Privacy & Security
The California Consumer Privacy Act (CCPA) has been the first step away from the sectoral approach that United States’ privacy laws have followed for many years. While it is set to take effect on January 1, 2020—only recently was the first draft guidance published. Set forth by California’s Attorney General, Xavier Becerra, it states how the CCPA will be enforced. As is standard in notice and rulemaking standard in administrative law, a public consultation period is now in effect and will remain open for comments and hearings until December 6, 2019.
Despite industry groups’ and tech companies’ numerous efforts over the past few months to water down and ultimately halt the first-ever U.S. data privacy law, the California Consumer Privacy Act of 2018 (“CCPA” or “the Act”), the CCPA now has its final language set on September 13, 2019, the end of California’s legislative calendar, and will go into effect on January 1, 2020. The goal is to give California residents control of their personal information collected and processed by companies.
The Health Insurance Portability and Accountability Act (HIPAA) and the Patient Protection and Affordable Care Act (ACA) jointly create national standards for electronic transactions, code sets, and unique identifiers. The ACA introduced Administrative Simplification provisions in 2010 and now the Centers for Medicaid and Medicare Services (CMS) has launched a Compliance Review Program to ensure that HIPAA covered entities are abiding by the Administrative Simplification rules.
Despite all preventive measures that hospitals and health care systems put in place to stop data breaches from occurring, employees at these entities still have unsecured and un-encrypted laptops, which are susceptible to cybersecurity attacks. A report from a cybersecurity protection organization stated that a majority of high-risk scenarios that occur in health care entities were due to unsecure laptops. These unsecured laptops can lead to massive data breaches and can result in hefty fines imposed by the Office of Civil Rights. Proper encryption, tracking software, and rarely leaving laptops unattended are a few ways that employees and organizations can help safeguard protected health information and prevent data breaches.
The Children’s Online Privacy Protection Act (“COPPA”) prohibits unfair or deceptive collection, use, and disclosure of the personal information of children on the internet. COPPA covers both website operators and app developers, and prevents collection of personal information without verified, written consent of parents. On February 27, 2019, the Federal Trade Commission (“FTC”) filed a complaint in U.S. District Court against TikTok, previously known as Music.ly. The complaint alleged that Music.ly knowingly violated COPPA when it collected data from children without written consent of parents. Music.ly settled for $5,700,000.00, the largest civil penalty obtained by the FTC for violations of COPPA.
On March 12, 2019, the Department of Justice (“DOJ”) announced revisions of the Corporate Enforcement Policy in the Foreign Corrupt Practices Act. The changes now require company oversight of ephemeral messaging apps used by any employee, stock holder, or agent who discusses business records via the messaging platform. Publicly traded companies must now establish internal compliance policies to review use of ephemeral messaging services, provide ongoing oversight of the messaging services, and may want to completely prohibit the use of such messaging apps for business purposes.
Cook County General Administrative Order 18-1 pertains to the Standard HIPAA Qualified Protective Orders (QPO) that will be permitted in Cook County. These orders will only be allowed for cases that are in litigation where the Plaintiff and Plaintiff’s counsel authorize disclosure of a litigants’ protected health information (PHI). It also requires all entities who received PHI to either return the documents to the Plaintiff or destroy them at the end of the case. These changes mean that Plaintiff’s attorneys will see a change in the handling of Plaintiff’s medical records and other documents covered under the QPO containing PHI.
The Federal Trade Commission (“FTC”) recently proposed two amendments to the Privacy Rule and Safeguards Rule under the Gramm-Leach-Bliley Act (“GLBA”). The Safeguards Rule requires financial institutions to develop, implement, and maintain a comprehensive information security system. This rule went into effect in 2003. The Privacy Rule requires financial institutions to inform customers about its information-sharing practices and allows customers to opt out of having their information shared with certain third parties. This rule went into effect in 2000. The recent amendments to these two rules are intended to further protect consumers’ data from third parties. However, the changes could also adversely affect businesses.
On March 1, 2019, the College of Healthcare Information Management Executives (“CHIME”) sent a six-page letter to Congress which discussed how technology has impacted health care costs. CHIME believes that too much money is being allocated towards making sure that health care organizations are complying with the Office of Civil Rights (“OCR”) and the Department of Health and Human Services (“HHS”) requirements, while not enough resources are being given towards actually protecting against cybersecurity attacks. The letter contains multiple suggestions in which patient data could be better protected, such as incentivizing health care organizations to implement more cybersecurity safety measures. However, many of CHIME’s proposals would require Congress to amend multiple provisions in acts, such as the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”).
In 2014, Congress passed the Sunscreen Innovation Act in the hopes of encouraging innovation for new sunscreen ingredients. Recently, the United States Food and Drug Administration (FDA) proposed new regulations regarding over-the-counter sunscreens to keep up with recent scientific and safety information. This proposal will be available for ninety days from its announcement on February 21, 2019, and addresses safety concerns of common sunscreen ingredients. Further, the proposal addresses the labeling of sunscreen, trying to make it easier for consumers to identify the product information. While this proposal seeks to alleviate safety concerns, the regulation could potentially make it more difficult for new ingredients to be approved.