Cutting Edge Issues in Asbestos Litigation Conference – March 18-19, 2013

The National Law Review is pleased to bring you information about the upcoming Perrin Cutting Edge Issues in Asbestos Litigation Conference:

Monday, March 18th – Tuesday, March 19th, 2013
Beverly Wilshire, A Four Seasons Hotel
Beverly Hills, CA

Federal Trade Commission (FTC) Recommends Privacy Practices for Mobile Apps

The National Law Review recently published an article, Federal Trade Commission (FTC) Recommends Privacy Practices for Mobile Apps, written by Daniel F. Gottlieb, Randall J. Ortman, and Heather Egan Sussman of McDermott Will & Emery:

On February 1, 2013, the Federal Trade Commission (FTC) released a report entitled “Mobile Privacy Disclosures: Building Trust Through Transparency” (Report), which urges mobile device application (app) platforms and developers to improve the privacy policies for their apps to better inform consumers about their privacy practices.  This report follows other recent publications from the FTC concerning mobile apps—including “Mobile Apps for Kids: Disclosures Still Not Making the Grade,” released December 2012 (December 2012 Report), and “Mobile Apps for Kids: Current Privacy Disclosures are Disappointing,” released February 2012 (February 2012 Report)—and the adoption of the amended Children’s Online Privacy Protection Act (COPPA) Rule on December 19, 2012.  (See “FTC Updates Rule for Children’s Online Privacy Protection” for more information regarding the recent COPPA amendments.)

Among other things, the Report offers recommendations to key stakeholders in the mobile device application marketplace, particularly operating system providers (e.g., Apple and Microsoft), application developers, advertising networks and related trade associations.  Such recommendations reflect the FTC’s enforcement and policy experience with mobile applications and public comment on the matter; however, where the Report goes beyond existing legal requirements, “it is not intended to serve as a template for law enforcement actions or regulations under laws currently enforced by the FTC.”  Nevertheless, such key stakeholders should take the FTC’s recommendations into account when determining how they will collect, use and transfer personal information about consumers and preparing privacy policies to describe their information practices because they reflect the FTC’s expectations under its consumer protection authorities.

At a minimum, operating system providers and application developers should review their existing privacy policies and make revisions, as necessary, to comply with the recommendations included within the Report.  However, all key stakeholders should consider the implications of recommendations specific to their industry segment, as summarized below.

Operating System Providers

Characterized within the Report as “gatekeepers to the app marketplace,” the FTC states that operating system providers have the “greatest ability to effectuate change with respect to improving mobile privacy disclosures.”  Operating system providers, which create and maintain the platform upon which mobile apps run, promulgate rules that app developers must follow in order to access the platform and facilitate interactions between developers and consumers.  Given their prominent role within the app marketplace, it is not surprising that the FTC directs numerous recommendations toward operating system providers, including:

  • Just-In-Time Disclosures.  The Report urges operating system providers to display just-in-time disclosures to consumers and obtain express, opt-in (rather than implied) consent before allowing apps to access sensitive information like geolocation (i.e., the real world physical location of a mobile device), and other information that consumers may find sensitive, such as contacts, photos, calendar entries or recorded audio or video.  Thus, operating system providers and mobile app developers should carefully consider the types of personal information practices that require an opt-in rather than mere use of the app to evidence consent.
  • Privacy Dashboard.  The Report suggests that operating system providers should consider developing a privacy “dashboard” that would centralize privacy settings for various apps to allow consumers to easily review the types of information accessed by the apps they have downloaded.  The “dashboard” model would enable consumers to determine which apps have access to different types of information about the consumer or the consumer’s device and to revisit the choices they initially made about the apps.
  • Icons.  The Report notes that operating system providers currently use status icons for a variety of purposes, such as indicating when an app is accessing geolocation information.  The FTC suggests expansion of this practice to provide an icon that would indicate the transmission of personal information or other information more broadly.
  • Best Practices.  The Report recommends that operating system providers establish best practices for app developers.  For example, operating system providers can compel app developers to make privacy disclosures to consumers by restricting access to their platforms.
  • Review of Apps.  The Report suggests that operating system providers should also make clear disclosures to consumers about the extent to which they review apps developed for their platforms.  Such disclosures may include conditions for making apps available within the platform’s app marketplace and efforts to ensure continued compliance.
  • Do Not Track Mechanism.  The Report directs operating system providers to consider offering a “Do Not Track” (DNT) mechanism, which would provide consumers with the option to prevent tracking by advertising networks or other third parties as they use apps on their mobile devices.  This approach allows consumers to make a single election, rather than case-by-case decisions for each app.

App Developers

Although some practices may be imposed upon app developers by operating system providers, as discussed above, app developers can take several steps to adopt the FTC’s recommendations, including:

  • Privacy Policies.  The FTC encourages all app developers to have a privacy policy, and to include reference to such policy when submitting apps to an operating system provider.
  • Just-In-Time Disclosures.  As with the recommendations for operating system providers, the Report suggests that app developers provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information.
  • Coordination with Advertising Networks.  The FTC argues for improved coordination and communication between app developers and advertising networks and other third parties that provide certain functions, such as data analytics, to ensure app developers have an adequate understanding of the software they are incorporating into their apps and can accurately describe such software to consumers.
  • Participation in Trade Associations.  The Report urges app developers to participate in trade associations and other industry organizations, particularly in the development of self-regulatory programs addressing privacy in mobile apps.

Advertising Networks and Other Third Parties

By specifically including advertising networks and other third parties in the Report, the FTC recognizes that cooperation with such networks and parties is necessary to achieve the recommendations outlined for operating system providers and app developers.  The recommendations for advertising networks and other third parties include:

  • Coordination with App Developers.  The Report calls upon advertising networks and other third parties to communicate with app developers to enable such developers to provide accurate disclosures to consumers.
  • DNT Mechanism.  Consistent with its recommendations for operating system providers, the FTC suggests that advertising networks and other third parties work with operating system providers to implement a DNT mechanism.

Trade Associations

The FTC states that trade associations can facilitate standardized privacy disclosures.  The Report makes the following recommendations for trade associations:

  • Icons.  Trade associations can work with operating system providers to develop standardized icons to indicate the transmission of personal information and other data.
  • Badges.  Similar to icons, the Report suggests that trade associations consider developing “badges” or other visual cues used to convey information about a particular app’s data practices.
  • Privacy Policies.  Finally, the FTC suggests that trade associations are uniquely positioned to explore other opportunities to standardize privacy policies across the mobile app industry.

Children and Mobile Apps

Commenting on progress between the February 2012 Report and December 2012 Report, both of which relied on a survey of 400 mobile apps targeted at children, the FTC stated that “little or no progress has been made” in increasing transparency in the mobile app industry with regard to privacy practices specific to children.  The December 2012 Report suggests that very few mobile apps targeted to children include basic information about the app’s privacy practices and interactive features, including the type of data collected, the purpose of the collection and whether third parties have access to such data:

  • Privacy Disclosures.  According to the December 2012 Report, approximately 20 percent of the mobile apps reviewed disclosed any privacy-related information prior to the download process and the same proportion provided access to a privacy disclosure after downloading the app.  Among those mobile apps, the December 2012 Report characterizes their disclosures as lengthy, difficult to read or lacking basic detail, such as the specific types of information collected.
  • Information Collection and Sharing Practices.  The December 2012 Report notes that 59 percent of the mobile apps transmitted some information to the app developer or to a third party.  Unique device identifiers were the most frequently transmitted data point, which the December 2012 Report cites as problematic, suggesting that such identifiers are routinely used to create user “profiles,” which may track consumers across multiple mobile apps.
  • Disclosure Practices Regarding Interactive App Features.  The FTC reports that nearly half of the apps that stated they did not include advertising actually contained advertising, including ads targeted to a mature audience.  Similarly, the December 2012 Report notes that approximately 9 percent of the mobile apps reviewed disclosed that they linked with social media applications; however, this number represented only half of the mobile apps that actually linked to social media applications.  Mobile app developers using a template privacy policy as a starting point for an app’s privacy policy should carefully tailor the template to reflect the developer’s actual privacy practices for the app.

Increased Enforcement

In addition to the reports discussed above and the revisions to the COPPA Rule, effective July 1, 2013, the FTC has also increased enforcement efforts relating to mobile app privacy.  On February 1, 2013, the FTC announced an agreement with Path Inc., operator of the Path social networking mobile app, to settle allegations that it deceived consumers by collecting personal information from their mobile device address books without their knowledge or consent.  Under the terms of the agreement, Path Inc. must establish a comprehensive privacy program, obtain independent privacy assessments every other year for the next 20 years and pay $800,000 in civil penalties specifically relating to alleged violations of the COPPA Rule.  In announcing the agreement, the FTC commented on its commitment to continued scrutiny of privacy practices within the mobile app industry, adding that “no matter what new technologies emerge, the [FTC] will continue to safeguard the privacy of Americans.”

Key Takeaways

App developers and other key stakeholders should consider the following next steps:

  • Review existing privacy policies to confirm they accurately describe current privacy practices for the particular app rather than merely following the developer’s preferred template privacy policy
  • Where practical, update actual privacy practices and privacy policies to be more in line with the FTC’s expectations for transparency and consumer choice, including use of opt-in rather than opt-out consent models
  • Revisit privacy practices in light of heightened FTC enforcement under COPPA and its other consumer protection authorities

© 2013 McDermott Will & Emery

People Still Value Privacy. Get Over It. Online Privacy Alliance.

An article, People Still Value Privacy. Get Over It. Online Privacy Alliance., recently published in The National Law Review, was written by Mark F. Foley of von Briesen & Roper, S.C.:

Sun Microsystems’ CEO Scott McNealy famously quipped to reporters in 1999: “You have zero privacy anyway. Get over it.” Sun on Privacy: ‘Get Over It’, WIRED, Jan. 26, 1999, http://www.wired.com/politics/law/news/1999/01/17538.

At the time, Sun Microsystems was a member of the Online Privacy Alliance, an industry coalition seeking to head off government regulation of online consumer privacy in favor of industry self regulation. Although McNealy was widely criticized for his views at the time, it is fair to say that much of the technology world agreed then, or agrees now with his remark.

Have we gotten over it? Do we reside in a world in which individuals assign so little value to personal privacy that companies who collect, process, analyze, sell, and use personal data are free to do whatever they want?

There are indications that if it ever were true that consumers did not value privacy, their interest in privacy is making a comeback. Where commercial enterprises do not align their practices with consumer expectations and interests, a regulator will step in and propose something unnecessarily broad and commercially damaging, or outraged consumers will take matters into their own hands. Recent privacy tornadoes provide the proof.

For some time, employers have accessed public information from social media sites to monitor employee activities or to investigate the personal qualifications of prospective hires. But recently, companies have gone further, demanding that employees and prospects provide user names and passwords that would enable the company to access otherwise limited distribution material. Dave Johnson, a writer for CBS Money Watch, said employer demands for access to an employee’s or prospective hire’s Facebook username and password are “hard to see … as anything other than an absolutely unprecedented invasion of privacy.”  http://www.cbsnews.com/8301-505143_162-57562365/states-protect-employees-social-media-privacy/

The reaction was predictable. In the past year, six states – California, Delaware, Illinois, Maryland, Michigan and New Jersey – have reacted to public outcries by outlawing the practice of employers coercing employees into turning over social media account access information. At least eight more states have similar bills pending, including Massachusetts, Minnesota, Missouri, New York, Ohio, Pennsylvania, South Carolina, and Washington. See National Conference of State Legislatures Legislation Summary as of Jan. 8, 2013 at http://www.ncsl.org/issues-research/telecom/employer-access-to-social-media-passwords.aspx.

Similarly, Congress enacted the Children’s Online Privacy Protection Act (COPPA) in 1998 in response to the failure of self-regulation to limit the scope and nature of information collected from young children. COPPA and implementing regulations limited the collection of information from or about children less than 13 years old. In the past several years, it was widely conceded that this law was not effective in preventing the collection and use of personal information about our children, particularly where photographs and mobile phones were concerned. Companies collecting and using information about children took no action to satisfy parental concerns.

The reaction? In December 2012, the Federal Trade Commission issued amended regulations to make clear that COPPA rules apply to a child-oriented site or service that integrates outside services, such as plug-ins or advertising networks, to collect personal information from visitors. The definition of restricted personal information now includes geolocation as well as photos, videos, and audio files that contain a child’s image or voice, and “persistent identifiers” that recognize users over time and across different websites or services.

Parents and job counselors have been warning for years that teenagers and young adults must not post unflattering images to their Facebook pages because, even if deleted, they will persist somewhere on the internet and may be found by prospective colleges and employers. There were many anecdotes about teenagers committing suicide after nasty postings or the distribution of photos. There did not seem to be a practical solution to the problem.

Last year, the European Commission proposed a sweeping revision to its already difficult data privacy rules to include an explicit “right to be forgotten.” If the proposal is adopted, individuals can demand that websites remove personal photos or other data. Companies that fail or refuse to do so could be fined an amount based on their annual income. The rules, as proposed, would apply both to information the data subject posted about herself and embarrassing information others posted about her, unless the website can prove to a regulator that the information is part of a legitimate journalistic, literary, or artistic exercise. Such a new law would set up a dramatic clash between the European concept of privacy and the American concept of free speech.

For the past three years we’ve heard shocking stories about phone Apps that quietly collect information about our searches, interests, contacts, locations, and more without disclosure or a chance to opt out. The uproar led to only limited action that has not satisfied consumer concerns.

The reaction? U.S. Representative Hank Johnson has proposed The Application Privacy, Protection, and Security (APPS) Act of 2013, which would require App developers to disclose their information-gathering practices and allow users to require that their stored information be deleted.

Increasingly, consumers are not waiting for regulatory action, but are taking privacy protection into their own hands. For example, Instagram built a business on its photo-sharing App. Shortly after it became popular enough to be purchased by Facebook, Instagram issued new terms of service and privacy policies that appeared to give the company the right to use uploaded images without permission and without compensation. The Washington Post described consumer reaction as a “user revolt. . . on Twitter where shock and outrage mixed with fierce declarations swearing off the popular photo-sharing site for good.” http://articles.washingtonpost.com/2012-12-18/business/35908189_1_kevin-systrom-instagram-consumer-privacy. The Twitter response was so memorable that perhaps, in the future, “insta-gram” will come to have a secondary meaning of “a massively parallel instantaneous complaint in cyberspace.”

The blogosphere and Twitterterra were filled with apologies and explanations by Instagram and others stating the company was not a bad actor and truly had no intention of using photos of your naked child to sell diapers without your permission. Even some of the harshest critics admitted, “it’s [not] quite as dramatic as everyone . . . made it seem like on Twitter.” See Theron Humphrey quoted in David Brancaccio’s Marketplace Tech Report for December 19, 2012, http://www.marketplace.org/topics/tech/instagrams-privacy-backlash-and-dirty-secret-data-caps. But the truth about the revised terms and conditions may not matter because consumer goodwill toward Instagram had been destroyed by the perception.

Instagram users are not alone in their disapproval of commercial uses of personal information. Consumer analytics company LoyaltyOne released a July 2012 survey that shows U.S. consumers are increasingly protective of personal information. Of the 1,000 consumers responding, only about 50% said they would be willing to give a trusted company their religious or political affiliation or sexual orientation, only 25% were willing to share commonly commercialized data such as their browsing history, and only 15% were willing to share their smart phone location. See summary of findings at http://www.retailcustomerexperience.com/article/200735/Consumers-still-value-privacy-survey-shows. USA Today reported that an ISACA survey of adults 18 years and older showed that 35% would not share any personal information if offered 50% off a $100 item, 52% would not share any personal information if offered 50% off a $500 item, and 55% would not share any personal information if offered 50% off a $1,000 item. USA TODAY, Bigger Discount, Less Sharing, January 21, 2013.

I’m confident everyone reading this Update has been sufficiently careful and prudent in their own personal and professional lives; but who among us has not had an, ahem, family member, who does not regret a photo posted to a social media site, an unappreciated email joke, or a comment in a tweet or blog that looks much less “awesomely insightful” after the passage of a few days. (Is there an emoticon meaning “I’m being really facetious”?) Such brief moments of indiscretion can lead to disproportionately bad results.

Have commercial collectors, users, and resellers of such information shown sufficient willingness to respond to consumer’s widespread discomfort with the permanent retention and uncontrolled access to their personal information, candid photos, and musings?

We no longer inhabit a Wild West without limit on the collection and use of personal information for commercial purposes. Be assured, that when something perceived to be bad happens, there will be a violent, goodwill damaging, market value destroying, throw-out-the-baby-with-the-bath-water Instagram-like response that will obliterate some current business models and corporate franchises. Notwithstanding terms and conditions of service that try contractually to deprive users of any right to complain about your use of their data, they will complain and they will vote, with both their Feet and their Tweets.

There are very good social, psychological, religious, and political reasons why privacy should be protected. See Wolfgang Sofsky, PRIVACY: A MANIFESTO (Princeton Univ. Press 2008). As consumers and parents we instinctively know that privacy is important, even if we can’t precisely define it and can’t say exactly why. Even though we’ve sometimes been too foolishly willing to let go of privacy protections in exchange for the convenience of a nifty new website or clever new App, we do, in the end, still care. We know there is something important at issue here. We should not forget this insight when we change hats and become business people deciding what data to collect and how to use it.

Companies that want to avoid receiving an “insta-gram,” that want to build long term relationships with consumers, need to accept that sentiment has changed when designing their programs, analytics, and business models. It’s time to throw out McNealy’s aphorism. Businesses need to recognize that today consumers increasingly do value their privacy, and get over it.

©2013 von Briesen & Roper, S.C.

New Children’s Product Testing and Certification Rule Set to Impact Manufacturers and Importers on February 8

The National Law Review recently published an article written by Charles A. Samuels and Matthew Cohen of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. regarding children’s product testing:

On February 8, 2013, manufacturers and importers of children’s products (a consumer product designed or intended primarily for children 12 years of age or younger) will be required to follow certain testing and certification protocols established by the U.S. Consumer Product Safety Commission (“CPSC”).[1] The new rule provides guidance on how to ensure a product meets all applicable safety standards over continued production. Understanding the new testing and certification rule is critical for all manufacturers and importers of children’s products. The deadline to be in compliance with the rule comes at a time when the safety of children’s products continues to receive heightened scrutiny by the federal government.

Brief Background

The Consumer Product Safety Act[2] (as amended by the Consumer Product Safety Improvement Act of 2008) requires that nearly all children’s products undergo third party testing. The law also mandates that manufacturers, importers and private labelers certify that their children’s products meet all applicable CPSC rules. Therefore, third party testing serves as the basis for a company to certify, via a “Children’s Product Certificate,” that its children’s products meet all such requirements.

In 2011, the CPSC enacted a final rule establishing protocols with respect to initial and continued testing and certification for children’s products. This rule has been called by some the “reasonable testing rule” because it establishes standards for testing and certification programs. Importantly, on February 8, 2013, this rule will become effective and apply to all children’s products manufactured after that date. By this time, children’s product manufacturers and importers must have a documented testing and certification program, and all products must be made per the terms of this program.

Third Party Testing and Certification

There are three types of third party testing discussed in the new rule: (1) initial testing; (2) material change testing; and (3) periodic testing. It is critical to have an understanding of each phase of testing and certification, and how they affect manufacturing and testing processes.

  • Initial Testing: Manufacturers of children’s products must submit “a sufficient number of samples” to an accredited CPSC third party laboratory to ensure compliance with all applicable product safety rules. The manufacturer or importer must issue a Children’s Product Certificate to their retailers and distributors (or to the government upon request) based on these third party laboratory test results.
  • Material Change Testing: If a material change is made to a children’s product (or to a component part of that product) after initial testing and certification, then the product or component part needs to be retested by a third party laboratory and a new certificate needs to be issued.
  • Periodic Testing: Finally, manufacturers must now document a “periodic testing plan” for any continuing production of a children’s product. If a children’s product initially is tested and certified, and then additional production continues, effective February 8, 2013, periodic testing is required for all the applicable children’s product safety rules, even if there are no material changes to the product. The periodic testing plan must provide the manufacturer with a “high degree of assurance” that its children’s products manufactured after the issuance of a Children’s Product Certificate comply with the CPSC rules. Typically, periodic testing must be conducted at least once per year, although the time interval may vary depending on the product and other factors such as high variability in testing results, consumer complaints, or the manufacturing process itself.

A Written Testing and Certification Plan

As of February 8, 2013, manufacturers must also develop a written plan for periodic testing of their children’s products, which must include the tests to be conducted, the intervals at which the tests will be conducted, and the number of samples to be tested. The rule also requires that companies include in their plan a protocol to address a material change in product design or manufacturing process, procedures to safeguard against the exercise of undue influence on a third party laboratory, policies regarding employee training, and a recordkeeping plan, among others.

How Can You Ensure that You are Complying with the New Rule?

Firms may need to seek experienced counsel to:

  • Assess your current product testing and certification practices and policies and how to bring them into compliance with all CPSC requirements.
  • Advise your company on the many other CPSC regulations, guidance documents and enforcement policies, including those dealing with the lead paint and substrate limits; limits on phthalates in certain children’s products; whistleblower protection for employees of product makers and sellers; new restrictions on the exportation of potentially violative products; a new CPSC public database of consumer complaints; and the transformation of voluntary into mandatory standards by the CPSC.
  • Advocate for your company or industry group before the CPSC to ensure that your interests and rights under the law are fully protected.

Mintz Levin has assembled a team that is devoted to CPSC-administered laws and regulations. We stand ready to advise and assist clients to anticipate and respond to compliance issues arising under federal, state, and international product safety laws. Practice leader Chuck Samuels has represented clients in the product safety arena for almost 30 years. We are presently advising trade associations, manufacturers, retailers, and importers on how to not only prevent problems from arising, but capitalize on new opportunities.


[1] This rule, entitled “Testing and Labeling Pertaining to Product Certification,” is codified at 16 C.F.R. § 1107.

[2] 15 U.S.C. §§ 2051–2089.

©1994-2013 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

Recent Consumer Financial Protection Bureau “CFPB” Mortgage Rules to Absorb and Implement

Barnes & Thornburg LLP‘s Financial Institutions Practice Group recently had an article, Recent Consumer Financial Protection Bureau “CFPB” Mortgage Rules to Absorb and Implement, featured in The National Law Review:

January 2013 was a very busy month for the Consumer Financial Protection Bureau in promulgating rules relating to consumer mortgage lending. The CFPB promulgated seven rules pertaining to consumer mortgage lending during January 2013:

  • Ability to Repay (ATR) and Qualified Mortgage (QM) Standards under TILA/Regulation Z
  • Escrow Requirements for Higher-Priced Mortgages Under TILA/Regulation Z
  • High-Cost Mortgage and Homeownership Counseling Amendments to TILA/Regulation Z and Homeownership Counseling Amendments to RESPA/Regulation X
  • RESPA/Regulation X and TILA/Regulation Z Mortgage Servicing
  • Appraisals for Higher-Priced Mortgage Loans (issued jointly with other agencies)
  • Disclosure and Delivery Requirements for Copies of Appraisals and Other Written Valuations Under ECOA/Regulation B
  • Loan Originator Compensation Requirements Under TILA/Regulation Z

With so many new CFPB rules, there is much to be learned and absorbed by loan originators, mortgage brokers, mortgage lenders, and mortgage servicers between now and the dates on which such rules will go into effect. With the exception of the High-Cost Mortgage and Homeownership Counseling Amendments to TILA/Regulation Z, the Homeownership Counseling Amendments to RESPA/Regulation X and the Escrow Requirements for Higher-Priced Mortgages rule, which will go into effect on June 1, 2013, and certain limited provisions contained in the Loan Originator Compensation rule, which will also go into effect on June 1, 2013, all of these rules have effective dates in January 2014, one year after their respective promulgation dates.

Although each of these rules is important and poses certain compliance challenges, we will summarize in this Alert two of the most significant rules (largely due to their very widespread applicability and their overall complexity).  These are (1) the ATR and QM Standards rule; and (2) the Loan Originator Compensation rule.

ATR and QM Standards

The ATR and QM Standards rule, together with accompanying preamble, explanations and commentary, is over 800 pages long. The rule, among other things, implements a Dodd-Frank Act amendment to TILA requiring a consumer mortgage creditor, before originating a mortgage loan, to consider the borrower’s ability to repay.  The new rule allows a creditor to satisfy this requirement by: (1) satisfying the general ATR standards, which would require the creditor to consider eight different and discrete factors relating to the borrower’s ability to repay (generally using reasonably reliable third-party records to verify the information considered); (2) refinancing a “non-standard mortgage” into a “standard mortgage”; (3) originating a “rural balloon-payment QM” if, but only if, the creditor qualifies under a rigorous standard under which few creditors would qualify (creditors must have less than $2 billion in assets, must originate no more than 500 first-lien mortgages, and must originate at least 50 percent of the first-lien mortgages in counties that are rural or underserved); or (4) originating a QM.

The advantage of meeting the QM standards is that, in general, the creditor will obtain an irrebuttable presumption of the borrower’s ability to repay the mortgage, which would block most lawsuits.  However, if the mortgage is a “higher-priced mortgage,” the creditor obtains only a rebuttable presumption of the borrower’s ability to repay the mortgage, which makes such loans more easily challenged in court.  A “higher-priced mortgage” is one which is priced 1.5 percentage points higher than a comparable loan in Freddie Mac’s Primary Mortgage Market Survey. This distinction will likely make “higher-priced mortgages,” or so-called subprime loans, less available.  In this regard, some pundits have predicted that, in the future, only mortgages meeting the QM standards and that are not “higher-priced mortgages” or “high-cost mortgages” will be generally available.

    To qualify as a QM the mortgage loan must satisfy the following standards:

    • provide for regular periodic payments that are substantially equal (except for ARMs and step-rate loans) that do not result in negative amortization or allow the borrower to defer repayment of principal, or result in a balloon payment (except for balloon-payment QMs);
    • have a term no greater than 30 years;
    • have total points and fees that do not exceed the permitted percentage of the loan amount (which is generally three percent (3%), subject to a few exceptions and refinements);
    • be underwritten taking into account the monthly payment and any mortgage related obligations, using the maximum interest rate that may apply during the first five years and periodic payments that will repay either (i) the outstanding principal and interest over the remaining term of the loan after the interest rate adjusts to the five-year maximum or (ii) the loan amount over the loan term;
    • for which the creditor considers and verifies the income or assets, and current debt, alimony, and child support obligations; and
    • for which the consumer’s debt-to-income ratio does not exceed forty-three percent (43%) when the loan is consummated.

    Notwithstanding these stringent QM standards, on a temporary basis, and for a period not to exceed a maximum of seven years, the CFPB created a second category of QMs that meet some, but not all, of the general QM standards. Simply stated, to qualify under this second category, the loan must meet the general product feature prerequisites for a QM and also satisfy the underwriting standards for purchase, guaranty, or insurance (as applicable) of either (i) the GSEs, as long as they operate under Federal conservatorship or receivership, or (ii) HUD, the VA, the USDA, or the Rural Housing Service.

    This rule also implements a provision of the Dodd-Frank Act that prohibits prepayment penalties, except for certain fixed-rate QMs where the penalty meets certain restrictions and the creditor offered the consumer an alternative mortgage loan without the penalty.

    Loan Originator Compensation

    In connection with the CFPB’s new Loan Originator Compensation rule, the CFPB published over 500 pages of background and prefatory material, explanations, and commentary. In this rule, the CFPB both expands and clarifies existing provisions in Regulation Z regulating loan originator compensation.  Many, if not most, of the provisions in the final rule have substantially identical counterparts in current Regulation Z § 1026.36(d) and the related Official Staff Commentary.

    However, the final rule has expanded treatment regarding the prohibited use of “proxies” for a term of a transaction in awarding loan originator compensation.  In this regard, the final rule clarifies the definition of a proxy as a factor that consistently varies with a transaction over a significant number of transactions, and the loan originator has the ability, directly or indirectly, to add, drop, or change the factor in originating the transactions.

    While retaining current Regulation Z’s general prohibition against subsequent downward adjustments to a loan originator’s compensation based upon changes in the transaction terms (e.g., to match or better the terms of a competitor), the final rule, unlike current Regulation Z, allows loan originators to reduce their compensation to defray certain unexpected increases in estimated settlement costs.

    Although the final rule generally prohibits loan originator compensation based upon the profitability of a transaction or a pool of transactions, it makes certain limited exceptions to this general rule with respect to various kinds of tax-advantaged retirement plans and other profit-sharing plans.  In this regard, mortgage-related business profits can be used to make contributions to certain tax-advantaged retirement plans and to provide bonuses and contributions to other plans that do not exceed 10 percent of the individual loan originator’s total compensation (but employers can elect whether or not to include contributions to tax-advantaged retirement plans in the “total compensation” calculations).

    Regulation Z currently provides that, where a loan originator receives compensation directly from a consumer in connection with a covered mortgage loan, no loan originator may receive compensation from another person in connection with the same transaction.  The Official Staff Commentary to current Regulation Z indicates, however, that this prohibition does not prohibit the employer of a loan originator from paying such loan originator a salary or an hourly wage in that instance.  As a pleasant surprise, the final rule permits mortgage brokers to pay their employees or independent contractors a commission on the particular mortgage loan, so long as the commission is not based upon the terms of such mortgage loan.

    The CFPB has elected not to issue a rule implementing a provision of the Dodd-Frank Act prohibiting consumers from paying upfront points or fees on a transaction if the loan originator’s compensation is paid by a person other than the consumer (either to the creditor’s own employee or to a mortgage broker).  Instead, the CFPB elected to grant a temporary exemption from this prohibition while it explores the potential effects of such a prohibition.

    The final rule also contains some provisions unrelated to loan originator compensation.  Specifically, in furtherance of other provisions in the Dodd-Frank Act, the final rule (1) prohibits mandatory arbitration clauses in connection with both residential mortgage loans and HELOCS; (2) prohibits the application or interpretation of provisions in residential mortgage loans and HELOCS and related agreements that would have the effect of barring claims in a court in connection with an alleged violation of Federal law; and (3) prohibits the financing of any premiums or fees for credit insurance (such as credit life insurance) in connection with a consumer credit transaction secured by a dwelling (but allows for credit insurance to be paid on a monthly basis).  These are the only provisions of the final rule which have a June 1, 2013, effective date.

    Other provisions in the final rule address (1) the additional obligations imposed on depository institutions in ensuring that their loan originator employees meet character, fitness, and criminal background standards similar to existing SAFE Act licensing standards and are properly trained; and (2) expanded recordkeeping requirements pertaining to loan originator compensation applicable to both creditors and mortgage brokers.

    Recess Appointment of Richard Cordray

    The Jan. 25, 2013 decision of the D.C. Circuit Court of Appeals invalidating recess appointments to the National Labor Relations Board calls into question the recess appointment of Richard Cordray as head of the CFPB.  What impact this potentially invalid appointment will have on the CFPB regulations promulgated in January 2013 is undetermined at this time.

© 2013 BARNES & THORNBURG LLP

2013 ADA Pool Lift Compliance Deadline: Has Your Business Complied?

The National Law Review recently published an article by Tara L. Tedrow with Lowndes, Drosdick, Doster, Kantor & Reed, P.A. regarding pool lifts:

January 31, 2013 marks the date for compliance with the Americans with Disabilities Act (“ADA”) Standards for Accessible Design related to installing fixed pool lifts for swimming pools, wading pools and spas.  Though the Department of Justice (“DOJ”) previously changed its hard deadline for compliance with the installation requirements from March 15, 2012 to January 31, 2013, entities covered by Title III of the ADA should not rely on any more extensions.  If complying with the new ADA requirements fell off your to-do list, it’s time to start planning.

Here are a few questions to ask yourself when understanding how these rules could affect you:

Are you a Title III entity?

Whether you even have to worry about the fixed pool lift requirements depends on whether you are a Title III entity.  Title III prohibits discrimination on the basis of disability by places of public accommodation, including many private businesses, and places accessibility requirements on such businesses.  Title III entities are businesses such as hotels and motels, health clubs, recreation centers, public country clubs or other businesses that have swimming pools, wading pools and spas.  If you fall under that category, the 2010 Standards apply.

What is this pool lift requirement?

The 2010 Standards require that newly constructed or altered swimming pools, wading pools, and spas have an accessible means of entrance and exit to pools for those people with disabilities.  However, providing accessibility is conditioned on whether providing access through a fixed lift is “readily achievable.”  The technical specifications for when a means of entry is accessible are available on the DOJ website. Other requirements, based on pool size, include providing a certain number of accessible means of entry and exit, which are outlined in Section 242 of the Standards.  However, businesses should consider the differences in application of the rules depending on whether the pool is new or altered, or whether the swimming pool was in existence before the effective date of the new rule.  Full compliance may not be required for existing facilities; Sections 242 and 1009 of the 2010 Standards outline such exceptions.

What exactly is a “fixed pool lift”?

A fixed lift is one that is attached to the pool deck or apron in some fashion.  Conversely, a non-fixed lift is not attached in any way.  Many businesses with pools have purchased or own portable (i.e. non-fixed) pool lifts.  If that portable lift is attached to the pool deck, then it could be considered a fixed lift and compliant under the rules.  Thus, owners of a portable lift may be able to comply with the ADA requirements by affixing lifts to the pool deck or apron.  Moreover, owners of such portable lifts will be required to affix the lifts as a means of compliance if it is readily achievable.  This exception for certain non-fixed lifts stemmed from confusion over the new regulations, spurring the DOJ to grant exceptions to certain entities that purchased an otherwise compliant non-fixed lift before March 15, 2012.  Those exceptions apply only if the non-fixed lifts comply with the 2010 Standards and if the owners keep the portable lifts in position for use at the pool and operational during all times that the pool is open to guests.

What is the “readily achievable” standard?

The ADA does not require providing access to existing pools through a fixed lift if it is not “readily achievable,” meaning that providing access is easily accomplishable without much difficulty or expense.  The DOJ has specified that this standard is a flexible, case-by-case analysis, so that the ADA requirements are not unduly burdensome.  However, businesses cannot simply claim that installing a fixed pool lift is not readily achievable.  Rather, factors such as the nature and cost, the overall financial resources of the site and the effect on expenses and resources are all considered and evaluated when determining the application of the standard. Though for some businesses immediate compliance may seem impossible because of issues such as the backorder on pool lifts, that is not a valid excuse for non-compliance.  Businesses are still required to comply with the 2010 Standards through other means, as specified in the Standards.

Should I shut my pool down if I haven’t complied?

If accessibility is not readily achievable, businesses should develop plans for providing access into the pool when it becomes readily achievable in the future.  Businesses that are worried about their current status of compliance should consult with legal counsel or call the ADA Information Line to speak with an ADA Specialist regarding any further questions.

Though compliance with the pool lift requirements may seem onerous, it is necessary to prevent legal and financial liability on the part of a Title III covered business.  These requirements also potentially affect tax breaks under the IRS Code, insurance coverage, ongoing maintenance and accessibility obligations and staff training requirements, all of which are even more of a reason to take compliance seriously.

© Lowndes, Drosdick, Doster, Kantor & Reed, PA

Data Privacy Day 2013 – Passwords

The National Law Review recently featured an article on Passwords written by Cynthia J. Larose with Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.:

Something everyone can do for Data Privacy Day:  make it a point to change at least one password and make it “long and strong.”

Here are some tips for building strong passwords from David Sherry, Chief Information Security Officer at Brown University:

To create a strong password, you should use a string of text that mixes numbers, letters that are both lowercase and uppercase, and special characters. Best practice says it should be eight characters, but the more the better. The characters should be random, and not follow from words, alphabetically, or from your keyboard layout.

So how do you make such a password?

Spell something backwards. Example: Turn “New York” into “kroywen”

Use “l33t speak”: Substitute numbers for certain letters.  Example: Turn “kroywen” into “kr0yw3n”

Randomly throw in some capital letters.  Example: Turn “kr0yw3n” into “Kr0yW3n”

Don’t forget the special character.  Example: Turn “Kr0yW3n” into “!Kr0y-W3n$”

So, you say you can’t remember “complex” passwords…

One suggestion: create one, very strong, password and “append” it with an identifier:

!Kr0y-W3n$Bro

!Kr0y-W3n$Ama

!Kr0y-W3n$Boa

!Kr0y-W3n$Goo

!Kr0y-W3n$Yah
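The rules quoted above (at least eight characters; a mix of lowercase, uppercase, digits and special characters; nothing taken from the alphabet, the digit sequence or a keyboard row) can be turned into a check that a site runs when a user picks a password. The following is an added example written for this page, not code from the article, from Mintz Levin or from Brown University. It assumes a US QWERTY layout, treats three sequential characters as a "run", and counts any character in Python's `string.punctuation` as special; those choices are illustration assumptions, not part of the article's tips. Running the article's own intermediate strings through it shows each step fixing one violation until the final form passes.

```python
"""Password policy check built from the tips quoted above (added example).

Assumptions made for this illustration (not stated in the article):
  * runs of RUN_LENGTH sequential characters are rejected,
  * KEYBOARD_ROWS describe a US QWERTY keyboard,
  * string.punctuation defines the "special character" class.
"""
import string

MIN_LENGTH = 8   # "eight characters, but the more the better"
RUN_LENGTH = 3   # assumption: three characters in sequence count as a run

# Assumption: US QWERTY rows; every row is checked forwards and backwards.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
SEQUENCES = KEYBOARD_ROWS + (string.ascii_lowercase, string.digits)


def _runs(seq, n):
    """Yield every substring of length n of seq and of seq reversed."""
    for s in (seq, seq[::-1]):
        for i in range(len(s) - n + 1):
            yield s[i:i + n]


def find_sequential_run(password, run_length=RUN_LENGTH):
    """Return the first alphabetical, numeric or keyboard-row run found, or None.

    The comparison is case-insensitive so that "Abc" is caught like "abc".
    """
    lowered = password.lower()
    for seq in SEQUENCES:
        for run in _runs(seq, run_length):
            if run in lowered:
                return run
    return None


def check_password(password):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # One entry per character class the article asks for.
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"no {name} character")

    run = find_sequential_run(password)
    if run is not None:
        problems.append(f"contains sequential run {run!r}")
    return problems


if __name__ == "__main__":
    # The article's own progression, plus a keyboard-row example.
    for candidate in ("kroywen", "kr0yw3n", "Kr0yW3n", "!Kr0y-W3n$",
                      "!Kr0y-W3n$Bro", "qwerty12!"):
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

The checker returns the list of violations rather than a pass/fail bit so that a signup form can tell the user which rule was missed. The run detector is deliberately simple (fixed-length substrings of a few known sequences); a production check would add a blocklist of common passwords, which the article's tips do not cover.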

©1994-2013 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

HIPAA Final Omnibus Rule Brings “Sweeping Change” to Health Care Industry

On January 17, 2013, the U.S. Department of Health and Human Services (HHS) announced the release of the HIPAA final omnibus rule, which was years in the making. The final rule makes sweeping changes to the HIPAA compliance obligations of covered entities and business associates and comprises four final rules wrapped into one:

  1. Modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and certain other modifications to improve the rules, which were issued as a proposed rule on July 14, 2010;
  2. Changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act and to adopt the additional HITECH Act enhancements to the Enforcement Rule that were not previously adopted in the October 30, 2009 interim final rule, including provisions to address enforcement where there is HIPAA non-compliance due to willful neglect;
  3. A final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which eliminates the breach notification rule’s “harm” threshold and supplants an interim final rule published on Aug. 24, 2009; and
  4. A final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on Oct. 7, 2009.

HHS estimates a total cost of compliance with the final omnibus rule’s provisions to be between $114 million and $225.4 million in the first year of implementation and approximately $14.5 million each year thereafter. Among the costs HHS associates with the final rule are: (i) costs to covered entities of revising and distributing new notices of privacy practices; (ii) costs to covered entities related to compliance with new breach notification requirements; (iii) costs to business associates to bring their subcontracts into compliance with business associate agreement requirements; and (iv) costs to business associates to come into full compliance with the Security Rule. HHS attributes between $43.6 million and $155 million of its first year estimates to business associate compliance efforts. It is predicted that the true compliance costs for both covered entities and business associates will be far in excess of these HHS estimates.

Some of the key provisions of the final omnibus rule include:

  • Expanded definition of “business associate.” The definition of “business associate” has been expanded to include subcontractors of business associates, any person who “creates, receives, maintains, or transmits” protected health information on behalf of a covered entity, and certain identified categories of data transmission services that require routine access to protected health information, among others. A covered entity is not required to enter into a business associate agreement with a business associate that is a subcontractor; that obligation flows down to the business associate, who is required to obtain the proper written agreement from its subcontractors.
  • Direct compliance obligations and liability of business associates. Business associates are now directly liable for compliance with many of the same standards and implementation specifications, and the same penalties now apply to business associates that apply to covered entities, under the Security Rule. Additionally, the rule requires business associates to comply with many of the same requirements, and applies the same penalties to business associates that apply to covered entities, under the Privacy Rule. Business associates must also obtain satisfactory assurances in the form of a business associate agreement from subcontractors that the subcontractors will safeguard any protected health information in their possession. Finally, business associates must furnish any information the Secretary requires to investigate whether the business associate is in compliance with the regulations.
  • Modified definition of “marketing.” The definition of “marketing” has been modified to encompass treatment and health care operations communications to individuals about health-related products or services if the covered entity receives financial remuneration in exchange for making the communication from or on behalf of the third party whose product or service is being described. A covered entity must obtain an individual’s written authorization prior to sending marketing communications to the individual.
  • Prohibition on sale of PHI without authorization. An individual’s authorization is required before a covered entity may disclose protected health information in exchange for remuneration (i.e., “sell” protected health information), even if the disclosure is for an otherwise permitted disclosure under the Privacy Rule. The final rule includes several exceptions to this authorization requirement.
  • Clear and conspicuous fundraising opt-outs. Covered entities are required to give individuals the opportunity to opt-out of receiving future fundraising communications. The final rule strengthens the opt-out by requiring that it be clear and conspicuous and that an individual’s choice to opt-out should be treated as a revocation of authorization. However, the final rule leaves the scope of the opt-out to the discretion of covered entities. In addition to demographic information, health insurance status, and dates of health care provided to the individual, the final rule also allows covered entities to use and disclose: department of service information, treating physician information, and outcome information for fundraising purposes. Covered entities are prohibited from conditioning treatment or payment on an individual’s choice with respect to the receipt of fundraising communications. In addition, the NPP must inform individuals that the covered entity may contact them to raise funds and that they have a right to opt-out of receiving such communications.
  • Right to electronic copy of PHI. If an individual requests an electronic copy of protected health information that is maintained electronically in one or more designated record sets, the covered entity must provide the individual with access to the electronic information in the electronic form and format requested by the individual, if it is readily producible, or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual.
  • Right to restrict disclosures to health plans. When an individual requests a restriction on disclosure of his or her protected health information, the covered entity must agree to the requested restriction (unless the disclosure is otherwise required by law), if the request for restriction is on disclosures to a health plan for the purpose of carrying out payment or health care operations and if the restriction applies to protected health information for which the health care provider has been paid out of pocket in full. Covered health care providers will need to employ some method to flag or make a notation in the record with respect to the protected health information that has been restricted to ensure that such information is not inadvertently sent to or made accessible to the health plan for payment or health care operations purposes, such as audits by the health plan.
  • GINA changes for some health plans. Health plans that are HIPAA covered entities, except issuers of long term care policies, are prohibited from using or disclosing an individual’s protected health information that is genetic information for underwriting purposes. The rule does not affect health plans that do not currently use or disclose protected health information for underwriting purposes.
  • Provision for compound authorizations for research. A covered entity may combine conditioned and unconditioned authorizations for research, provided that the authorization clearly differentiates between the conditioned and unconditioned research components, clearly allows the individual the option to opt in to the unconditioned research activities, and the research does not involve the use or disclosure of psychotherapy notes. For research that involves the use or disclosure of psychotherapy notes, an authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for a use or disclosure of psychotherapy notes.
  • Required changes to Notice of Privacy Practices (NPP). NPPs must be modified and distributed to individuals to advise them of the following: (1) for health plans that underwrite, the prohibition against health plans using or disclosing PHI that is genetic information about an individual for underwriting purposes; (2) the prohibition on the sale of protected health information without the express written authorization of the individual, as well as the other uses and disclosures for which the rule expressly requires the individual’s authorization (i.e., marketing and disclosure of psychotherapy notes, as appropriate); (3) the duty of a covered entity to notify affected individuals of a breach of unsecured protected health information; (4) for entities that have stated their intent to fundraise in their notice of privacy practices, the individual’s right to opt out of receiving fundraising communications from the covered entity; and (5) the right of the individual to restrict disclosures of protected health information to a health plan with respect to health care for which the individual has paid out of pocket in full.
  • Broader disclosure of decedents’ PHI. Covered entities are permitted to disclose a decedent’s protected health information to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity.
  • Disclosure of proof of immunizations to schools. A covered entity is permitted to disclose proof of immunization to a school where State or other law requires the school to have such information prior to admitting the student. While written authorization will no longer be required to permit this disclosure, covered entities will still be required to obtain agreement, which may be oral, from a parent, guardian or other person acting in loco parentis for the individual, or from the individual himself or herself, if the individual is an adult or emancipated minor.
  • Tiered and enhanced enforcement provisions. The final rule conforms the regulatory language of the rule to the enhanced enforcement provisions of the HITECH Act. Penalties for non-compliance are based on the level of culpability with a maximum penalty of $1.5 million for uncorrected willful neglect.

As detailed above, the changes announced by HHS expand many of the requirements to business associates and subcontractors. Fortunately, the final rule provides a slight reprieve in one respect. It allows covered entities and business associates up to one year after the 180-day compliance date to modify business associate agreements and contracts to come into compliance with the rule.

Perhaps the most highly anticipated change found in the final omnibus rule relates to what constitutes a “breach” under the Breach Notification Rule. The final rule added language to the definition of breach to clarify that an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity (or business associate) demonstrates that there is a low probability that the PHI has been compromised. Stated differently, the rule removes the subjective harm standard and modifies the risk assessment to focus instead on the risk that the PHI has been compromised. The final rule also identifies four objective factors covered entities and business associates are to consider when performing a risk assessment to determine if the protected health information has been compromised and breach notification is necessary: (1) the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the protected health information or to whom the disclosure was made; (3) whether the protected health information was actually acquired or viewed; and (4) the extent to which the risk to the protected health information has been mitigated.

The final omnibus rule does not address the accounting for disclosures requirements, which is the subject of a separate proposed rule published on May 31, 2011, or the penalty distribution methodology requirement, which HHS has stated will both be the subject of future rulemaking.

The Office of Civil Rights has characterized the new rules as “the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.” Leon Rodriguez, the Director of the Office of Civil Rights, stated, “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

The HIPAA final omnibus rule is scheduled to be published in the Federal Register on January 25, 2013 and will go into effect on March 26, 2013. Covered entities and business associates must comply with the applicable requirements of the final rule by September 23, 2013. Entities affected by this final rule are strongly urged to begin an analysis of their existing HIPAA compliance policies and procedures and take steps to comply with the final rule.

The HHS Press Release announcing the final rule is available at:
http://www.hhs.gov/news/press/2013pres/01/20130117b.html

The full text of the rule is currently available at:
https://www.federalregister.gov/articles/2013/01/25/2013-01073/modifications-to-the-hipaa-privacy-security-enforcement-and-breach-notification-rules

© 2013 Dinsmore & Shohl LLP

Brace for Impact – Final HITECH Rules Will Require Substantially More Breach Reporting

The National Law Review recently published an article, Brace for Impact – Final HITECH Rules Will Require Substantially More Breach Reporting, written by Elizabeth H. Johnson with Poyner Spruill LLP:

The U.S. Department of Health and Human Services (HHS) has finally issued its omnibus HITECH Rules.  Our firm will issue a comprehensive summary of the rules shortly (sign up here), but of immediate import is the change to the breach reporting harm threshold.  The modification will make it much more difficult for covered entities and business associates to justify a decision not to notify when an incident occurs.

Under the interim rule, which remains in effect until September 23, 2013, a breach must be reported if it “poses a significant risk of financial, reputational, or other harm to the individual.” The final rule, released yesterday, eliminates that threshold and instead states:

“[A]n acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E [the Privacy Rule] is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;

(iii) Whether the protected health information was actually acquired or viewed; and

(iv) The extent to which the risk to the protected health information has been mitigated.”
(Emphasis added).

In other words, if a use or disclosure of information is not permitted by the Privacy Rule (and is not subject to one of only three very narrow exceptions), that use or disclosure will be presumed to be a breach.  Breaches must be reported to affected individuals, HHS and, in some cases, the media.  To rebut the presumption that the incident constitutes a reportable breach, covered entities and business associates must conduct the above-described risk analysis and demonstrate that there is only a low probability the data will be compromised.  If the probability is higher, breach notification is required regardless of whether harm to the individuals affected is likely.  (Interestingly, this analysis means that if there is a low probability of compromise notice may not be required even if the potential harm is very high.)

What is the effect of this change?  First, many more breaches will be reported, resulting in even greater costs and churn than the already staggering figures published by Ponemon, which reports that 96% of health care entities have experienced a breach, with average annual costs of $6.5 billion since 2010.

Second, enforcement will increase.  Under the new rules, the agency is required (no discretion) to conduct compliance reviews when “a preliminary review of the facts” suggests a violation due to willful neglect.  Any reported breach that suggests willful neglect would then appear to require agency follow-up.  And the agency is of course free to investigate any breach reported to it.  HHS reports that it already receives an average of 19,000 notifications per year under the current, more favorable breach reporting requirements, so where will it find the time and money to engage in all these reviews?  Well, the agency’s increased fining authority, up to an annual maximum of $1.5 million per type of violation, ought to be some help.

Third, covered entities and business associates can expect to spend a lot of time performing risk analyses.  Every single incident that violates the Privacy Rule and does not fit into one of three narrow exceptions must be the subject of a risk analysis in order to defeat the presumption that it is a reportable breach.  The agency requires that those risk analyses be documented, and they must include at least the factors listed above.

So why did the agency change the reporting standard?  As it says in the rule issuance, “We recognize that some persons may have interpreted the risk of harm standard in the interim final rule as setting a much higher threshold for breach notification than we intended to set. As a result, we have clarified our position that breach notification is necessary in all situations except those in which the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised. . . .”

The agency may also have changed the standard because it was criticized for having initially included a harm threshold in the rule, with critics claiming that the HITECH Act did not provide the authority to insert such a standard.  Although the new standard does, in essence, permit covered entities and business associates to engage in a risk-based analysis to determine whether notice is required, the agency takes the position that the new standard is not a “harm threshold.”  As it puts it, “[W]e have removed the harm standard and modified the risk assessment to focus more objectively on the risk that the protected health information has been compromised.”  So, the agency got its way in that it will not have to receive notice of every single event that violates the Privacy Rule, and it has made a passable argument to satisfy critics that the “harm threshold” was removed.

The new rules are effective March 26, 2013 with a compliance deadline of September 23, 2013.  Until then, the current breach notification rule with its “significant risk of harm” threshold is in effect.  To prepare for compliance with this new rule, covered entities and business associates need to do the following:

  • Create a risk analysis procedure to facilitate the types of analyses HHS now requires and prepare to apply it in virtually every situation where a use or disclosure of PHI violates the Privacy Rule.
  • Revisit security incident response and breach notification procedures and modify them to adjust notification standards and the need to conduct the risk analysis.
  • Revisit contracts with business associates and subcontractors to ensure that they are reporting appropriate incidents (the definition of a “breach” has now changed and may no longer be correct in your contracts, among other things).
  • If you have not already, consider strong breach mitigation, cost coverage, and indemnification provisions in those contracts.
  • Revisit your data security and breach insurance policies to evaluate coverage, or lack thereof, if applicable.
  • Consider strengthening and reissuing training.  With every Privacy Rule violation now a potentially reportable breach, it’s more important than ever to avoid mistakes by your workforce.  And if they happen anyway, during a subsequent compliance review, it will be important to be able to show that your staff was appropriately trained.
  • Update your policies to address in full these new HIPAA rules.  The rules require it, and it will improve your compliance posture if HHS does conduct a review following a reported breach.

As noted above, our firm will issue a more comprehensive summary of these new HIPAA rules in coming days.

© 2013 Poyner Spruill LLP

Privacy of Mobile Applications

The National Law Review recently featured an article, Privacy of Mobile Applications, written by Cynthia J. Larose with Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.:


As we continue our “new year, new look” series into important privacy issues for 2013, we boldly predict:

Regulatory Scrutiny of Data Collection and Use Practices of Mobile Apps Will Increase in 2013

Mobile apps are becoming a ubiquitous part of the everyday technology experience.  But consumer apprehension about the data collection practices of mobile applications, and their effect on personal privacy, has been growing.  And as consumer apprehension grows, so does regulatory scrutiny.  In 2012, the Federal Trade Commission (FTC) offered guidance to mobile app developers to “get privacy right from the start.”  At the end of 2012, the California Attorney General’s office brought its first privacy complaint against Delta Airlines, Inc., alleging that Delta’s mobile app “Fly Delta” failed to have a conspicuously posted privacy policy in violation of California’s Online Privacy Protection Act.  And also in December, SpongeBob SquarePants found himself in the middle of a complaint filed at the FTC by a privacy advocacy group alleging that the mobile game SpongeBob Diner Dash collected personal information about children without obtaining parental consent.

In 2013, we expect to see new regulatory investigations into the privacy practices of mobile applications.  Delta was just one of 100 recipients of notices of non-compliance from the California AG’s office and the first to be the subject of a complaint.  Expect to see more of these filed early in this year as the AG’s office plows through responses from the lucky notice recipients.  Also, we can expect to hear more from the FTC on mobile app disclosure of data collection and use practices, and perhaps some enforcement actions against the most blatant offenders.

Recommendation for action in 2013:  Take a good look at your mobile app and its privacy policy.  If you have simply ported your website privacy policy over to your mobile app, take another look.  How is the policy displayed to the end user?  How does the user “accept” its terms?  Is this consistent with existing law, such as California’s, and does it follow the FTC guidelines?

©1994-2013 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.