Congress Renews Violence Against Women Act, Expands Tribal Court Jurisdiction

The National Law Review recently featured an article by Brian L. Pierson with Godfrey & Kahn S.C., regarding Recent Congressional Actions:

On February 28, 2013 the House of Representatives approved Senate Bill 47, which reauthorizes and amends the Violence Against Women Act of 1994 (VAWA). The Bill, already approved in the Senate, became law when the President signed it on March 7th.

The VAWA is a major legislative achievement for Indian country. The Supreme Court held in 1978 that tribes lack inherent power to exercise criminal jurisdiction over non-Indians. For the first time since that decision, Congress has authorized tribes to exercise such jurisdiction. Title IX of the VAWA amends the Indian Civil Rights Act (ICRA) to permit tribes to exercise “special domestic violence criminal jurisdiction” over non-Indians who are charged with domestic violence, dating violence, and violations of protective orders that occur on their lands. Features of special domestic violence criminal jurisdiction include:

  • either the perpetrator or victim must be Indian
  • the tribe must prove that the defendant has ties to the tribal community
  • tribal jurisdiction is concurrent with state and federal jurisdiction
  • the defendant has the right to a trial by an impartial jury that is drawn from sources that –
    • reflect a fair cross section of the community; and
    • do not systematically exclude any distinctive group in the community, including non-Indians
  • In the event that a sentence of imprisonment “may” be imposed, the tribe must guarantee the defendant the enhanced procedural rights added to the ICRA by the Tribal Law and Order Act of 2010, including:
    • effective assistance of counsel, paid for by the tribe if the defendant is indigent
    • a legally trained judge licensed to practice law
    • published laws and rules of criminal procedure
    • recorded proceedings

Copyright © 2013 Godfrey & Kahn S.C.

Federal Circuit Courts Find No Causal Connection in Employee Retaliation Claims

The National Law Review recently featured an article, Federal Circuit Courts Find No Causal Connection in Employee Retaliation Claims, written by Katherine G. Cisneros of Schiff Hardin LLP:

As employers know, retaliation cases are notoriously difficult to defend. However, two recent decisions from federal courts of appeal may help employers prevail in such cases. The Sixth and Seventh Circuit U.S. Courts of Appeals recently affirmed summary judgment in two retaliation cases, both courts holding that the employees’ claims did not establish a causal connection between the protected activity and adverse employment action.

Timing Alone Insufficient Where Multi-Year Gap Between Protected Activity and Adverse Action

In Fuhr v. Hazel Park Sch. Dist., No. 2:08-cv-11652 (6th Cir. Mar. 19, 2013), the Sixth Circuit affirmed summary judgment for Hazel Park School District, finding no causal connection between a coach’s prior lawsuit and her subsequent removal from a coaching position. Fuhr served as the high school girls’ varsity basketball head coach at Hazel Park High. In 1999, Fuhr sued the school district, alleging gender discrimination based on the school district’s failure to hire her as the high school boys’ varsity basketball head coach. At the time, the boys’ and girls’ teams played during different seasons. Fuhr ultimately prevailed and in 2004 became the boys’ basketball coach. Anticipating a federal district court order requiring the basketball seasons be played at the same time, the school district removed Fuhr as the girls’ head coach in 2006 because it would be too difficult to coach two teams in the same season.

Fuhr sued, claiming that her removal as the girls’ coach and other harassing acts were retaliation for prevailing in her previous lawsuit. Fuhr claimed her principal told her that “this is a good old boys network….They are doing this to you to get back at you for winning the lawsuit.” The Sixth Circuit determined that the principal’s statement was too ambiguous to provide direct evidence of unlawful retaliation. The court next found that Fuhr failed to demonstrate a causal connection between her prior lawsuit and removal as the girls’ coach. While a close temporal proximity between events can constitute evidence of a causal connection, here, the “multi-year gap prove[d] fatal” to establishing causality. The court also added that even if Fuhr could prove causation, the school district was able to offer legitimate, non-discriminatory reasons for any alleged harassing actions. Accordingly, the Sixth Circuit affirmed summary judgment for the school district on Fuhr’s retaliation claim based on the lack of any temporal proximity.

Employee’s Disagreement with Employer’s Investigation Does Not Prove Retaliation

In Collins v. American Red Cross, No. 08-cv-50160 (7th Cir. Mar. 8, 2013), the Seventh Circuit affirmed summary judgment in favor of the American Red Cross, finding that the employer’s investigation report, albeit possibly incorrect, is not evidence of unlawful retaliation or discrimination. Collins, an African-American woman, worked for the Red Cross. In 2006, Collins filed a racial discrimination charge with the Equal Employment Opportunity Commission (“EEOC”) based on harassment from her co-workers. Collins received a “right-to-sue” letter, but did not file a suit. In 2007, Collins’s co-workers complained that, among other acts of misconduct, Collins said that the Red Cross was out to get minorities. The human resources officer assigned to investigate found that all of these allegations against Collins were “substantiated,” and Collins was terminated.

Collins sued, claiming that her termination was in retaliation for her filing of the EEOC charge. Collins claimed that the report did not really substantiate the claim that Collins said the Red Cross is out to get minorities, and therefore, the report must have been referring to the EEOC complaint. Although the report was “sloppy, and perhaps it was also mistaken or even unfair,” Title VII only forbids discriminatory or retaliatory terminations. Nothing in the report suggested the Red Cross was concerned with Collins’s EEOC complaint. Collins only provided speculation that the report was incorrect because of the EEOC complaint, and mere speculation is not enough to overcome summary judgment. Accordingly, the Seventh Circuit affirmed summary judgment for the Red Cross on Collins’s retaliation claim because she failed to show a causal link between the filing of her EEOC complaint and her subsequent termination.

The Seventh Circuit also affirmed summary judgment on Collins’s race discrimination claim because Collins failed to prove that the Red Cross’ reason for termination was pretextual, emphasizing that “pretext means a lie.” The only piece of evidence Collins offered was that she denied all the allegations raised by her co-workers’ complaints. Denying the allegations is not enough to survive summary judgment because the “fact that a statement is inaccurate does not mean that it is a deliberate lie.” Evidence that an employer reached the wrong conclusion can suggest discrimination if the conclusion were “incredible on its face.” However, here, the court found that the report’s conclusions were not incredible, and there was nothing in the record to suggest racial animus toward Collins. While the Red Cross’s report may have been wrong, that is not enough for Collins’s claim to survive summary judgment.

Sound Employer Practices Remain Key to Successful Defenses

As is clear from the Seventh Circuit case, employer investigations remain a key component of successful defenses of claims. Employers should utilize human resources or other professionals who are trained in both conducting investigations and writing investigation reports to investigate allegations of harassment, discrimination or retaliation. Also keep in mind that, as the Sixth Circuit case suggests, if a long period of time elapses between the employee’s protected activity and the adverse action, it is likely that additional evidence of retaliatory conduct will be required in order for the employee to prevail. To defeat any such evidence, employers should be sure that the legitimate, non-discriminatory reasons for the actions taken are well-documented.

© 2013 Schiff Hardin LLP

Service of Process through Social Media

The National Law Review recently featured an article, Service of Process through Social Media, written by Philip H. Cohen with Greenberg Traurig, LLP:

In the matter of Federal Trade Commission v. PCCare247 Inc., Case No. 12 Civ. 7189 (PAE), 2013 WL 841037 (S.D.N.Y. March 7, 2013) (PCCare247), the United States District Court for the Southern District of New York sanctioned using social media as a means of circumventing the Hague Service Convention’s standard method of facilitating service among signatory states through designated Central Authorities. Granting the FTC’s motion for leave to effect service of documents by alternative means on defendants located in India, Judge Paul A. Engelmayer’s ruling appears to represent the first time a U.S. court has permitted service of process via Facebook.

In PCCare247, Indian defendants allegedly operated a scheme to convince American consumers that they should spend money to fix non-existent problems with their computers. After the Indian Central Authority was unable to formally serve the Indian defendants pursuant to the Hague Convention, the court granted the FTC’s request to serve process on the defendants by both email and through a Facebook account.

The FTC’s proposed service using Facebook presented the court with a novel issue.  Last year, another court in the Southern District of New York denied a motion to permit a party to effect service using Facebook because the plaintiff had not sufficiently established the credibility of the defendant’s Facebook account.  Fortunato v. Chase Bank USA, N.A., Case No. 11 Civ. 6608 (JFK), 2012 WL 2086950 (S.D.N.Y. June 7, 2012) (Fortunato).  Fortunato involved a domestic defendant accused of committing credit card fraud.  After several failed attempts at personal service, the court rejected the third-party plaintiff’s “unorthodox” proposal to serve process, including by Facebook, citing concerns about the lack of certainty and authenticity of the defendant’s purported Facebook profile.  The court questioned whether the Facebook profile was in fact operational and accessed by the party to be served, noting that the location listed on the profile was inconsistent with four potential addresses a private investigator had identified. The court opted instead for service by publication pursuant to New York rules.

Distinguishing PCCare247 from Fortunato, Judge Engelmayer articulated several considerations supporting his confidence in “service by Facebook.” The court observed that under Rule 4(f)(3) of the Federal Rules of Civil Procedure, a court remains free to order alternative means of service on an individual in a foreign country so long as the means of service are not prohibited by international agreement and comport with due process.  The court acknowledged that although service by email and Facebook is not enumerated in Article 10 of the Hague Service Convention, India has not specifically objected to them. Therefore, under Rule 4(f)(3) the court found that it was free to authorize process by these means provided that doing so would satisfy due process.

Recognizing that the reasonableness inquiry is intended to “unshackle[] the federal courts from anachronistic methods of service and permit[] them entry into the technological renaissance,” quoting Rio Props., Inc. v. Rio Int’l Interlink, 284 F.3d 1007, 1017 (9th Cir. 2002), the court concluded that Facebook was “reasonably calculated to provide defendants with notice of future filings” in the case. In support of its conclusion, the court explained that the defendants ran an Internet-based business and that the email addresses specified for the defendants were those used for various aspects of the alleged scheme.  For two of the Indian defendants in PCCare247, their Facebook accounts were registered to the same email addresses to be served. Moreover, the court had “independent confirmation” that one of the email addresses identified was genuine and operated by a defendant, because it had been used to communicate with the court on several occasions.  Additional evidence that the Facebook profiles were authentic included that some of the defendants listed their job titles at the defendant companies and that the defendants were Facebook “friends” with each other. Additional considerations the court noted were: the FTC had made several good faith efforts to serve the defendants by other means; and defendants had already demonstrated knowledge of the lawsuit. Accordingly, the FTC’s proposal to serve process by both email and Facebook was a combination that satisfied due process as a means of alternative service and was highly likely to be an effective means of reaching and communicating with the defendants.

This decision suggests that under the right circumstances, where a party establishes a reasonable foundation for the authenticity of the accounts, service via email and social media may be an economical and effective option for serving process on foreign parties, or even domestic parties that are otherwise difficult to track down by traditional means.

©2013 Greenberg Traurig, LLP

Preservation of Error: Prejudicial or Argumentative Closing Arguments

The National Law Review recently published an article, Preservation of Error: Prejudicial or Argumentative Closing Arguments, written by Jennifer R. Dixon with Lowndes, Drosdick, Doster, Kantor & Reed, P.A.:

The Second District Court of Appeal, last week, issued an opinion that reversed a trial court’s order granting new trial, Carnival Corporation v. Jimenez, 38 Fla. L. Weekly D455a, Case No. 2D11-5482 (2d DCA February 27, 2013).  The order was predicated on the trial judge’s finding that “comments made [by defense] counsel during closing arguments are perceived to have been prejudicial and highly inflammatory in nature because of their cumulative effect and their accusatory undertones.”  Id.

Jimenez was a personal injury case in which a large part of the defense strategy was to discredit the plaintiff’s expert/treating physician, because he had treated the plaintiff under a letter of protection.  According to the order on appeal, defense counsel “argued in closing . . . that plaintiff’s counsel . . . had collaborated or conspired with [the doctor] to conjure a non-injury into this lawsuit.”  While the trial court recognized that it had allowed evidence of the letter of protection, the introduction of such evidence “is to enable defense counsel to suggest that the doctor may have a financial bias, or stake in the outcome of the case.  Not for the impermissible purpose of allowing Defendant’s attorney to suggest a ‘neighborly’ conspiracy between the doctor and Plaintiff’s attorney.”  In sum, the trial court determined that the defense went so far in putting forth the conspiracy theory that the jury could not fairly assess the issues of causation and damages.

While the general rule is that improper comments made during closing argument may provide a basis for granting a new trial (see Mercury Ins. Co. of Fla. v. Moreta, 957 So. 2d 1242, 1250 (Fla. 2d DCA 2007)), the issue must be properly preserved by contemporaneous objection and a motion for mistrial.  Engle v. Liggett Grp., Inc., 945 So. 2d 1246, 1271 (Fla. 2006).  If the error has not been properly preserved, a new trial is only warranted when the improper behavior amounts to fundamental error. Companioni v. City of Tampa, 51 So. 3d 452, 456 (Fla. 2010).

The Jimenez court noted that the plaintiff’s counsel only made two objections relative to the defense counsel’s references to the letter of protection.  Both were sustained, but there was no motion for mistrial.  The court, relying upon the 4-part test articulated in Murphy v. International Robotic Systems, Inc., 766 So. 2d 1010, 1027-31 (Fla. 2000), determined that while the plaintiff established the first prong of Murphy–that the challenged conduct was improper–she did not establish the remaining three prongs:  that the challenged conduct was harmful, that the challenged conduct was incurable, and that public interest in our system of justice requires a new trial.

Because the application of the Murphy factors did not show that the challenged conduct was so highly prejudicial that it denied the plaintiff her right to a fair trial, the order granting new trial was reversed, and the final judgment was ordered to be reinstated.

Practice tip:  when objecting to prejudicial or argumentative closing arguments: 1) object contemporaneously, 2) request a curative instruction (if appropriate), and 3) move for a mistrial, or be bound by the heightened standard for new trials articulated in Murphy.

© Lowndes, Drosdick, Doster, Kantor & Reed, PA

Can Having Employees Pose for the Camera Pose Problems for You?

The National Law Review recently featured an article regarding Employee Photos written by Amy D. Cubbage with McBrayer, McGinnis, Leslie and Kirkland, PLLC:

Employers have a variety of reasons for using employee photos, including:

  • internal company use (for a company directory or in the break room);
  • external use (such as the company website or a blog post—you’ll find my picture below);
  • for safety precautions (name badges or scan cards); and
  • for commercial use in advertisements or marketing.

Employees are usually amenable to having their picture taken. But, there may be a few who express their genuine disinterest in being photographed. Such employees could simply be camera shy; others may have a more serious reason to refuse to have an image published.  Some may need to protect anonymity for personal reasons, such as past domestic abuse.  Others may adhere to religions forbidding taking pictures.

There are generally no legal ramifications for using employee photos, unless it is for commercial purposes.  Most states, including Kentucky, have laws that require permission before using an individual or their “likeness” for commercial purposes. This is due to the commonly held notion that a person has property rights in his or her name and likeness and those rights should be shielded from exploitation. Kentucky’s law is codified in KRS 391.170.

If you need to use employee photos for a commercial use, there is a simple solution. Have employees sign releases in which they acknowledge that their picture may be used in a company advertisement and they will receive no compensation for the use of their photo. Keep these releases on file.

Even in a state where consent is not required, it is always a smart approach to use a release so that employees will not be surprised when they see their face plastered on a promotional piece. If minors appear in the commercial materials, always use extra caution. Use a consent form, whether required or not, to be signed by the child’s parents.

A warning about taking photos of potential employees: if you take photographs of applicants applying for a job (to help remember who’s who), it may put you at risk for a discrimination claim. A photograph creates a record of certain protected characteristics (i.e., sex, race, or the presence of a disability) that employers generally cannot use in hiring considerations. If this information is collected and a discrimination claim arises, the burden will be on the employer to prove the photographs were not used to make a discriminatory employment decision.

I will leave you with a little common sense about employee photos. Always remember to publicize when the office picture day will be; no one likes showing up ill-prepared. Offer a “redo day” for those who are truly unhappy about how their picture turned out. If all else fails, resort to photoshopping. A little lighting adjustment or cropping can work wonders for a shutterbug humbug.

© 2013 by McBrayer, McGinnis, Leslie & Kirkland, PLLC

Federal Court Rejects Americans with Disabilities Act (ADA) Suit Over Random Alcohol Testing of Probationary Plant Employees

The National Law Review recently published an article regarding Random Alcohol Testing written by Robert S. Nichols, Robert E. Sheeder, and Amy Karff Halevy with Bracewell & Giuliani LLP:

A federal judge in Pennsylvania has dismissed an Equal Employment Opportunity Commission challenge to U.S. Steel Corporation’s random alcohol testing of probationary employees at one of the company’s most safety sensitive facilities. The Court’s ruling in this carefully watched suit is significant for employers because it represents a forceful rejection of one of the more extreme positions the EEOC has taken in interpreting how the Americans with Disabilities Act (ADA) regulates workplaces.

EEOC’s Restrictive Interpretation of Employer Rights

The EEOC has adopted a very restrictive view of an employer’s right to conduct across-the-board medical examinations or inquiries of current employees even when the examination or inquiry is plainly motivated by workplace safety concerns. According to the EEOC, employers are prohibited in most circumstances from conducting generalized medical examinations, including random alcohol testing or periodic physical examinations of current employees.

The EEOC has pointed to a provision of the ADA that provides that an employer may not “require a medical examination and shall not make inquiries of an employee as to whether such employee is an individual with a disability or as to the nature or severity of the disability, unless such examination or inquiry is shown to be job-related and consistent with business necessity.” 42 U.S.C. § 12112(d)(4)(A). Conducting random testing for the unlawful use of drugs, as opposed to testing for the use of alcohol, does not create the same legal impediments because a test for the unlawful use of drugs is generally not regarded as a “medical examination” under the ADA.

The very limited exceptions to this prohibition on across-the-board medical examinations or inquiries of current employees that the EEOC has recognized include examinations of certain public safety employees in police and firefighter positions as well as, of course, examinations or inquiries that are required by other federal agencies, such as the Department of Transportation.

EEOC Lawsuit Against U.S. Steel

In the U.S. Steel suit, the EEOC argued that across-the-board medical examination or inquiries, including random or other generalized alcohol testing, could not be justified by the business necessity defense even in a highly safety sensitive work environment. Rather, the EEOC has taken the position that alcohol testing can only be justified based upon individualized suspicion that the particular employee to be tested was under the influence of alcohol at work.

U.S. Steel argued in a motion for summary judgment that given the highly safety sensitive nature of the plant at issue, where employees work with materials that are at temperatures of more than 2,100 degrees, random testing was justified as a matter of business necessity.

The judge in the case granted U.S. Steel’s motion and dismissed the EEOC’s claims finding that the random alcohol testing of probationary employees was justified by the business necessity defense. The Court first pointed out that there was no disputing that safety in and of itself can be a matter of business necessity. As a result, according to the Court, the only question remaining was whether the policy of random alcohol testing served that asserted business necessity. After analyzing the facts at issue, the judge found that the alcohol testing policy plainly served the business necessity of workplace safety.

In doing so, the Court specifically rejected the EEOC’s position that across-the-board medical examinations or inquiries of current employees could only be justified in the case of law enforcement or firefighting employees. The Court explained that there was no legitimate basis for not extending the same rationale to employees in other highly safety sensitive positions. Also, the Court noted that in this instance selecting employees for testing based on individualized suspicion would not work effectively because personal protective equipment obscures the U.S. Steel employees’ faces and speech.

Additionally, the Court concluded that the random alcohol testing approach was not inconsistent with the ADA’s goal of preventing employers from targeting specific employees with disabilities based upon stereotypes and misconceptions. The Court pointed out that, after all, random testing, as opposed to individualized suspicion testing, was not potentially based upon conclusions about particular individuals with disabilities.

The Court also noted that the testing program at issue was the product of negotiations with the union representing plant employees and not a process unilaterally imposed by the employer.

Takeaways

The decision in the U.S. Steel case offers employers new hope that more federal courts will reject the EEOC’s very restrictive view of the right to conduct across-the-board medical examinations or inquiries, including across-the-board random alcohol testing of employees in certain safety sensitive positions. While this decision is encouraging, employers need to recognize that the EEOC continues to adhere to its position regarding this issue and other federal courts may ultimately side with the EEOC. Nonetheless, the Court’s decision in the U.S. Steel suit is an encouraging sign for employers that courts, recognizing the importance of workplace safety, may adopt a far more reasonable and pragmatic view than the EEOC on this question of across-the-board medical examinations and inquiries of current employees.

© 2013 Bracewell & Giuliani LLP

Federal Trade Commission (FTC) Recommends Privacy Practices for Mobile Apps

The National Law Review recently published an article, Federal Trade Commission (FTC) Recommends Privacy Practices for Mobile Apps, written by Daniel F. Gottlieb, Randall J. Ortman, and Heather Egan Sussman with McDermott Will & Emery:

On February 1, 2013, the Federal Trade Commission (FTC) released a report entitled “Mobile Privacy Disclosures: Building Trust Through Transparency” (Report), which urges mobile device application (app) platforms and developers to improve the privacy policies for their apps to better inform consumers about their privacy practices.  This report follows other recent publications from the FTC concerning mobile apps—including “Mobile Apps for Kids: Disclosures Still Not Making the Grade,” released December 2012 (December 2012 Report), and “Mobile Apps for Kids: Current Privacy Disclosures are Disappointing,” released February 2012 (February 2012 Report)—and the adoption of the amended Children’s Online Privacy Protection Act (COPPA) Rule on December 19, 2012.  (See “FTC Updates Rule for Children’s Online Privacy Protection” for more information regarding the recent COPPA amendments.)

Among other things, the Report offers recommendations to key stakeholders in the mobile device application marketplace, particularly operating system providers (e.g., Apple and Microsoft), application developers, advertising networks and related trade associations.  Such recommendations reflect the FTC’s enforcement and policy experience with mobile applications and public comment on the matter; however, where the Report goes beyond existing legal requirements, “it is not intended to serve as a template for law enforcement actions or regulations under laws currently enforced by the FTC.”  Nevertheless, such key stakeholders should take the FTC’s recommendations into account when determining how they will collect, use and transfer personal information about consumers and preparing privacy policies to describe their information practices because they reflect the FTC’s expectations under its consumer protection authorities.

At a minimum, operating system providers and application developers should review their existing privacy policies and make revisions, as necessary, to comply with the recommendations included within the Report.  However, all key stakeholders should consider the implications of recommendations specific to their industry segment, as summarized below.

Operating System Providers

Characterized within the Report as “gatekeepers to the app marketplace,” the FTC states that operating system providers have the “greatest ability to effectuate change with respect to improving mobile privacy disclosures.”  Operating system providers, which create and maintain the platform upon which mobile apps run, promulgate rules that app developers must follow in order to access the platform and facilitate interactions between developers and consumers.  Given their prominent role within the app marketplace, it is not surprising that the FTC directs numerous recommendations toward operating system providers, including:

  • Just-In-Time Disclosures.  The Report urges operating system providers to display just-in-time disclosures to consumers and obtain express, opt-in (rather than implied) consent before allowing apps to access sensitive information like geolocation (i.e., the real world physical location of a mobile device), and other information that consumers may find sensitive, such as contacts, photos, calendar entries or recorded audio or video.  Thus, operating system providers and mobile app developers should carefully consider the types of personal information practices that require an opt-in rather than mere use of the app to evidence consent.
  • Privacy Dashboard.  The Report suggests that operating system providers should consider developing a privacy “dashboard” that would centralize privacy settings for various apps to allow consumers to easily review the types of information accessed by the apps they have downloaded.  The “dashboard” model would enable consumers to determine which apps have access to different types of information about the consumer or the consumer’s device and to revisit the choices they initially made about the apps.
  • Icons.  The Report notes that operating system providers currently use status icons for a variety of purposes, such as indicating when an app is accessing geolocation information.  The FTC suggests expansion of this practice to provide an icon that would indicate the transmission of personal information or other information more broadly.
  • Best Practices.  The Report recommends that operating system providers establish best practices for app developers.  For example, operating system providers can compel app developers to make privacy disclosures to consumers by restricting access to their platforms.
  • Review of Apps.  The Report suggests that operating system providers should also make clear disclosures to consumers about the extent to which they review apps developed for their platforms.  Such disclosures may include conditions for making apps available within the platform’s app marketplace and efforts to ensure continued compliance.
  • Do Not Track Mechanism.  The Report directs operating system providers to consider offering a “Do Not Track” (DNT) mechanism, which would provide consumers with the option to prevent tracking by advertising networks or other third parties as they use apps on their mobile devices.  This approach allows consumers to make a single election, rather than case-by-case decisions for each app.

App Developers

Although some practices may be imposed upon app developers by operating system providers, as discussed above, app developers can take several steps to adopt the FTC’s recommendations, including:

  • Privacy Policies.  The FTC encourages all app developers to have a privacy policy, and to include reference to such policy when submitting apps to an operating system provider.
  • Just-In-Time Disclosures.  As with the recommendations for operating system providers, the Report suggests that app developers provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information.
  • Coordination with Advertising Networks.  The FTC argues for improved coordination and communication between app developers and advertising networks and other third parties that provide certain functions, such as data analytics, to ensure app developers have an adequate understanding of the software they are incorporating into their apps and can accurately describe such software to consumers.
  • Participation in Trade Associations.  The Report urges app developers to participate in trade associations and other industry organizations, particularly in the development of self-regulatory programs addressing privacy in mobile apps.

Advertising Networks and Other Third Parties

By specifically including advertising networks and other third parties in the Report, the FTC recognizes that cooperation with such networks and parties is necessary to achieve the recommendations outlined for operating system providers and app developers.  The recommendations for advertising networks and other third parties include:

  • Coordination with App Developers.  The Report calls upon advertising networks and other third parties to communicate with app developers to enable such developers to provide accurate disclosures to consumers.
  • DNT Mechanism.  Consistent with its recommendations for operating system providers, the FTC suggests that advertising networks and other third parties work with operating system providers to implement a DNT mechanism.

Trade Associations

The FTC states that trade associations can facilitate standardized privacy disclosures.  The Report makes the following recommendations for trade associations:

  • Icons.  Trade associations can work with operating system providers to develop standardized icons to indicate the transmission of personal information and other data.
  • Badges.  Similar to icons, the Report suggests that trade associations consider developing “badges” or other visual cues used to convey information about a particular app’s data practices.
  • Privacy Policies.  Finally, the FTC suggests that trade associations are uniquely positioned to explore other opportunities to standardize privacy policies across the mobile app industry.

Children and Mobile Apps

Commenting on progress between the February 2012 Report and December 2012 Report, both of which relied on a survey of 400 mobile apps targeted at children, the FTC stated that “little or no progress has been made” in increasing transparency in the mobile app industry with regard to privacy practices specific to children.  The December 2012 Report suggests that very few mobile apps targeted to children include basic information about the app’s privacy practices and interactive features, including the type of data collected, the purpose of the collection and whether third parties have access to such data:

  • Privacy Disclosures.  According to the December 2012 Report, approximately 20 percent of the mobile apps reviewed disclosed any privacy-related information prior to the download process and the same proportion provided access to a privacy disclosure after downloading the app.  Among those mobile apps, the December 2012 Report characterizes their disclosures as lengthy, difficult to read or lacking basic detail, such as the specific types of information collected.
  • Information Collection and Sharing Practices.  The December 2012 Report notes that 59 percent of the mobile apps transmitted some information to the app developer or to a third party.  Unique device identifiers were the most frequently transmitted data point, which the December 2012 Report cites as problematic, suggesting that such identifiers are routinely used to create user “profiles,” which may track consumers across multiple mobile apps.
  • Disclosure Practices Regarding Interactive App Features.  The FTC reports that nearly half of the apps that stated they did not include advertising actually contained advertising, including ads targeted to a mature audience.  Similarly, the December 2012 Report notes that approximately 9 percent of the mobile apps reviewed disclosed that they linked with social media applications; however, this number represented only half of the mobile apps that actually linked to social media applications.  Mobile app developers using a template privacy policy as a starting point for an app’s privacy policy should carefully tailor the template to reflect the developer’s actual privacy practices for the app.

Increased Enforcement

In addition to the reports discussed above and the revisions to the COPPA Rule, effective July 1, 2013, the FTC has also increased enforcement efforts relating to mobile app privacy.  On February 1, 2013, the FTC announced an agreement with Path Inc., operator of the Path social networking mobile app, to settle allegations that it deceived consumers by collecting personal information from their mobile device address books without their knowledge or consent.  Under the terms of the agreement, Path Inc. must establish a comprehensive privacy program, obtain independent privacy assessments every other year for the next 20 years and pay $800,000 in civil penalties specifically relating to alleged violations of the COPPA Rule.  In announcing the agreement, the FTC commented on its commitment to continued scrutiny of privacy practices within the mobile app industry, adding that “no matter what new technologies emerge, the [FTC] will continue to safeguard the privacy of Americans.”

Key Takeaways

App developers and other key stakeholders should consider the following next steps:

  • Review existing privacy policies to confirm they accurately describe current privacy practices for the particular app rather than merely following the developer’s preferred template privacy policy
  • Where practical, update actual privacy practices and privacy policies to be more in line with the FTC’s expectations for transparency and consumer choice, including use of opt-in rather than opt-out consent models
  • Revisit privacy practices in light of heightened FTC enforcement under COPPA and its other consumer protection authorities

© 2013 McDermott Will & Emery

Women Really CAN Have it All – Ridding the Legal Field of “The Mommy” / “Tiger Lady” Oxymoron

The National Law Review recently published a book review, Women Really CAN Have it All – Ridding the Legal Field of “The Mommy” / “Tiger Lady” Oxymoron, by Heidi R. Wendland of The National Law Review / The National Law Forum LLC:

Long gone is the notion that a woman’s place is at home. Anne Murphy Brown has had her own success in balancing motherhood with a legal career as a litigator, corporate attorney and currently as an Assistant Professor and Director of Legal Studies at Ursuline College. Anne Murphy Brown finds more than 20 other women who have enjoyed the same successes and profiles them in Legally Mom: Real Women’s Stories of Balancing Motherhood and Law Practice. She does an excellent job in making this book relevant to every woman by carefully selecting a diverse array of women to profile. She finds women practicing at law firms and at governmental agencies. She also profiles women who have started their own law firms, who pursue a legal career from home, and who work as in house counsel at corporations. Each chapter contains a different woman’s personal experience and perspectives in balancing motherhood and her legal career. While all of these women face unique challenges depending on which course of work they pursue in the legal field, a common theme prevails throughout the entire book. The recipe for success of “having it all” is the same: these women have been successful because they have had support, drive, and a realistic grasp on their own personal limitations.

Many of the women within Legally Mom are able to pursue a career and be a mother because they have strong support from their husbands. Their husbands help split the parenting duties allowing the mother to keep up with the demands of her career. Other women profiled are not as lucky, and have to find support outside of the home. Some find support from family members in the form of child care. Others find support from within their workplace through understanding bosses, flexible hours, and policies enacted for mothers within the firm such as paid time off, nursing rooms, and child care offered on the premises. Anne Murphy Brown also provides the reader with a great resource: www.mamalaw.com. This website was created by a group of career moms to serve as a forum for other career moms to lend support to each other.

All the women profiled share a desire to succeed as both a mother and a lawyer. The book demonstrates how women have to fight for their right to pursue a career while being a mother and every woman profiled gives excellent advice as to how to do so. They have to be comfortable in confronting their bosses in order to achieve what they want. In fact, one woman profiled mentions an excellent point that it is to a firm’s detriment to not be flexible for women attorneys. Law firms and companies lose many educated women to motherhood because they do not enact policies that provide for flexibility to pursue both. This interesting perspective gives the reader a great negotiating tool when confronting her employer.

Women who want both a career and to be a mother must still acknowledge that there are limits since there are only 24 hours in a day. The women in the book all prioritize their lives in different ways and give advice as to how to live with the choices they make. In the end, the women do what works best for their own unique situation.

For some women profiled, being a mother and pursuing a legal career was something they always knew they wanted to balance. For other women profiled, being a mother was an afterthought, and it was not until they had established themselves within their career that they considered starting their families. Every woman who is considering whether it is possible to be a mother and pursue a legal career should read this book. Every woman who thinks it is impossible to have both should certainly read this book. While women have a huge task in front of them when deciding to be a mother and a career lady, this book proves it is not impossible. With effective time management, a woman can pursue a successful career and be a good mother. Legally Mom serves to enhance the feeling of female camaraderie in a traditionally male dominated career of law, and will no doubt inspire every reader and continue the movement for change and women empowerment.

Copyright ©2012 National Law Forum, LLC

District Court Holds IRS Lacks Authority to Issue and Enforce Tax Return Preparer Regulations

The National Law Review recently featured an article, District Court Holds IRS Lacks Authority to Issue and Enforce Tax Return Preparer Regulations, written by Gale E. Chan and Robin L. Greenhouse with McDermott Will & Emery:

On January 18, 2013, the District Court for the District of Columbia (District Court) issued a surprising decision in Loving v. Internal Revenue Service, No. 12-385 (JEB), holding that the Internal Revenue Service (IRS) lacked the authority to issue and enforce the final Circular 230 tax return preparer regulations that were issued in 2011 (Regulations).  The District Court also permanently enjoined the IRS from enforcing the Regulations.

Background

As part of the IRS’s initiative to increase oversight of the tax return preparer industry by creating uniform and high ethical standards of conduct, the IRS created a new category of preparers, “registered tax return preparer,” to be subject to the rules of Circular 230.  Attorneys, certified public accountants, enrolled agents and enrolled actuaries were already subject to IRS regulation under Circular 230, and thus, were not affected by the issuance of the Regulations.

In June 2011, the IRS and the U.S. Department of the Treasury (Treasury) issued the Regulations relating to registered tax return preparers and practice before the IRS.  T.D. 9527 (June 3, 2011).  Under these rules, registered tax return preparers have a limited right to practice before the IRS.  A registered tax return preparer can prepare and sign tax returns, claims for refunds and other documents for submission to the IRS.  A registered tax return preparer who signs the return may represent taxpayers before revenue agents and IRS customer service representatives (or similar officers or employees of the IRS) during an examination, but the registered tax return preparer cannot represent the taxpayer before IRS appeals officers, revenue officers, counsel or similar officers or employees of the IRS.  In addition, a registered tax return preparer can only advise a taxpayer as necessary to prepare a tax return, claim for refund or other document intended to be submitted to the IRS.

The Regulations also impose additional examination and continuing education requirements on registered tax return preparers in addition to obtaining a preparer tax identification number (PTIN).  Under the rules, to become a “registered tax return preparer,” an individual must be 18 years old, possess a current and valid PTIN, pass a one-time competency examination, and pass a federal tax compliance check and a background check.  The Regulations require a registered tax return preparer to renew his or her PTIN annually and to pay the requisite user fee.  To renew a PTIN, a registered tax return preparer must also complete a minimum of 15 hours of continuing education credit each year that includes two hours of ethics or professional conduct, three hours of federal tax law updates and 10 hours of federal tax law topics.

Loving v. Internal Revenue Service

In Loving, three individual paid tax return preparers (Plaintiffs) filed suit against the IRS, the Commissioner of Internal Revenue and the United States (collectively, Government) seeking declaratory relief, arguing that tax return preparers whose only “appearance” before the IRS is the preparation of tax returns cannot be regulated by the IRS, and injunctive relief, requesting the court to permanently enjoin the IRS from enforcing the Regulations.  In filed declarations, two of the Plaintiffs indicated that they would likely close their tax businesses if they were forced to comply with the Regulations, and the third Plaintiff, who serves low-income clients, indicated that she would have to increase her prices if forced to comply with the Regulations, likely resulting in a loss of customers.  The Plaintiffs and the Government each filed separate motions for summary judgment.

At issue in the case was the IRS’s claim that it can regulate individuals who practice before it, including tax return preparers.  The IRS relied on an 1884 statute, 31 U.S.C. § 330, which provides the Treasury with the authority to regulate the people who practice before it.  The statute currently provides that the Treasury may “regulate the practice of representatives of persons before the Department of the Treasury.”  31 U.S.C. § 330(a)(1) (emphasis added).  The statute further requires that a representative demonstrate certain characteristics prior to being admitted as a representative to practice, including “competency to advise and assist persons in presenting their cases.”  31 U.S.C. § 330(a)(2)(D) (emphasis added).  The statute also gives the Treasury authority to suspend or disbar a representative from practice before the Treasury in certain circumstances, as well as to impose a monetary penalty.  31 U.S.C. § 330(b).

The District Court’s Application of Chevron

The District Court applied the framework of Chevron U.S.A., Inc. v. Natural Res. Def. Council, Inc., 467 U.S. 837 (1984), and concluded that the text and context of 31 U.S.C. § 330 unambiguously foreclosed the IRS’s interpretation of the statute.  Chevron applies a two-step inquiry to determine whether a statute is ambiguous.  The first step asks whether the intent of Congress is clear in the statute—i.e., has Congress “directly spoken to the precise question at issue.”  Chevron, 467 U.S. at 842.  If a court determines that the intent of Congress is clear, under the Chevron framework, that is the end and the court “must give effect to the unambiguously expressed intent of Congress.”  Id. at 842–43.  However, if the court determines that the statute is silent or ambiguous, the court must proceed to step two of Chevron and ask whether the agency’s interpretation “is based on a permissible construction of the statute.”  Id. at 843.  An agency’s construction under step two is permissible “unless it is arbitrary or capricious in substance, or manifestly contrary to the statute.”  Mayo Found. for Med. Educ. & Research v. United States, 131 S. Ct. 704, 711 (2011) (citation omitted).

In Loving, the District Court concluded that 31 U.S.C. § 330 was unambiguous as to whether tax return preparers are “representatives” who “practice” before the IRS for three reasons.  First, the District Court stated that 31 U.S.C. § 330(a)(2)(D) defines the phrase “practice of representatives” in a way that does not cover tax return preparers.  As noted above, 31 U.S.C. § 330(a)(2)(D) requires a representative to demonstrate that he or she is competent to advise and assist taxpayers in presenting their “cases.”  The District Court stated that the statute thus equates “practice” with advising and assisting with the presentation of a case, which the filing of a tax return is not.  Thus, the District Court concluded that the definition in 31 U.S.C. § 330(a)(2)(D) “makes sense only in connection with those who assist taxpayers in the examination and appeals stages of the process.”

Second, the District Court stated that the IRS’s interpretation of 31 U.S.C. § 330 would undercut various statutory penalties in the Internal Revenue Code (Code) specifically applicable to tax return preparers.  The District Court noted that if 31 U.S.C. § 330(b) is interpreted as authorizing the IRS to penalize tax return preparers under the statute, the statutory penalty provisions in the Code specific to tax return preparers would be displaced, thereby allowing the IRS to penalize tax return preparers more broadly than is permissible under the Code.  Thus, the District Court stated that the specific penalty provisions applicable to tax return preparers in the Code should not be “relegated to oblivion” and trumped by the general penalty provision of 31 U.S.C. § 330(b).

The District Court also stated that 31 U.S.C. § 330(b) does not authorize penalties on tax return preparers because Section 6103(k)(5) of the Code, which provides that the IRS may disclose certain penalties to state and local agencies that license, register or regulate tax return preparers, does not identify 31 U.S.C. § 330(b) as one of the reportable statutory penalty provisions.

Finally, the District Court stated that if the IRS’s interpretation of 31 U.S.C. § 330 is accepted, Section 7407 of the Code would be duplicative.  Section 7407 of the Code provides the IRS with the right to seek an injunction against a tax return preparer to enjoin the preparer from further preparing returns if the preparer engages in specified unlawful conduct.  This right is similar to the authority under 31 U.S.C. § 330(b) to penalize if the IRS’s interpretation of 31 U.S.C. § 330 is accepted.  Under the IRS’s interpretation of 31 U.S.C. § 330, the IRS could disbar a representative from practice before the IRS if a tax return preparer engages in the conduct described in 31 U.S.C. § 330(b) (incompetence, being disreputable, violating regulations and fraud).  Thus, the District Court noted that disbarment under 31 U.S.C. § 330(b) is wholly within the IRS’s control and would be an easier path to penalize a tax return preparer than offered by Section 7407 of the Code.  The District Court stated that under the IRS’s interpretation, the IRS likely would never utilize the remedies available under Section 7407 of the Code, thereby rendering the statute pointless.

Conclusion

The District Court granted the Plaintiffs’ motion for summary judgment, holding that the IRS lacked statutory authority to issue and enforce the Regulations against “registered tax return preparers,” and permanently enjoined the IRS from enforcing the Regulations.  The Government will likely appeal the District Court’s decision.  Nevertheless, the District Court’s decision will have a great impact on the hundreds of thousands of tax return preparers ensnared by the Regulations and the clients they serve.

© 2013 McDermott Will & Emery

HIPAA Final Omnibus Rule Brings “Sweeping Change” to Health Care Industry

Dinsmore-2c-print NEW

On January 17, 2013, the U.S. Department of Health and Human Services (HHS) announced the release of the HIPAA final omnibus rule, which was years in the making. The final rule makes sweeping changes to the HIPAA compliance obligations of covered entities and business associates and comprises four final rules wrapped into one:

  1. Modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and certain other modifications to improve the rules, which were issued as a proposed rule on July 14, 2010;
  2. Changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act and to adopt the additional HITECH Act enhancements to the Enforcement Rule that were not previously adopted in the October 30, 2009 interim final rule, including provisions to address enforcement where there is HIPAA non-compliance due to willful neglect;
  3. A final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which eliminates the breach notification rule’s “harm” threshold and supplants an interim final rule published on Aug. 24, 2009; and
  4. A final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on Oct. 7, 2009.

HHS estimates a total cost of compliance with the final omnibus rule’s provisions to be between $114 million and $225.4 million in the first year of implementation and approximately $14.5 million each year thereafter. Among the costs HHS associates with the final rule are: (i) costs to covered entities of revising and distributing new notices of privacy practices; (ii) costs to covered entities related to compliance with new breach notification requirements; (iii) costs to business associates to bring their subcontracts into compliance with business associate agreement requirements; and (iv) costs to business associates to come into full compliance with the Security Rule. HHS attributes between $43.6 million and $155 million of its first year estimates to business associate compliance efforts. It is predicted that the true compliance costs for both covered entities and business associates will be far in excess of these HHS estimates.

Some of the key provisions of the final omnibus rule include:

  • Expanded definition of “business associate.” The definition of “business associate” has been expanded to include subcontractors of business associates, any person who “creates, receives, maintains, or transmits” protected health information on behalf of a covered entity, and certain identified categories of data transmission services that require routine access to protected health information, among others. A covered entity is not required to enter into a business associate agreement with a business associate that is a subcontractor; that obligation flows down to the business associate, who is required to obtain the proper written agreement from its subcontractors.
  • Direct compliance obligations and liability of business associates. Business associates are now directly liable for compliance with many of the same standards and implementation specifications, and the same penalties now apply to business associates that apply to covered entities, under the Security Rule. Additionally, the rule requires business associates to comply with many of the same requirements, and applies the same penalties to business associates that apply to covered entities, under the Privacy Rule. Business associates must also obtain satisfactory assurances in the form of a business associate agreement from subcontractors that the subcontractors will safeguard any protected health information in their possession. Finally, business associates must furnish any information the Secretary requires to investigate whether the business associate is in compliance with the regulations.
  • Modified definition of “marketing.” The definition of “marketing” has been modified to encompass treatment and health care operations communications to individuals about health-related products or services if the covered entity receives financial remuneration in exchange for making the communication from or on behalf of the third party whose product or service is being described. A covered entity must obtain an individual’s written authorization prior to sending marketing communications to the individual.
  • Prohibition on sale of PHI without authorization. An individual’s authorization is required before a covered entity may disclose protected health information in exchange for remuneration (i.e., “sell” protected health information), even if the disclosure is for an otherwise permitted disclosure under the Privacy Rule. The final rule includes several exceptions to this authorization requirement.
  • Clear and conspicuous fundraising opt-outs. Covered entities are required to give individuals the opportunity to opt-out of receiving future fundraising communications. The final rule strengthens the opt-out by requiring that it be clear and conspicuous and that an individual’s choice to opt-out should be treated as a revocation of authorization. However, the final rule leaves the scope of the opt-out to the discretion of covered entities. In addition to demographic information, health insurance status, and dates of health care provided to the individual, the final rule also allows covered entities to use and disclose: department of service information, treating physician information, and outcome information for fundraising purposes. Covered entities are prohibited from conditioning treatment or payment on an individual’s choice with respect to the receipt of fundraising communications. In addition, the NPP must inform individuals that the covered entity may contact them to raise funds and that they have a right to opt-out of receiving such communications.
  • Right to electronic copy of PHI. If an individual requests an electronic copy of protected health information that is maintained electronically in one or more designated record sets, the covered entity must provide the individual with access to the electronic information in the electronic form and format requested by the individual, if it is readily producible, or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual.
  • Right to restrict disclosures to health plans. When an individual requests a restriction on disclosure of his or her protected health information, the covered entity must agree to the requested restriction (unless the disclosure is otherwise required by law), if the request for restriction is on disclosures to a health plan for the purpose of carrying out payment or health care operations and if the restriction applies to protected health information for which the health care provider has been paid out of pocket in full. Covered health care providers will need to employ some method to flag or make a notation in the record with respect to the protected health information that has been restricted to ensure that such information is not inadvertently sent to or made accessible to the health plan for payment or health care operations purposes, such as audits by the health plan.
  • GINA changes for some health plans. Health plans that are HIPAA covered entities, except issuers of long term care policies, are prohibited from using or disclosing an individual’s protected health information that is genetic information for underwriting purposes. The rule does not affect health plans that do not currently use or disclose protected health information for underwriting purposes.
  • Provision for compound authorizations for research. A covered entity may combine conditioned and unconditioned authorizations for research, provided that the authorization clearly differentiates between the conditioned and unconditioned research components, clearly allows the individual the option to opt in to the unconditioned research activities, and the research does not involve the use or disclosure of psychotherapy notes. For research that involves the use or disclosure of psychotherapy notes, an authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for a use or disclosure of psychotherapy notes.
  • Required changes to Notice of Privacy Practices (NPP). NPPs must be modified and distributed to individuals to advise them of the following: (1) for health plans that underwrite, the prohibition against health plans using or disclosing PHI that is genetic information about an individual for underwriting purposes; (2) the prohibition on the sale of protected health information without the express written authorization of the individual, as well as the other uses and disclosures for which the rule expressly requires the individual’s authorization (i.e., marketing and disclosure of psychotherapy notes, as appropriate); (3) the duty of a covered entity to notify affected individuals of a breach of unsecured protected health information; (4) for entities that have stated their intent to fundraise in their notice of privacy practices, the individual’s right to opt out of receiving fundraising communications from the covered entity; and (5) the right of the individual to restrict disclosures of protected health information to a health plan with respect to health care for which the individual has paid out of pocket in full.
  • Broader disclosure of decedents’ PHI. Covered entities are permitted to disclose a decedent’s protected health information to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity.
  • Disclosure of proof of immunizations to schools. A covered entity is permitted to disclose proof of immunization to a school where State or other law requires the school to have such information prior to admitting the student. While written authorization will no longer be required to permit this disclosure, covered entities will still be required to obtain agreement, which may be oral, from a parent, guardian or other person acting in loco parentis for the individual, or from the individual himself or herself, if the individual is an adult or emancipated minor.
  • Tiered and enhanced enforcement provisions. The final rule conforms the regulatory language of the rule to the enhanced enforcement provisions of the HITECH Act. Penalties for non-compliance are based on the level of culpability with a maximum penalty of $1.5 million for uncorrected willful neglect.

As detailed above, the changes announced by HHS expand many of the requirements to business associates and subcontractors. Fortunately, the final rule provides a slight reprieve in one respect. It allows covered entities and business associates up to one year after the 180-day compliance date to modify business associate agreements and contracts to come into compliance with the rule.

Perhaps the most highly anticipated change found in the final omnibus rule relates to what constitutes a “breach” under the Breach Notification Rule. The final rule added language to the definition of breach to clarify that an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity (or business associate) demonstrates that there is a low probability that the PHI has been compromised. Stated differently, the rule removes the subjective harm standard and modifies the risk assessment to focus instead on the risk that the PHI has been compromised. The final rule also identifies four objective factors covered entities and business associates are to consider when performing a risk assessment to determine if the protected health information has been compromised and breach notification is necessary: (1) the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the protected health information or to whom the disclosure was made; (3) whether the protected health information was actually acquired or viewed; and (4) the extent to which the risk to the protected health information has been mitigated.

The final omnibus rule does not address the accounting for disclosures requirements, which are the subject of a separate proposed rule published on May 31, 2011, or the penalty distribution methodology requirement. HHS has stated that both will be the subject of future rulemaking.

The Office of Civil Rights has characterized the new rules as “the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.” Leon Rodriguez, the Director of the Office of Civil Rights, stated, “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

The HIPAA final omnibus rule is scheduled to be published in the Federal Register on January 25, 2013 and will go into effect on March 26, 2013. Covered entities and business associates must comply with the applicable requirements of the final rule by September 23, 2013. Entities affected by this final rule are strongly urged to begin an analysis of their existing HIPAA compliance policies and procedures and take steps to comply with the final rule.

The HHS Press Release announcing the final rule is available at:
http://www.hhs.gov/news/press/2013pres/01/20130117b.html

The full text of the rule is currently available at:
https://www.federalregister.gov/articles/2013/01/25/2013-01073/modifications-to-the-hipaa-privacy-security-enforcement-and-breach-notification-rules

© 2013 Dinsmore & Shohl LLP