigation funders.

During each relator interview, DOJ has instructed line attorneys to ask a series of questions to identify whether the relator or their counsel has a third-party litigation funding agreement,[12] which is an agreement in which a third party—such as a commercial lender or a hedge fund—finances the cost of litigation in return for a portion of recoveries.[13] Under the new policy detailed in Davis’s speech, if a third-party funder is disclosed, DOJ will ask for the following:

  • the identity of the third-party litigation funder,
  • information regarding whether information of the allegations has been shared with the third party,
  • whether the relator or their counsel has a written agreement with the third party, and
  • whether the agreement between the relator or their counsel and the third party includes terms that entitles the third-party funder to exercise direct or indirect control over the relator’s litigation or settlement decisions.

Relators must inform DOJ of changes as the case proceeds through the course of litigation.[14] While Davis characterizes these changes as a “purely information-gathering exercise for the purpose of studying the issues,” the questions are in furtherance of DOJ’s ongoing efforts to uncover the potential negative impacts third-party litigation financing may have in qui tam actions. [15] The questions Davis referenced in his remarks reflect DOJ’s concerns with third-party litigation funding as expressed by Deputy Associate Attorney General Stephen Cox in a January 2020 speech.[16] Davis emphasized that DOJ particularly sought to evaluate the extent to which third-party litigation funders were behind qui tam cases DOJ investigates, litigates, and monitors; the extent of information sharing with third-party funders; and the amount of control third-party funders exercised over the litigation and settlement decisions.[17] While the Litigation Funding Transparency Act of 2019 has remained inactive since its introduction in February 2019 by Senator Grassley[18] and the 2018 proposal by the U.S. Court’s Advisory Committee on Civil Rights’ Multidistrict Litigation Subcommittee to require disclosure of third-party litigation funding remains under consideration,[19] DOJ’s plans to include this line of questioning potentially signals DOJ’s intention to take more concrete and significant steps to address third-party litigation funding in the future.


Continue Reading False Claims Act Enforcement During the COVID-19 Pandemic and Beyond

The regulations for the California Consumer Protection Act (“CCPA”) were approved by the California Office of Administrative Law on August 14, 2020 and went into effect immediately.   Earlier this year, the California Department of Justice proposed these regulations to govern the California Attorney General’s enforcement of CCPA. CCPA was signed into law on June 28,

As consumerism in healthcare increases, companies and the individuals they serve are increasingly sharing data with third-party application developers that provide innovative ways to manage health and wellness, among numerous other products that leverage individuals’ identifiable health data.  As the third-party application space continues to expand and data sharing becomes more prevalent, it is critical that such data sharing is done in a responsible manner and in accordance with applicable privacy and security standards. Yet, complying with applicable standards requires striking the right balance between rules promoting interoperability vis-à-vis prohibiting information blocking vs. ensuring patient privacy is protected. This is especially difficult when data is sent to third party applications that remain largely unregulated from a privacy and security perspective.  Navigating this policy ‘tug of war’ will be critical for organizations to comply with the rules, but also maintain consumer confidence.
Continue Reading Be Aware Before You Share: Vetting Third Party Apps Prior to Data Transfer

On July 7, the Court of Justice of the European Union (ECJ) invalidated the EU-US Privacy Shield framework in its ruling in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (Case C-311/18). More than 5,000 organizations in the United States have certified their adherence to this framework, and have relied on it to receive personal data from organizations in the EU in compliance with the General Data Protection Regulation (GDPR) since 2016. The framework was a joint effort between the US Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. The Department of Commerce released the following statement:

The United States shares the values of rule of law and protection of our democracies with our partners in the European Union (EU).  Therefore, we are deeply disappointed that the Court of Justice of the European Union (“ECJ”) has invalidated the EU-U.S. Privacy Shield framework.  The United States is reviewing this outcome and the consequences and implications for more than 5,300 European and U.S. companies, representing millions of transatlantic jobs and over $7.1 trillion in commercial transactions.

The United States and the EU have a shared interest in protecting individual privacy and ensuring the continuity of commercial data transfers.  Uninterrupted data flows are essential to economic growth and innovation, for companies of all sizes and in every sector, which is particularly crucial now as both our economies recover from the effects of the COVID-19 pandemic.  This decision directly impacts both European companies doing business in the United States as well as American companies, of which over 70 percent are small and medium enterprises.  The United States will continue to work closely with the EU to find a mechanism to enable the essential unimpeded commercial transfer of data from the EU to the United States.


Continue Reading ECJ Invalidated the EU-US Privacy Shield Framework

On January 1, 2020 California Consumer Privacy Act (“CCPA”) largely came into effect, albeit with several last-minute modifications and a need to promulgate regulations.  As our colleagues have discussed previously here, CCPA joins other California laws safeguarding California residents’ privacy rights under the California Constitution.  Despite uncertainty around the final regulatory parameters of the law, CCPA grants the California Attorney General (AG) the authority to begin enforcement on July 1, 2020. Further, there have been no indications that such enforcement will be delayed.

Re-issued Proposed CCPA Regulations

After the California legislature passed several amendments to the CCPA in October 2019, the California AG has been working on proposed regulations.  The proposed regulations, initially introduced on October 12, 2019, went through three rounds of comment periods and were recently amended and reissued as the “Final Text of Regulations” on June 1, 2020.  These proposed regulations notably add new aspects and regulatory hurdles to CCPA implementation most notably: (i) increasing requirements for initial notices; and (ii) adding new requirements on the contents in business’s privacy policies.  These reissued proposed regulations were submitted to the California Office of Administrative Law (OAL) for review.  The OAL has thirty working days to review these regulations, plus an additional sixty calendar days under the California Governor’s Executive Order N-40-20 related to the COVID-19 pandemic, to review the regulations for procedural compliance with state law.

CCPA Proposed Regulatory Framework

The CCPA applies to any for-profit business that: (i) collects personal information on California residents; (ii) does business in the state of California; and (iii) satisfies one or more of the following thresholds: (a) has annual gross revenues in excess of $25,000,000; (b) alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or (c) derives 50 percent or more of its annual revenues from selling consumers’ personal information.  Businesses that hit the thresholds will be covered even if they are located outside the state of California.

Notably, companies subject to CCPA must “at or before the point of collection” of personal information provide notice to consumers informing them of the categories of personal information the company collects and what purpose the information is used by the company.  In addition, CCPA requires businesses to post a clear and conspicuous link on their website that says “Do Not Sell My Personal Information” and then to enable consumers to opt-out of the sale of their data to third parties.  CCPA also establishes a wide-range of rights to consumers (as specified below).  Companies should be aware of the potential added cost of business in responding to these rights and ensure that they do not discriminate against any individual who exercises their rights under CCPA.


Continue Reading On the Verge of CCPA Enforcement: What Should Companies Do to Comply?

On March 9, 2020, the Office of the National Coordinator for Health Information Technology (“ONC”) and the Center for Medicare and Medicaid Services (“CMS”) published their long-awaited final rules that seeks to promote interoperability. Market participants waited longer than usual for this rule due to the Department of Health and Human Services (“HHS”) extending the comment period at the request of a variety of stakeholders.

The ONC’s rule (the “Final Rule”) supports interoperability by prohibiting “information blocking”.  Affected organizations (see below) will want to be considering the impact on contracts and developing compliance policies that reflect the requirements of the Final Rule. One aspect of needed compliance relates to the Final Rule’s exceptions to information blocking including a newly-added “content and manner” exception.

Generally, information blocking is defined as an action by an actor interfering with, preventing, or materially discouraging access, exchange, or use of electronic health information[1]  (“EHI”). Actors include health care providers, health IT developers, health information exchanges, or health information network. In the proposed rule, the ONC proposed seven exceptions to conduct that might otherwise be deemed information blocking. However, in the Final Rule, ONC created eight exceptions. Further, the ONC defined two categories of exceptions: (1) Exceptions that involve not fulfilling requests to access, exchange, or use EHI and (2) Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI. Each of the eight enumerated exceptions are categorized as follows:


Continue Reading ONC’s New Information Blocking Prohibition Affects Health Care Providers, Health IT Developers, Health Information Exchanges, and Health Information Networks

In a recent blog post, colleagues in our Employment, Labor & Workforce Management practice addressed the legal framework pertaining to coronavirus (COVID-19) risks in the workplace.  As the number of cases continues to the climb in the U.S., it is imperative that HIPAA covered entities and their business associates are aware of their privacy and security responsibilities in the midst of this public health emergency.  EBG provides this guidance on how to effectively respond to the coronavirus public health crisis while navigating patient privacy issues.
Continue Reading Public Health vs. Patient Privacy – How Coronavirus Is Putting HIPAA to the Test