ISBA Privacy CLE: “Special Areas” - HIPAA, COPPA & State Laws
HIPAA: Privacy
Health Information Privacy
• Protection against the disclosure of Personally Identifiable Health Information
  • demographic information
  • individual physical or mental health
  • provision of or payment for health care
• Transmitted or maintained in any form or medium by a Covered Entity or its Business Associate (45 CFR § 160.103)
• “Covered Entities” = any entity that bills electronically or stores electronic medical records
HIPAA: Rules
Three Key Concepts
1. The Privacy Rule:
– Federal standards to protect medical records & health information
– Provide patients with access to medical records & control over disclosure
2. The Security Rule:
– Standards to protect creation, receipt, use, or maintenance
– Requires appropriate administrative, physical and technical safeguards
– 45 CFR Part 160 and Subparts A and C of Part 164
3. Breach Notification Rule:
– Requires HIPAA covered entities and their business associates to provide notification following a breach
– 45 CFR §§ 164.400-414
HIPAA: Risk Areas
Where It Arises (Need a Business Associate Agreement)
1. IT
2. Lawyer
3. Accountant
4. PR
5. Auditor
6. Marketing/Social Media
7. Photocopier/Fax Repair person
HIPAA: Common Vulnerabilities
– Paper files
– Flash drives
– Laptops
– Social media
– EHR
– Safeguards not in place (white boards, conversation where others can hear)
– Who owns devices?
– Encrypted information
– Remote wipe of devices
– Training
COPPA Pt. 1
What it Is:
– Enacted October 1998
– Applies to web sites that target / collect information from a child
What it Requires:
– Privacy Policy that 1) explains what info is collected, 2) by whom, 3) the intended use, 4) third parties who might access, and 5) how to access or delete
– VERIFIABLE PARENTAL CONSENT before collecting info, and delete all info previously collected
– Initial "opt-in" with a continuing "opt-out"
– Sites prohibited from extracting extra information from children as a prerequisite for participation
– Requires “reasonable procedures” to protect confidentiality, security and integrity of information obtained
COPPA Pt. 2
Common Pitfalls:
– FTC particularly concerned about mobile apps
– Apps automatically collect & disclose a broad range of info: geolocation, phone numbers, contacts and unique device identifiers
– REPORT: Most apps failed to adequately disclose data practices on store pages and the landing page of their websites prior to download
Enforcement Highlights:
– United States v. W3 Innovations, LLC - 1st COPPA enforcement action: $50,000 and a 6 year record-keeping obligation
Practice Guidelines:
– FTC did NOT approve proposed device-signed form as a method to obtain verifiable parental consent, consisting of a multi-step method requiring entry of a code sent by text message to a mobile device
State Legislative Response
California: “Do Not Track” law effective January 1, 2014
• Who: Any operator of a website, online service, or mobile app
• How: If personally identifiable info about CA residents is collected
• What: Must include do-not-track disclosures in its privacy policy
• Implications: Applies to ANY online business
State Legislative Response
California: S.B. 568 enacts two new statutes under the title “Privacy Rights for California Minors in the Digital World.”
• Business & Professions Code section 22580 prohibits advertising certain products to minors online
• Business & Professions Code section 22581 requires businesses to provide an online “eraser button” for remorseful minors
• Implications: Applies to ANY online business
Privacy In Pleadings
Use Of Fictitious Name Under 735 ILCS 5/2-401(e)
• Why? Anonymous Plaintiff
• How? (Include reasons in the initial Pleadings)
– Under Seal? NO. After the fact, courts balance Free Speech & Public Right of Access. Skolnick v. Altheimer & Gray, 191 Ill.2d 214 (2000)
– Fictitious Name: “Upon application and for good cause shown, the parties may appear under fictitious names.” 735 ILCS 5/2-401(e)
– Party seeking to use a pseudonym MUST show a privacy interest that outweighs the public's interest in open judicial proceedings. Doe v. Doe, 282 Ill.App.3d 1078, 1088 (1st Dist. 1996)
– Privacy interest must be exceptional (matters of a highly personal nature, e.g. abortion, adoption, sexual orientation, religion, privacy of children, rape victims, particularly vulnerable parties or witnesses). A.P. v. M.E.E., 345 Ill.App.3d 989, 1003 (1st Dist. 2004)
– Damage to defendant's family's reputation or defendant's own reputation in alleged sexual molestation of a minor is NOT sufficient good cause. Doe, 282 Ill.App.3d at 1082
Best Practices
1. Review collection practices
2. Review marketing partners
3. Privacy Policy Tune-up | DNT, Online Eraser
4. Put systems in place
5. Data, Collection, Storage, Use, Sharing
Thank You! David M. Adler
Adler Law Group - Safeguarding Ideas, Relationships & Talent®
Tel.: 866.734.2568
Web: www.adler-law.com
Email: [email protected]
adlerlaw.wordpress.com
Twitter: @adlerlaw