HIPAA Enforcement Continues Under Right of Access Initiative

On March 28, 2022, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the resolution of two additional cases as part of OCR’s HIPAA Right of Access Initiative.

The Right of Access Initiative was launched by OCR in 2019 “to support individuals’ right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule” as explained by OCR. In the March 28 announcement, OCR indicated its continuing commitment to enforce compliance with the HIPAA Rules, including the “foundational” Right of Access provision. With the two most recent cases, there have now been 27 investigations and settlements under the Right of Access Initiative (see full chart below).

Nearly all of the investigations in the Right of Access Initiative involve a single individual unable to obtain a copy of some or all of their protected health information from a health care provider or to do so within the timeframe required or in accordance with fees permitted by the HIPAA Privacy Rule. In some cases, additional issues found during the investigation, such as failure to have conducted a HIPAA risk assessment or lack of HIPAA policies, are part of the settlement.  In all cases, in addition to the monetary penalty, the settlement has included a Corrective Action Plan imposing various obligations, such as policy development, training, and mandatory reporting to OCR.

The Right of Access Initiative remains one of the most active areas of HIPAA enforcement. In its most recent Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance, OCR noted that right of access was the third most common issue of complaints resolved. Moreover, the Right of Access Initiative coordinates with the ONC 2020-2025 Federal HIT Strategic Plan and the goal of “Providing patients and caregivers with more robust health information.” It is a core tenet of the Federal HIT Strategic Plan that access to health information will “better support person-centered care and patient empowerment.”

©2022 Epstein Becker & Green, P.C. All rights reserved.

Better Late than Never, Just About – UK Government Issues Workplace Guidance on Living with COVID

So with Covid 19 now officially behind us for all purposes (except actual reality, obviously), we have now been graced by the Government’s new “Living with Covid” guidance.  This was due to come into force on 1 April and was released fashionably late in the afternoon on, well, 1st April.  You could say with some justification that this did not give employers much time to prepare, but that is OK because on close review of the guidance there is in fact very little to prepare for.  As a steer to businesses, this is little short of directionless.

First, it makes the obvious point that the abolition of the requirement to give covid express consideration in workplace risk assessments does not take away any of the employer’s obligations to continue to comply with its health & safety, employment and equality duties (in the latter two cases, although unsaid, presumably as they may be affected by the former).

From there, the Government moves to normalise covid through a long list of symptoms common to it, colds, flu and other respiratory diseases – fair enough so far – but also to other quite unrelated conditions such as hangovers, migraines, food poisoning, being unfit, malaria and frankly just getting old (“unexplained tiredness, lack of energy”).  The list is significantly expanded from the traditional trio of continuous cough, fever, loss of taste and smell and now also includes muscle pain, diarrhoea, headache, loss of appetite and “feeling sick” (what, really?). Some medical practitioners say that this is long overdue recognition of all the things covid can do to you. However, it is still a wincingly unhappy expansion for employers, since the published list now essentially includes something from pretty much every ailment known to man. The guidance notes that it will not usually be possible to tell whether you have covid or something else from the symptoms alone and of course the free testing by which that could have been determined in the past is now largely withdrawn.  Therefore the guidance to individuals is that “if you have symptoms of a respiratory infection such as covid and you have a high temperature or you do not feel well enough to go to work, you are advised to try to stay at home and avoid contact with other people” and then “Try to work from home if you can.  If you are unable to work from home you should talk to your employer about options available to you”.  Given the rich panoply of symptoms now available to the discerning malingerer, justifying taking yourself home for five days while you work out whether your headache is covid or just a headache has never been so easy.

As a result, the burden is shifted squarely to employers to keep up the anti-covid fight, and in particular to decide whether to maintain restrictions on entry to their premises for those who are unvaccinated and/or untested.  Both will be increasingly difficult to sustain in view of the obvious official indifference to the question evidenced by the guidance, which focuses instead on the traditional measures of ventilation, regular cleaning of high-touch surfaces, provision of sanitiser and hygiene advice, etc. The other big hole in the guidance is as to the employer’s rights (or is it obligation?) to send someone home if they have one or more of that long list of potentially relevant symptoms, and even if the employee himself feels able to work and/or cannot work from home.  Nor does it deal with the employees’ sick pay rights in those cases.

Taking a reasonably hawkish view of those two questions:-

  1. If you know that the employee has symptoms which could well indicate that he is suffering from covid, and even if it could equally be something less serious, are you complying with your Health & Safety at Work Act duty to take all reasonably practicable steps to maintain a safe system of work if you allow him in anyway? If he works in a sparsely-occupied, well-ventilated area, perhaps yes, but otherwise probably not. Given the virulence of Omicron, it is unarguably foreseeable that allowing someone who may have it to breathe wantonly on other people may lead to their contracting it too. It is also clearly foreseeable, if no longer as much so as with the earlier covid variants, that those other people may become properly ill or die as a result. Put mathematically, breach of duty + foreseeable risk of injury + causation + actual injury = liability.

So in my view, despite the vacuum in the new guidance, an employer not just can, but really should send home immediately an employee with any material case of the symptoms listed, as a minimum until it becomes clear that the real issue is something else (though not malaria – best not let them in either).

A firm stance on this will also help combat reluctance to return to the office among those staff concerned about the health risk of doing so.  If they or their cohabitants are particularly vulnerable, the knowledge that basically no precautions are being taken to ensure that those present in the workplace are all covid-free will only feed those anxieties.

  2. If the employee is sent home on these grounds and cannot work there, will he be entitled to full salary (as it was not by his choice) or sick pay only? In many cases he will be back within a week and the two may be the same. Where they are not, however, I believe that it would strictly be sick pay only – though the employee may himself be physically able to work, he is practically unable to do so by reason of his own possible medical condition, the risk it may pose to others in the workplace and the duty of the employer to take reasonable steps to head off that risk. That said, there are employment relations arguments both ways on this – on the one hand, that the symptoms listed are so varied and transient that they represent an easy avenue for abuse, and on the other that if reporting them means you get packed off home on reduced pay (perhaps none until SSP kicks in on day 4), you are much less likely to report them in the first place and will probably prefer to pass your day posing an undeclared but potentially quite serious risk to your colleagues.

© Copyright 2022 Squire Patton Boggs (US) LLP

President Biden’s FY 2023 Budget Request Would Strengthen TSCA and Tackle PFAS Pollution

On March 28, 2022, the Biden Administration submitted to Congress President Biden’s budget for fiscal year (FY) 2023. According to the U.S. Environmental Protection Agency’s (EPA) March 28, 2022, press release, the budget makes critical investments, including:

  • Strengthening EPA’s Commitment and Ability to Implement Toxic Substances Control Act (TSCA) Successfully: The budget provides $124 million and 449 full time equivalents (FTE) for TSCA efforts “to deliver on the promises made to the American people by the bipartisan Lautenberg Act.” According to the budget, “[t]hese resources will support EPA-initiated chemical risk evaluations and protective regulations in accordance with statutory timelines.”
  • Tackling Per- and Polyfluoroalkyl Substances (PFAS) Pollution: PFAS are a group of man-made chemicals that threaten the health and safety of communities across the United States. As part of the President’s commitment to tackling PFAS pollution, the budget provides approximately $126 million in FY 2023 for EPA to increase its understanding of human health and ecological effects of PFAS, restrict uses to prevent PFAS from entering the air, land, and water, and remediate PFAS that have been released into the environment. EPA states that it will continue to act on its PFAS Strategic Roadmap to safeguard communities from PFAS contamination.
©2022 Bergeson & Campbell, P.C.

The X Box: EEOC Announces Addition of Nonbinary Gender Option to Discrimination Charge

In recognition of Transgender Day of Visibility, today, the EEOC announced that it would be providing members of the LGBTQI+ community the option to select a nonbinary “X” gender marker when completing the voluntary self-identification questions that are traditionally part of the intake process for filing a charge of discrimination.

Specifically, in an effort to promote greater equity and inclusion, the EEOC will add an option to mark “X” during two stages of the intake and charge filing process. This addition will be reflected in the EEOC’s voluntary demographic questions relating to gender in the online public portal, which individuals use to submit inquiries regarding the filing of a charge of discrimination, as well as related forms that are used in lieu of the online public portal. The nonbinary “X” gender marker will also be included in the EEOC’s modified charge of discrimination form, which will also include “Mx” in the list of prefix options.

Additionally, the EEOC will incorporate the CDC and NCHS’s proposed definition of “X,” which provides as follows: (1) “unspecified,” which promotes privacy for individuals who prefer not to disclose their gender identity; and (2) “another gender identity,” which promotes clarity and inclusion for those who wish to signify that they do not identify as male or female.

The EEOC’s announcement came shortly after the White House released a detailed Fact Sheet highlighting the steps the federal government has taken to address equality and visibility for Transgender Americans.

©2022 Roetzel & Andress

PFAS Air Regulations Proposed By House

In the latest federal legislative move to try to force the EPA to take quicker action than contemplated by the agency’s PFAS Roadmap of 2021, a bill was recently introduced in the House that would require the EPA to set air emission limits for all PFAS under the Clean Air Act. PFAS air regulations are something that advocates concerned about PFAS pollution issues beyond just drinking water have advocated for in the past few years. There are barriers, though, to achieving the desired results even if the legislation passes. Nevertheless, the federal legislative activity underscores the need for all companies that are currently using PFAS in their manufacturing or industrial processes to understand the full scope of compliance needs when and if PFAS air regulations become a reality.

House Bill For PFAS Air Regulations

On March 17, 2022, a bipartisan group in the House introduced the “Prevent Release Of Toxics Emissions, Contamination, and Transfer Act of 2022” (also known as the PROTECT Act of 2022 or HR 7142). The aim of the bill is to require the EPA to list all PFAS as hazardous air pollutants (HAPs) under the Clean Air Act. If passed, the designation as HAPs would require the EPA to develop regulatory limits for the emission of PFAS into the air.

The proposed steps, however, go well beyond the EPA’s own plan for potential PFAS air regulations as detailed in the EPA’s PFAS Strategic Roadmap 2021. In the PFAS Roadmap, the EPA indicates that it commits to performing ongoing investigation to:

  • Identify sources of PFAS air emissions;
  • Develop and finalize monitoring approaches for measuring stack emissions and ambient concentrations of PFAS;
  • Develop information on cost-effective mitigation technologies; and
  • Increase understanding of the fate and transport of PFAS air emissions to assess their potential for impacting human health via contaminated groundwater and other media pathways.

The EPA committed to using this information and data in order to, by the Fall of 2022, “evaluate mitigation options”, which could include listing “certain PFAS” as HAPs. However, the EPA also indicated that it might use other regulatory or non-regulatory tools to achieve results similar to formal PFAS air regulations under the Clean Air Act.

The bill, therefore, would considerably accelerate the EPA’s process for potential HAPs, which in turn could result in legal challenges to any rushed HAPs, as the EPA would not have had the opportunity to collect all necessary data and evaluate the soundness of the science behind any HAP designation.

Impact On Business

Any designation of PFAS as HAPs under the Clean Air Act will of course immediately impact companies that are utilizing PFAS and emitting PFAS into the air. While it remains to be seen whether the PROTECT Act will pass, if it were to pass and the EPA’s HAP designations were to survive any legal challenges, the impacts on businesses would be significant. Companies would need to undertake extensive testing of air emissions to determine their risk of Clean Air Act violations, which will be complicated due to limitations on current technology to do this type of testing. Companies may also need to pivot their production practices to reduce or limit PFAS air emissions, which would add unplanned costs to balance sheets. Finally, companies may wish to explore substitutes for PFAS rather than navigate Clean Air Act regulatory compliance, which is a significant undertaking that takes time and money.

It is also worth noting that a designation as a HAP for any PFAS would also trigger significant regulatory challenges to businesses that might have nothing to do with air emissions. Any substance listed as a HAP under the Clean Air Act is automatically designated as a “hazardous substance” under CERCLA (the Superfund law). Once a substance is classified as a “hazardous substance” under CERCLA, the EPA can force parties that it deems to be polluters to either clean up the polluted site or reimburse the EPA for the full remediation of the contaminated site. Without a PFAS Superfund designation, the EPA can merely attribute blame to parties that it feels contributed to the pollution, but it has no authority to force the parties to remediate or pay costs. The designation also triggers considerable reporting requirements for companies. Currently, those reporting requirements with respect to PFAS do not exist, but they would apply to industries well beyond just PFAS manufacturers. Superfund site cleanup costs can be extensive, even as high as hundreds of millions of dollars, depending on the scope of pollution at issue and the amount of territory involved in the site.

©2022 CMBG3 Law, LLC. All rights reserved.

USCIS Policies Lead to High Denial Rates for L-1B Petitions

The L-1B nonimmigrant visa program is regularly utilized by companies to transfer employees with specialized knowledge from foreign countries to the United States. According to a recent analysis, the program continues to experience significant denial rates, raising questions about the underlying causes of the phenomenon.

L-1B Visa Program

The L-1B Visa Program allows employers to transfer certain nonimmigrant employees from foreign offices to offices within the United States. Specifically, the employment-based nonimmigrant visa program allows the transfer of professional employees with specialized knowledge relating to the organization’s interests from foreign offices to the United States, sometimes even to establish a U.S. office. To qualify under the program, the employee must possess “specialized knowledge,” which, according to the U.S. Citizenship and Immigration Service (“USCIS”), requires knowledge of the petitioning employer’s product, service, research, equipment, techniques, management, or other interests. USCIS evaluates L-1B petitions on a case-by-case basis.

In practice, L-1B petitions are filed by employers on behalf of their employees seeking intracompany transfer. While an employer may file an L-1B petition for an individual employee, larger companies may have the option to file a “blanket petition” so long as the company meets certain criteria. When petitioning for individual employees, the petition must be approved and then taken to a U.S. consulate for approval. For blanket petitions that have been approved, the employer need only submit a Form 129S, Nonimmigrant Petition Based on Blanket L Petition, which then may be taken to a consulate for approval.

High Denial Rates of L-1B Petitions

A recent article by Forbes analyzed government data concerning L-1B petitions and detailed their trends over the last decade. During that period, the average denial rate for L-1B petitions was 28.2%, a significant number, especially considering the denial rate for H-1B petitions averages under 5%. While the denial rate declined to 21.3% in the third quarter of the fiscal year 2021 and 20.7% in the fourth quarter, the denial rates were 32.7% and 33.3% respectively for the first two fiscal quarters of 2021.

Given that L-1B petitions appear to receive greater scrutiny than other business nonimmigrant visas, one must wonder what causes the denial rate, and what steps can be taken to ensure approval of such a petition.

Explanations for High L-1B Denial Rates

The unusually high denial rate for L-1B petitions could be explained in part by the high bar set by USCIS in adjudicating the petitions. However, at least one attorney noted that the case-by-case nature of the petitions does not easily lend itself to a simple adjudication process, noting that “USCIS applies [the standard] in a way that favors documentary evidence while discounting the company’s own assessments of the worker’s importance and knowledge […]” While the USCIS Policy Manual provides immigration officers with some guidance, more comprehensive guidance could certainly be helpful.

In response to the investigation conducted by Forbes, USCIS commented,

“USCIS officers review each L-1B petition on a case-by-case basis to determine if they meet all standards required under applicable laws, regulations, and policies. […] The agency will continue to solicit feedback from stakeholders to identify procedural efficiencies and promote policies that break down barriers in the lawful immigration system.”

Additionally, the denial rate can be attributed at least in part to the political implications of the executive branch. For the fiscal year 2021, the improvement that can be detected in the L-1B denial rate followed President Biden’s assumption of office. This shift may be attributed not to a more liberal implementation of policy, but rather to the reinstatement of the USCIS policy of giving deference to previous decisions. This deference does not extend to petitions or applications made by Customs and Border Protection (“CBP”) or Department of State (“DOS”) officials.

The high denial rate for L-1B petitions serves to frustrate employers, and even discourages foreign investment in the United States. While the petitions continue to receive increased scrutiny, it is advisable to take the utmost care in the preparation of applications and ensure that all are supported with sufficient evidence and documentation.

©2022 Norris McLaughlin P.A., All Rights Reserved

HHS OIG Signs Off on Substance Use Recovery Incentive Program

On March 2, 2022, the Department of Health and Human Services (“HHS”) Office of the Inspector General (the “OIG”) issued a new advisory opinion (“AO 22-04”) related to a program through which the Requestor would provide certain individuals access to digital contingency management (“CM”) and related tools to treat substance use disorders (“Program”).  The OIG advised that it would not impose administrative sanctions under the Anti-Kickback Statute (“AKS”) or the Beneficiary Inducements Civil Monetary Penalty Law (“CMPL”).

The Requestor, a digital health company, offers a Program that uses smartphone and smart debit card technology to implement CM for individuals with substance use disorders, addressing aspects of these disorders “in ways that conventional counseling and medications often cannot.” The Requestor makes this technology available to individuals who meet certain requirements through contracts with a variety of entities, such as health plans, addiction treatment providers, employee assistance programs, research institutions, and other treatment providers (“Customers”).

Individuals (“Members”) are Customer- or self-referred, and are subject to a structured interview using the American Society of Addiction Medicine Continuum Triage tool before participation in the Program. The Requestor’s enrollment specialist, under the guidance of a licensed clinical supervisor, determines the type of services and frequency of recovery coaching using an evidence-based, automated algorithm. The Program technology establishes the schedule of expected target behavioral health events, objectively validates whether each expected event has occurred, and, if it has, promptly disburses the exact, protocol-specified incentive to the Member, using (where appropriate) a progressive reinforcement schedule.

The Program is not limited to treatments or federally reimbursable services; it also includes, among other features, support groups, medication reminders, and appointment attendance verification. For those that do include federally reimbursable services, the Requestor advised that such services may be furnished by a Customer. Incentives from the Program are provided to Members via a “smart debit card.” The card includes “abuse and anti-relapse protections (e.g., it cannot be used at bars, liquor stores, casinos, or certain other locations nor can it be used to convert credit to cash at ATMs or gas stations)”, and allows the Requestor to monitor use. Incentives are capped at $200/month and $599/year; individual incentives are typically relatively small, at $1-$3.

The Requestor receives fees from Customers on either a flat monthly basis, per eligible, active Member, or a pay-for-performance model, in which Requestor is paid upon a Member achieving certain agreed-upon targets for abstinence. The Requestor certified that the aggregate fees are consistent with fair market value and do not vary based on the volume or value of business generated under federal health care programs. Instead, fees are based on the service configurations being purchased and the intensity of behavioral targets that are planned for each Member, as well as whether a member is low- or high-risk, and in or out of treatment.

OIG concluded that two streams of remuneration potentially implicate the AKS and CMPL. First, Customers pay Requestor a fee to provide services, some of which could incentivize a Member to receive a federally billable service. Second, some of the fees Customers pay to Requestor get passed on to Members as CM Incentives for achieving certain behavioral health goals, some of which may involve services that could be billable to Federal health care programs (e.g., a counseling session) by a particular provider or supplier, which could be a Customer. OIG noted its longstanding concerns relating to the offer of incentives intended to induce beneficiaries to obtain federally reimbursable items and services, as such incentives could present significant risks of fraud and abuse.

The OIG concluded that the Program presents a minimal risk of fraud and abuse and declined to impose sanctions, providing four justifications –

  1. The Requestor certified that the Program is based in research, and provided evidence that CM is a “highly effective, cost-efficient treatment for individuals with substance use disorders.” Therefore, the OIG decided that, taken together with the other safeguards present in the Arrangement, the incentives in the Requestor’s Program serve as “part of a protocol-driven, evidence-based treatment program rather than an inducement to seek, or a reward for having sought, a particular federally reimbursable treatment.”
  2. The incentives offered through the Program have a relatively low value and a cap, and largely are unrelated to any federally payable services, especially as the Requestor is not enrolled in and does not bill to federal health care programs for Program services. Therefore, the OIG determined that the risk of the incentives “encouraging overutilization of federally reimbursable services is low.”
  3. The Requestor’s Customer base is not limited to entities that have an incentive to induce receipt of federally reimbursable services. While the OIG acknowledged that there may be instances where an incentive may be given for receiving a federally billable service, the fees do not vary based on volume or value of any federally reimbursable services, and the Customers do not have control of the Program. Therefore, the OIG determined that the risk is low that an entity would become a Customer to “generate business or reward referrals.”
  4. Although the incentives loaded onto a smart debit card function as cash equivalents, the OIG found the safeguards included in the Arrangement sufficient to mitigate fraud and abuse concerns. The Requestor, which does not bill federal health care programs or have an incentive to induce overutilization, determines what services an individual needs and what incentives are attached. Additionally, the smart debit card has “anti-relapse protections”, which can signal possible need for intervention. Therefore, the OIG concluded that the remuneration in the form of the smart debit card is sufficiently low risk.

AO 22-04 reflects HHS’s continued aims to increase flexibility around substance use disorder treatments. Just two weeks before, HHS announced two grant programs, totaling $25.6 million, to expand access to medication-assisted treatment for opioid use disorder and prevent the misuse of prescription drugs. In a press release, HHS Secretary Xavier Becerra is quoted as saying, “At HHS we are committed to addressing the overdose crisis, and one of the ways we’re doing this is by expanding access to medication-assisted treatment and other effective, evidenced-based prevention and intervention strategies.” HHS’ “National Tour to Strengthen Mental Health” is intended to “hear directly from Americans across the country about the challenges they’re facing, and engage with local leaders to strengthen the mental health and crisis care in our communities”, focused on three aspects: mental health, suicide, and substance use. Further flexibilities should be anticipated in these areas as the Tour continues.

Anyone seeking treatment options for substance misuse should call SAMHSA’s National Helpline at 800-662-HELP (4357) or visit findtreatment.gov. If you or anyone you know is struggling with thoughts of suicide, please call the National Suicide Prevention Lifeline at 800-273-TALK (8255), or text the Crisis Text Line (text HELLO to 741741).

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.

DOJ Aggressively Targeting PPP Loan Recipients for Fraud: What Businesses Need to Know

More than five million businesses applied for emergency loans under the Paycheck Protection Program (PPP), and with a hurried implementation that prevented a full diligence process, it’s not surprising the program became a target for fraud. The government is now aggressively conducting investigations, employing both criminal and civil enforcement actions. On the civil lawsuit front, companies that received PPP loans should be aware of actions brought under the False Claims Act (FCA) and the Financial Institutions Reform, Recovery and Enforcement Act (FIRREA). This advisory details some of the key points of these enforcement tools and what the government looks for when prosecuting fraudulent conduct.

How will PPP Loan Fraud Enforcement Under the FCA Work?

A company can be liable under the FCA if it knowingly presents a false or fraudulent claim for payment or approval to the government or uses a falsified record in the course of making a false claim. 31 U.S.C. § 3729(a)(1)(A), (B). The FCA allows the government to recover up to three times the amount of the damages caused by the false claims in addition to financial penalties of not less than (as adjusted for inflation) $12,537, and not more than $25,076 for each claim.

The FCA can be enforced by individuals through qui tam lawsuits. This means a private individual, known as a relator, can file a lawsuit on behalf of the government. When a qui tam case is filed, it remains confidential (under seal) while the government reviews the claim and decides whether to intervene in the case. If the lawsuit is successful, the relator is entitled to a portion of the reward.

The False Claims Act has been used to pursue fraud claims in connection with PPP loan applications. Any company that participated in the PPP by applying for a loan should retain documentation justifying all statements made on the loan application and evidencing how any funds obtained through the loans were utilized.

How will PPP Loan Fraud Enforcement Under FIRREA Work?

The government is also utilizing FIRREA in response to fraudulent conduct related to PPP loans. FIRREA is a “hybrid” statute, predicating civil liability on the government’s ability to prove criminal violations. The statute allows the government to recover penalties against a person who violates specifically enumerated criminal statutes such as bank fraud, making false statements to a bank, or mail or wire fraud “affecting a federally insured financial institution.” 12 U.S.C. §1833a.

To establish liability under FIRREA, the government does not have to prove any additional element beyond the violation of that offense and that the violation “affect[ed] a federally insured financial institution.” The government has invoked FIRREA in the context of PPP loan fraud by stating the fraud related to obtaining the loan falls under one or more of the predicate offenses set forth in the statute.

What Factors Determine PPP Loan Fraud Penalties Under FIRREA?

While the assessment of a penalty is mandatory under FIRREA, the amount of the penalty is left to the discretion of the court but may not exceed $1.1 million per offense. There is an exception to this maximum penalty, however, if the person against which the action is brought profited from the violation by more than $1.1 million. FIRREA then allows the government to collect the entire amount gained by the perpetrator through the fraud. The actual amount of the penalty is determined by the court after weighing several factors including:

  • The good or bad faith of the defendant and the degree of his/her knowledge of wrongdoing;
  • The injury to the public, and whether the defendant’s conduct created substantial loss or the risk of substantial loss to other persons;
  • The egregiousness of the violation;
  • The isolated or repeated nature of the violation;
  • The defendant’s financial condition and ability to pay;
  • The criminal fine that could be levied for this conduct;
  • The amount the defendant sought to profit through his fraud;
  • The penalty range available under FIRREA; and
  • The appropriateness of the amount considering the relevant factors.

The government favors utilizing FIRREA penalties to pursue fraud claims for several reasons. The statute of limitations provided in 12 U.S.C. §1833a(h) is 10 years, which is much longer than most civil statutes of limitations. The standard of proof required to impose penalties is preponderance of the evidence, rather than the higher “beyond a reasonable doubt” standard that must be met in a criminal prosecution.

Checklist for PPP Loan Recipients

A company that applied for COVID relief funds, such as PPP loans, should ensure they satisfy the eligibility requirements for obtaining the loan, confirm false statements were not made during the application, and review the rules set forth by the SBA for applying for PPP. The government has shown it is willing to pursue remedies under the FCA and FIRREA for fraudulent statements made regarding a PPP loan application.

© 2022 Varnum LLP

EDPB on Dark Patterns: Lessons for Marketing Teams

“Dark patterns” are becoming the target of EU data protection authorities, and the new guidelines of the European Data Protection Board (EDPB) on “dark patterns in social media platform interfaces” confirm their focus on such practices. While they are built around examples from social media platforms (real or fictitious), these guidelines contain lessons for all websites and applications. The bad news for marketers: the EDPB doesn’t like it when dry legal texts and interfaces are made catchier or more enticing.

To illustrate, in a section of the guidelines regarding the selection of an account profile photo, the EDPB considers the example of a “help/information” prompt saying “No need to go to the hairdresser’s first. Just pick a photo that says ‘this is me.’” According to the EDPB, such a practice “can impact the final decision made by users who initially decided not to share a picture for their account” and thus makes consent invalid under the General Data Protection Regulation (GDPR). Similarly, the EDPB criticises an extreme example of a cookie banner with a humorous link to a bakery cookies recipe that incidentally says, “we also use cookies”, stating that “users might think they just dismiss a funny message about cookies as a baked snack and not consider the technical meaning of the term ‘cookies.’” The EDPB even suggests that the data minimisation principle, and not security concerns, should ultimately guide an organisation’s choice of which two-factor authentication method to use.

Do these new guidelines reflect privacy paranoia or common sense? The answer should lie somewhere in between, but the whole document (64 pages long) in our view suggests an overly strict approach, one that we hope will move closer to common sense as a result of a newly started public consultation process.

Let us take a closer look at what useful lessons – or warnings – can be drawn from these new guidelines.

What are “dark patterns” and when are they unlawful?

According to the EDPB, dark patterns are “interfaces and user experiences […] that lead users into making unintended, unwilling and potentially harmful decisions regarding the processing of their personal data” (p. 2). They “aim to influence users’ behaviour and can hinder their ability to effectively protect their personal data and make conscious choices.” The risk associated with dark patterns is higher for websites or applications meant for children, as “dark patterns raise additional concerns regarding potential impact on children” (p. 8).

While the EDPB takes a strongly negative view of dark patterns in general, it recognises that dark patterns do not automatically lead to an infringement of the GDPR. The EDPB acknowledges that “[d]ata protection authorities are responsible for sanctioning the use of dark patterns if these breach GDPR requirements” (emphasis ours; p. 2). Nevertheless, the EDPB guidance strongly links the concept of dark patterns with the data protection by design and by default principles of Art. 25 GDPR, suggesting that disregard for those principles could lead to a presumption that the language or a practice in fact creates a “dark pattern” (p. 11).

The EDPB refers here to its Guidelines 4/2019 on Article 25 Data Protection by Design and by Default and in particular to the following key principles:

  • “Autonomy – Data subjects should be granted the highest degree of autonomy possible to determine the use made of their personal data, as well as autonomy over the scope and conditions of that use or processing.
  • Interaction – Data subjects must be able to communicate and exercise their rights in respect of the personal data processed by the controller.
  • Expectation – Processing should correspond with data subjects’ reasonable expectations.
  • Consumer choice – The controllers should not “lock in” their users in an unfair manner. Whenever a service processing personal data is proprietary, it may create a lock-in to the service, which may not be fair, if it impairs the data subjects’ possibility to exercise their right of data portability in accordance with Article 20 GDPR.
  • Power balance – Power balance should be a key objective of the controller-data subject relationship. Power imbalances should be avoided. When this is not possible, they should be recognised and accounted for with suitable countermeasures.
  • No deception – Data processing information and options should be provided in an objective and neutral way, avoiding any deceptive or manipulative language or design.
  • Truthful – the controllers must make available information about how they process personal data, should act as they declare they will and not mislead data subjects.”

Is data minimisation compatible with the use of SMS two-factor authentication?

One of the EDPB’s positions, while grounded in the principle of data minimisation, undercuts a security practice that has grown significantly over the past few years. In effect, the EDPB seems to question the validity under the GDPR of requests for phone numbers for two-factor authentication where e-mail tokens would theoretically be possible:

“30. To observe the principle of data minimisation, [organisations] are required not to ask for additional data such as the phone number, when the data users already provided during the sign-up process are sufficient. For example, to ensure account security, enhanced authentication is possible without the phone number by simply sending a code to users’ email accounts or by several other means.
31. Social network providers should therefore rely on means for security that are easier for users to re-initiate. For example, the [organisation] can send users an authentication number via an additional communication channel, such as a security app, which users previously installed on their mobile phone, but without requiring the users’ mobile phone number. User authentication via email addresses is also less intrusive than via phone number because users could simply create a new email address specifically for the sign-up process and utilise that email address mainly in connection with the Social Network. A phone number, however, is not that easily interchangeable, given that it is highly unlikely that users would buy a new SIM card or conclude a new phone contract only for the reason of authentication.”
(emphasis ours; p. 15)

The EDPB also appears to be highly critical of phone-based verification in the context of registration “because the email address constitutes the regular contact point with users during the registration process” (p. 15).

This position is unfortunate, as it suggests that data minimisation may preclude controllers from even assessing which method of two-factor authentication – in this case, e-mail versus SMS one-time passwords – better suits its requirements, taking into consideration the different security benefits and drawbacks of the two methods. The EDPB’s reasoning could even be used to exclude any form of stronger two-factor authentication, as additional forms inevitably require separate processing (e.g., phone number or third-party account linking for some app-based authentication methods).

For these reasons, organisations should view this aspect of the new EDPB guidelines with a healthy dose of skepticism. It likewise will be important for interested stakeholders to participate in the consultation to explain the security benefits of using phone numbers to keep the “two” in two-factor authentication.

Consent withdrawal: same number of clicks?

Recent decisions by EU regulators (notably two decisions by the French authority, the CNIL) have led to speculation about whether EU rules effectively require website operators to make it possible for data subjects to withdraw consent to all cookies with one single click, just as most websites make it possible to give consent through a single click. The authorities themselves have not stated that this is unequivocally required, although privacy activists notably filed complaints against hundreds of websites, many of them for not including a “reject all” button on their cookie banner.

The EDPB now appears to side with the privacy activists in this respect, stating that “consent cannot be considered valid under the GDPR when consent is obtained through only one mouse-click, swipe or keystroke, but the withdrawal takes more steps, is more difficult to achieve or takes more time” (p. 14).

Operationally, however, it seems impossible to comply with a “one-click withdrawal” standard in absolute terms. Just pulling up settings after registration or after the first visit to a website will always require an extra click, purely to open those settings. We expect this issue to be examined by the courts eventually.

Is creative wording indicative of a “dark pattern”?

The EDPB’s guidelines contain several examples of wording that is intended to convince the user to take a specific action.

The photo example mentioned in the introduction above is an illustration, but other (likely fictitious) examples include the following:

  • For sharing geolocation data: “Hey, a lone wolf, are you? But sharing and connecting with others help make the world a better place! Share your geolocation! Let the places and people around you inspire you!” (p.17)
  • To prompt a user to provide a self-description: “Tell us about your amazing self! We can’t wait, so come on right now and let us know!” (p. 17)

The EDPB criticises the language used, stating that it is “emotional steering”:

“[S]uch techniques do not cultivate users’ free will to provide their data, since the prescriptive language used can make users feel obliged to provide a self-description because they have already put time into the registration and wish to complete it. When users are in the process of registering to an account, they are less likely to take time to consider the description they give or even if they would like to give one at all. This is particularly the case when the language used delivers a sense of urgency or sounds like an imperative. If users feel this obligation, even when in reality providing the data is not mandatory, this can have an impact on their “free will”” (pp. 17-18).

Similarly, in a section about account deletion and deactivation, the EDPB criticises interfaces that highlight “only the negative, discouraging consequences of deleting their accounts,” e.g., “you’ll lose everything forever,” or “you won’t be able to reactivate your account” (p. 55). The EDPB even criticises interfaces that preselect deactivation or pause options over delete options, considering that “[t]he default selection of the pause option is likely to nudge users to select it instead of deleting their account as initially intended. Therefore, the practice described in this example can be considered as a breach of Article 12 (2) GDPR since it does not, in this case, facilitate the exercise of the right to erasure, and even tries to nudge users away from exercising it” (p. 56). This, combined with the EDPB’s aversion to confirmation requests (see section 5 below), suggests that the EDPB is ignoring the risk that a data subject might opt for deletion without fully recognizing the consequences, i.e., loss of access to the deleted data.

The EDPB’s approach suggests that any effort to woo users into giving more data or leaving data with the organisation will be viewed as harmful by data protection authorities. Yet data protection rules are there to prevent abuse and protect data subjects, not to render all marketing techniques illegal.

In this context, the guidelines should in our opinion be viewed as an invitation to re-examine marketing techniques to ensure that they are not too pushy – in the sense that users would in effect truly be pushed into a decision regarding personal data that they would not otherwise have made. Marketing techniques are not per se unlawful under the GDPR but may run afoul of GDPR requirements in situations where data subjects are misled or robbed of their choice.

Other key lessons for marketers and user interface designers

  • Avoid continuous prompting: One of the issues regularly highlighted by the EDPB is “continuous prompting”, i.e., prompts that appear again and again during a user’s experience on a platform. The EDPB suggests that this creates fatigue, leading the user to “give in,” i.e., by “accepting to provide more data or to consent to another processing, as they are wearied from having to express a choice each time they use the platform” (p. 14). Examples given by the EDPB include the SMS two-factor authentication popup mentioned above, as well as “import your contacts” functionality. Outside of social media platforms, the main example for most organisations is their cookie policy (so this position by the EDPB reinforces the need to manage cookie banners properly). In addition, newsletter popups and popups about “how to get our new report for free by filling out this form” are frequent on many digital properties. While popups can be effective ways to get more subscribers or more data, the EDPB guidance suggests that regulators will consider such practices questionable from a data protection perspective.
  • Ensure consistency or a justification for confirmation steps: The EDPB highlights the “longer than necessary” dark pattern at several places in its guidelines (in particular pp. 18, 52, & 57), with illustrations of confirmation pop-ups that appear before a user is allowed to select a more privacy-friendly option (and while no such confirmation is requested for more privacy-intrusive options). Such practices are unlawful according to the EDPB. This does not mean that confirmation pop-ups are always unlawful – just that you need to have a good justification for using them where you do.
  • Have a good reason for preselecting less privacy-friendly options: Because the GDPR requires not only data protection by design but also data protection by default, make sure that you are able to justify an interface in which a more privacy-intrusive option is selected by default – or better yet, don’t make any preselection. The EDPB calls preselection of privacy-intrusive options “deceptive snugness” (“Because of the default effect which nudges individuals to keep a pre-selected option, users are unlikely to change these even if given the possibility” p. 19).
  • Make all privacy settings available in all platforms: If a user is asked to make a choice during registration or upon his/her first visit (e.g., for cookies, newsletters, sharing preferences, etc.), ensure that those settings can all be found easily later on, from a central privacy settings page if possible, and alongside all data protection tools (such as tools for exercising a data subject’s right to access his/her data, to modify data, to delete an account, etc.). Also make sure that all such functionality is available not only on a desktop interface but also for mobile devices and across all applications. The EDPB illustrates this point by criticising the case where an organisation has a messaging app that does not include the same privacy statement and data subject request tools as the main app (p. 27).
  • Be clearer in using general language such as “Your data might be used to improve our services”: It is common in most privacy statements to include a statement that personal data (e.g., customer feedback) “can” or “may be used” to improve an organisation’s products and services. According to the EDPB, the word “services” is likely to be “too general” to be viewed as “clear,” and it is “unclear how data will be processed for the improvement of services.” The use of the conditional tense in the example (“might”) also “leaves users unsure whether their data will be used for the processing or not” (p. 25). The EDPB’s stance in this respect confirms a position taken by EU regulators in previous guidance on transparency and serves as a reminder to tell data subjects how data will be used.
  • Ensure linguistic consistency: If your website or app is available in more than one language, ensure that all data protection notices and tools are available in those languages as well and that the language choice made on the main interface is automatically taken into account on the data-related pages (pp. 25-26).

Best practices according to the EDPB

Finally, the EDPB highlights some other “best practices” throughout its guidelines. We have combined them below for easier review:

  • Structure and ease of access:
    • Shortcuts: Links to information, actions, or settings that can be of practical help to users to manage their data and data protection settings should be available wherever they relate to information or experience (e.g., links redirecting to the relevant parts of the privacy policy; in the case of a data breach communication to users, to provide users with a link to reset their password).
    • Data protection directory: For easy navigation through the different sections of the menu, provide users with an easily accessible page from where all data protection-related actions and information are accessible. This page could be found in the organisation’s main navigation menu, the user account, through the privacy policy, etc.
    • Privacy Policy Overview: At the start/top of the privacy policy, include a collapsible table of contents with headings and sub-headings that shows the different passages the privacy notice contains. Clearly identified sections allow users to quickly identify and jump to the section they are looking for.
    • Sticky navigation: While consulting a page related to data protection, the table of contents could be constantly displayed on the screen allowing users to quickly navigate to relevant content thanks to anchor links.
  • Transparency:
    • Organisation contact information: The organisation’s contact address for addressing data protection requests should be clearly stated in the privacy policy. It should be present in a section where users can expect to find it, such as a section on the identity of the data controller, a rights related section, or a contact section.
    • Reaching the supervisory authority: Stating the specific identity of the EU supervisory authority and including a link to its website or the specific website page for lodging a complaint is another EDPB recommendation. This information should be present in a section where users can expect to find it, such as a rights-related section.
    • Change spotting and comparison: When changes are made to the privacy notice, make previous versions accessible with the date of release and highlight any changes.
  • Terminology & explanations:
    • Coherent wording: Across the website, the same wording and definition is used for the same data protection concepts. The wording used in the privacy policy should match that used on the rest of the platform.
    • Providing definitions: When using unfamiliar or technical words or jargon, providing a definition in plain language will help users understand the information provided to them. The definition can be given directly in the text when users hover over the word and/or be made available in a glossary.
    • Explaining consequences: When users want to activate or deactivate a data protection control, or give or withdraw their consent, inform them in a neutral way of the consequences of such action.
    • Use of examples: In addition to providing mandatory information that clearly and precisely states the purpose of processing, offering specific data processing examples can make the processing more tangible for users.
  • Contrasting Data Protection Elements: Making data protection-related elements or actions visually striking in an interface that is not directly dedicated to the matter helps readability. For example, when posting a public message on the platform, controls for geolocation should be directly available and clearly visible.
  • Data Protection Onboarding: Just after the creation of an account, include data protection points within the onboarding experience for users to discover and set their preferences seamlessly. This can be done by, for example, inviting them to set their data protection preferences after adding their first friend or sharing their first post.
  • Notifications (including data breach notifications): Notifications can be used to raise awareness of users of aspects, changes, or risks related to personal data processing (e.g., when a data breach occurs). These notifications can be implemented in several ways, such as through inbox messages, pop-in windows, fixed banners at the top of the webpage, etc.

Next steps and international perspectives

These guidelines (available online) are subject to public consultation until 2 May 2022, so it is possible they will be modified as a result of the consultation and, we hope, improved to reflect a more pragmatic view of data protection that balances data subjects’ rights, security, and operational business needs. If you wish to contribute to the public consultation, note that the EDPB publishes feedback it receives (as a result, we have occasionally submitted feedback on behalf of clients wishing to remain anonymous).

Irrespective of the outcome of the public consultation, the guidelines are guaranteed to have an influence on the approach of EU data protection authorities in their investigations. From this perspective, it is better to be forewarned – and to have legal arguments at your disposal if you wish to adopt an approach that deviates from the EDPB’s position.

Moreover, these guidelines come at a time when the United States Federal Trade Commission (FTC) is also concerned with dark patterns. The FTC recently published an enforcement policy statement on the matter in October 2021. Dark patterns are also being discussed at the Organisation for Economic Cooperation and Development (OECD). International dialogue can be helpful if conversations about desired policy also consider practical solutions that can be implemented by businesses and reflect a desirable user experience for data subjects.

Organisations should consider evaluating their own techniques to encourage users to go one way or another and document the justification for their approach.

© 2022 Keller and Heckman LLP

OIG: Telehealth “Critical” to Maintaining Access to Care Amidst COVID-19

The federal Office of Inspector General (OIG) recently published a report (OIG Report) as part of a series of analyses of the expansion and utilization of telehealth in response to the COVID-19 public health emergency. In its report, the OIG concludes that telehealth was “critical for providing services to Medicare beneficiaries during the first year of the pandemic” and that the utilization of telehealth “demonstrates the long-term potential of telehealth to increase access to health care for beneficiaries.” The OIG’s conclusions are notable because they come at a time when policymakers and health care stakeholders are determining whether and how to make permanent certain expansions of telehealth for patients nationwide.

The OIG Report is based on Medicare claims and encounter data from the “first” year of the pandemic (March 1, 2020 through February 28, 2021) as compared to data for the immediately preceding year (March 1, 2019 through February 29, 2020). Per the OIG Report, the OIG observed that approximately 43% of Medicare beneficiaries used telehealth during the first year of the pandemic, and that office visits were the most common telehealth encounter for those patients. The telehealth utilization data showed an 88-fold increase over the utilization of telehealth services for the prior year, which in part reflects the significant limitations on telehealth reimbursement under Medicare prior to COVID-19, in addition to the significant regulatory expansion of telehealth at the federal and state levels in response to COVID-19.

Interestingly, the OIG Report states that beneficiaries enrolled in a Medicare Advantage plan “were more likely to use telehealth” than Medicare fee-for-service beneficiaries, and that “CMS’s temporary policy changes enabled the monumental growth in the use of telehealth in multiple ways,” including by expanding the permissible patient locations, and the types of services that could be provided via telehealth. In addition, the OIG indicated that the use of telehealth for behavioral health services by beneficiaries “stands out” because of the higher incidence of beneficiaries accessing those services via telehealth, which may in turn influence policymaking and increase access to critical behavioral health care services.

Finally, the OIG Report notably includes a footnote which indicates that a separate report on “Program Integrity Risks” is forthcoming, which may shed light on corresponding compliance concerns that have arisen in connection with the significant expansion of telehealth in response to COVID-19.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.