Consumer Privacy:
Modifications to FCC Telemarketing Rules
and HIPAA Data Protection Regulations
Nancy L. Perkins
Arnold & Porter LLP
American Conference Institute
January 16, 2014
Overview
• Revised provisions of the Telemarketing Rules of the Federal Communications Commission (“FCC”) -- took effect in October 2013
  - New restrictions on “robocalls”
• Revised provisions of the privacy, security, enforcement and data breach notification rules of the Department of Health and Human Services (“HHS”) under the Health Insurance Portability and Accountability Act (“HIPAA”) -- took effect in March 2013
  - Expanded HHS jurisdiction over certain entities
  - Changed security breach notification standard
New FCC “Robocall” Rules
Purpose of FCC Modifications
• Respond to consumer complaints about unwanted autodialed and prerecorded telemarketing calls
  - Applies to calls to wireless numbers and residential landline numbers
• Align the FCC’s rules with the Telemarketing Sales Rule (“TSR”) of the Federal Trade Commission (“FTC”)
  - FTC’s rule also addresses robocalls
FTC v. FCC Jurisdiction
• FTC lacks jurisdiction over certain entities, including:
  - banks, credit unions, and savings & loan institutions
  - companies engaged in the business of insurance
  - common carriers
  - airlines
  - nonprofit organizations
• FCC, however, has jurisdiction over all these entities as well as those also regulated by the FTC
FCC v. FTC Rules
• FTC TSR: prohibits telemarketing calls that deliver prerecorded messages without prior express consent
  - FTC regulations implement the Telemarketing and Consumer Fraud and Abuse Prevention Act, 15 U.S.C. §§ 6101-6108.
• FCC TCPA: prohibits the use of an Automatic Telephone Dialing System (“ATDS”) to make phone calls or send text messages without prior express consent.
  - Telephone Consumer Protection Act, 47 U.S.C. § 227.
Two Major Changes to FCC Rules Went into Effect October 16:
• Elimination of “established business relationship” exception. A prior relationship is no longer an exception to the consent requirements for prerecorded telemarketing calls to either wireless or residential landline phone numbers.
• Prior express consent. Written consent is now required for such telemarketing calls.
No “Established Business Relationship” Exception
• Formerly, robocalls to residential landlines were permissible if there was an “established business relationship” – defined as:
  “a prior or existing relationship formed by a voluntary two-way communication between a person or entity and a business or residential subscriber with or without an exchange of consideration, on the basis of an inquiry, application, purchase or transaction by the business or residential subscriber regarding products or services offered by such person or entity, which relationship has not been previously terminated by either party.”
• Now, such a relationship does not relieve the caller of the requirement to obtain prior express written consent.
Prior Express Written Consent
• A signed written agreement clearly authorizing autodialed or prerecorded calls to a wireless number or prerecorded calls to a residential landline.
• No “grandfathering” of consents obtained under the FCC’s prior rules.
• BUT: Electronic signatures qualify as “written” consent, including in the form of:
  - Text message
  - Telephone keypress
  - Voice recording
Elements of Express Consent
• Each written consent must expressly:
  - Bear the signature (hard copy or electronic) of the person providing consent;
  - Specify the telephone number to which the person is consenting to be called;
  - Clearly authorize calling the person using an ATDS or prerecorded message for telemarketing purposes; and
  - Acknowledge that provision of the consent is not a condition of purchasing goods or services.
• Note: The FTC TSR simply says that a seller may not require consent as a condition of purchasing goods or services.
What Is an ATDS Call?
• The term “automatic telephone dialing system” is defined as equipment that has the capacity –
  - to store or produce telephone numbers to be called, using a random or sequential number generator; and
  - to dial such numbers
• Thus, courts have held that even where a plaintiff could not prove that the defendant used an ATDS to make the allegedly illegal telemarketing calls, the defendant may be liable if the system it used had the capacity to make the automated call.
Informational Calls vs. Telemarketing Calls
• Purely informational calls may be made to residential lines without prior express written consent.
• No autodialed or prerecorded calls, even purely informational calls, may be made to wireless lines without prior express consent.
• “Telemarketing” is broadly defined as:
  “the initiation of a telephone call or message for the purpose of encouraging the purchase or rental of, or investment in, property, goods, or services, which is transmitted to any person.”
Examples of Informational Calls
• debt collection calls
• airline notification calls
• bank account fraud alerts
• school and university notifications
• research or survey calls
• wireless usage notifications
• travel itinerary changes
• fraud alerts
• payment reminders
• flight status notifications
• utility outage notifications
• appointment reminders
Liability & Enforcement
• FCC enforcement actions
• Private right of action
• State laws are not preempted
• $500 per violation. Courts can increase the penalty to $1500 per violation for willful or knowing violations.
• TCPA violations carry significant risk, and TCPA litigation is on the rise.
FTC and FCC Cooperation
• In 2003, the FCC and the FTC entered into a Memorandum of Understanding, in which they agreed to joint enforcement:
  “The FCC and the FTC will work together in a cooperative and coordinated fashion to implement consistent, comprehensive, efficient, and non-redundant enforcement of federal telemarketing statutes and rules.”
  “The agencies will endeavor to avoid unnecessarily duplicative enforcement actions.”
  “The agencies will engage in joint enforcement actions, when necessary, appropriate and consistent with their respective jurisdictions.”
2013 Modifications to HIPAA Rules on Business Associates and Data Security Breaches
New Rules on Business Associates and Security Breach Notifications
• The January 2013 final rule implementing the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act made key changes to:
  - The definition of “business associate”
  - The trigger for notifications of data security breaches
• What is the significance of these changes and what new risks do they pose?
• How can those risks be mitigated?
Business Associates: Key Issues
• Who is now a business associate (“BA”) and who is not?
• When is a data transmitter a “conduit” and not a BA?
• When is a BA an agent, and why does that matter?
• What is newly required in a business associate agreement (“BAA”)?
• Must existing BAAs be revised and if so, when?
Business Associates: Who Are They Now?
Business Associate Definition
• A person who, for or on behalf of a covered entity (but not as a member of the covered entity’s workforce), creates, receives, maintains, or transmits protected health information (“PHI”) to perform:
  - a healthcare-related function or activity, or
  - legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services
New Additions to “Business Associate” Definition
• Patient Safety Organizations
• Health information exchange organizations
• E-prescribing gateways
• Vendors of personal health records
• Subcontractors
  - Each subcontractor of a BA is now itself a BA
  - Direct HIPAA liability for all BAs and BA subcontractors
  - HIPAA penalties applicable even to a sub-sub-sub-contractor
Business Associates versus Conduits
• An entity that transmits PHI for a covered entity may be either a BA or a mere “conduit”
• It is a BA if it requires access to the PHI on a “routine” basis
• It is a conduit if it has access to PHI only incidentally, on a random or infrequent basis
• The distinction is fact-specific and depends on:
  - the nature of the services provided
  - the extent to which the entity needs access to PHI to perform the service for the covered entity
Ambiguities of Conduit Definition
• Conduit example: a telecommunications company, even though it has access to PHI when it reviews data transmitted over its network, because the access is random and infrequent
• BUT: a “cloud” data storage entity, because it maintains PHI on behalf of a covered entity, is a BA (not a mere conduit), even if it does not actually view the PHI
• In both situations, the entity providing the service has the opportunity to access PHI -- the difference between the two situations is the transient versus persistent nature of that opportunity
How to Help Determine if You Are a BA
• Key questions:
  - Are you acting on behalf of any HIPAA covered entity?
  - Do your activities fit within the BA definition?
• Insufficient questions:
  - Has any of my business partners asked me to enter into a HIPAA BAA?
  - Is there a BAA between any of my business partners and a covered entity?
  - Do I need access to PHI to perform my job?
Example: Researchers (context 1)
• Medical researchers generally need PHI to perform clinical or other investigatory research, and
• Researchers frequently enter into agreements with covered entities to obtain PHI
BUT:
• Research is not among the types of services listed in the “business associate” definition
• BAAs with researchers do NOT permit covered entities to disclose PHI for research without an individual’s written authorization
Example: Researchers (context 2)
• Researchers often need PHI to identify potential research subjects for human clinical trials
• A covered entity may not, without obtaining individual authorizations, share PHI with researchers for purposes of contacting potential research subjects
BUT:
• Covered entities, as part of their health care operations activities, may use PHI to contact individuals to obtain authorizations for disclosure of their PHI to others, including researchers
• A covered entity may enter into a BAA with a researcher, so the researcher, acting as a BA, can contact individuals to obtain their authorizations for disclosure and/or use of their PHI for the intended research
Example: Document Storage Company
• A document storage company has numerous customers, including accountants and lawyers
• Among the documents stored by the company are some containing PHI, to which the company has ready access
• None of the company’s customers has suggested the need for a BAA
NEVERTHELESS:
• The company should ask its customers whether the documents being stored contain PHI, and if the customers obtained the PHI from any covered entities
• NOTE: The company may be a sub-BA even if there are no BAAs between its customers and covered entities, if there are BA relationships
BAs as “Agents”
• BAs may be “agents” of a covered entity (or of another BA of which they are a sub-BA)
  - Common law rules determine when an independent entity/contractor is an “agent”
  - Generally, common law defines an “agent” as a person acting on another’s behalf, i.e., as a representative of another -- but there are nuances
Indicia of Agency Relationship
• Right or authority of an entity to control the conduct of another in the course of the other’s performance of a function or service on behalf of the entity
• Key questions in the BA context:
  - Can the covered entity direct the specific actions of the BA after the relationship is established?
  - Or does the BA have autonomy to decide how to perform its service for the covered entity?
• Every circumstance must be examined on its facts
• Labels or titles of entities or of their relationship are not determinative
Nuances of Agency Determinations
• A BA can be an agent of a covered entity even if:
  - The covered entity cannot control all aspects of the BA’s activities
  - The covered entity does not actually exercise its authority to control the BA’s activities
  - The covered entity is not physically close to the BA for oversight purposes
Significance: Liability for Conduct of Agents
• Liability for an agent’s conduct is imputed to the principal, but:
• A covered entity is not liable for acts/omissions of its agent-BA if the covered entity acted with reasonable diligence, i.e., it:
  - did not know about the act/omission, and
  - could not, by exercising reasonable diligence, have known about the act/omission
• A covered entity is liable for acts/omissions of its agent-BA if the covered entity acted with willful neglect, i.e., it:
  - had actual or constructive knowledge of the act/omission, or
  - acted with “reckless indifference” with respect to the agent’s acts/omissions
Example: Imputed Knowledge of Data Security Breach
• Business associate is not the covered entity’s agent: knowledge of a breach will be imputed to the covered entity as of the date of notification of the covered entity by its business associate
• Business associate is the covered entity’s agent: knowledge of a breach will be imputed to the covered entity as of the date of discovery of the breach by the business associate
Business Associate Agreements
BAA Requirements and Significance
• Business Associate Agreements are required:
  - Between a covered entity and each of its BAs
  - Between a business associate and each of its subcontractor BAs (“sub-BAs”)
• But: being a business associate does not depend on entering into a BAA
• Business associates are liable for violations of the HIPAA rules even if no BAA is in place
Timing for BAA Compliance
• New BAAs: Any BAA executed after January 25, 2013 must be in compliance by September 23, 2013.
• Transition Rule for “Grandfathered” BAAs: if
  - a written BAA was in place before January 25, 2013, and
  - the BAA is in compliance with the HIPAA Rules then in effect, and
  - the BAA was not and will not be modified between March 26, 2013 and September 23, 2013, then:
  the BAA will be deemed compliant until the earlier of (1) the date it is renewed or modified or (2) September 22, 2014.
Newly Required Content of BAAs
• Each BAA must now include:
  - Statement that the BA must comply with the HIPAA Security Rule
  - Requirement for the BA to report to the covered entity any breaches of the security of unsecured PHI
  - Mandate for the BA to execute formal, written BAAs with each subcontractor (each of which is now itself a BA)
  - Requirement for the BA to provide access to electronic PHI in electronic form, as requested by an individual
  - Statement that any fulfillment by the BA of the covered entity’s responsibilities under the HIPAA Rules (such as delivering privacy notices or breach notifications) must be in compliance with the Rules as they apply to the covered entity
Content to Consider for BAAs
• Timing for performance of obligations
  - Provision of access to PHI
  - Amendment of PHI
  - Reporting of breaches of security
• Use of subcontractors
  - Qualification for subcontractors (e.g., cloud data storage providers)
  - Timing for security breach notification from subcontractors
• Disclaimer of agency relationship or third-party beneficiary rights
• Specificity of BA obligations so the BA is not deemed subject to interim direction by the covered entity (as would be an agent)
Data Security Breach Notifications
New Standard for Breach Notification
• Interim Final Rule: Risk of Individual Harm
• Final Rule: Presumption of Need to Notify
Prior Notification Trigger
• Under the Interim Rule, breach notification was required when:
  - PHI was acquired, accessed, used or disclosed in a manner not permitted by the Privacy Rule that compromised the security or privacy of the protected health information, and
  - The unauthorized acquisition, access, use or disclosure would reasonably be deemed to pose a significant risk of financial, reputational, or other harm to the individual
New Notification Trigger
• The Final Rule eliminates the harm standard
• Now, there is a presumption that a breach has occurred unless:
  - The covered entity can demonstrate, through a documented risk assessment, that there is a low probability that the PHI has been compromised
Risk Assessment
• Unless covered entities simply prefer to notify affected individuals, they must conduct a risk assessment of any known or suspected breach
• A risk assessment must evaluate all of the following factors in determining whether notification is required:
1. The nature and extent of the PHI involved
2. The type of unauthorized person in receipt of the PHI as a result of the breach
3. Whether the PHI was actually “acquired or viewed”
4. The extent to which the risk to the PHI has been mitigated
• Other factors may also be considered
Risk Assessment Questions (Part 1)
• What type and amount of PHI was subject to disclosure? For example:
  - Was it just a list of a dentist’s charges to a particular medical account number?
  - Or was it a record of an abortion or a prescription for AIDS medication?
Risk Assessment Questions (Part 2)
• Who impermissibly used or accessed the PHI?
• Do the HIPAA Privacy and Security Rules, or any similar statutory or regulatory protections for data privacy, apply to the unauthorized recipient?
  - If so, there may be a lower probability that the protected health information has been compromised, since the recipient is required to keep the information confidential and protect its security.
Risk Assessment Questions (Part 3)
• Was the PHI returned before there was an opportunity for it to be actually acquired or viewed?
  - For example, if the PHI was in a file stored on a laptop computer that was lost or stolen but then recovered, and a forensic analysis shows that the file was not opened or transferred, the probability of compromise of the PHI is low.
  - In contrast, if a fax containing PHI went to the wrong patient, there would be a higher probability of misuse.
Risk Assessment Questions (Part 4)
• Were steps taken to mitigate the risk of harm, such as obtaining satisfactory assurances from the unauthorized recipient of PHI that the PHI will not be retained or further used or disclosed?
• If a written confidentiality agreement is obtained that provides commitments to that effect, it may be reasonable to conclude that there is a low probability that the PHI was compromised.
Security Breach Response Plan
• Do you have a security breach response plan in place?
  - Require reporting of any known or suspected security breach
  - Train employees and agents on reporting obligations
  - Identify individuals to head up breach investigations
  - Ensure investigations will identify the key criteria for breach notification
• Are you ready to provide timely notifications of a breach?
  - Inventory your contact information for patients
  - Obtain permission to notify them by e-mail
  - Prepare standard breach notification letters
For Further Information, Contact:
Nancy L. Perkins
Arnold & Porter LLP
202.942.5065