Crowell & Moring

HHS proposes new substance abuse information confidentiality rules; HHS releases PHI disclosure fact sheets; U.S.-EU Safe Harbor replacement announced; OCR levies civil monetary penalties; and FTC settles charges with technology company for installing apps without consent.

HHS Proposes Update to Substance Abuse Confidentiality Rules

The U.S. Department of Health and Human Services (“HHS”) announced a proposed rule to modernize the federal substance abuse confidentiality rules (42 C.F.R. Part 2), which were last substantively updated in 1987. The proposed updates are intended to help health care providers improve integrated care efforts in the electronic environment. For further information, see our C&M Health Law blog post on the topic.

HHS Releases PHI Disclosure Fact Sheets

In order to clear up misconceptions about Health Insurance Portability and Accountability Act (“HIPAA”) limitations on disclosing Protected Health Information (“PHI”), HHS Office of the National Coordinator for Health Information Technology (“ONC”) released two new fact sheets providing guidance regarding common situations.

Both fact sheets provide common data exchange scenarios, briefly describe the HIPAA rules that govern the transfers, and if/when the safeguarding responsibility transfers. The first fact sheet addresses the permitted exchange of information for health care operations. The examples given include hospitals or providers exchanging information directly with each other, health care providers exchanging information with care planners, and inpatient facilities sending information to rehab facilities. The second fact sheet addresses the permitted exchange of information for treatment. The examples given include the exchange of information for case management by a payer, the exchange of quality assessment or quality improvement, and quality improvement among several covered entities for population health. The fact sheets are a useful desktop reference tool to help covered entities and business associates discern when PHI may be exchanged without further patient consent.

EU-U.S. Privacy Shield Announced as U.S.-EU Safe Harbor Replacement

The U.S. Department of Commerce and European Commission announced a political agreement on the data transfer mechanism that will replace the U.S.-EU Safe Harbor. The new program, called the EU-U.S. Privacy Shield, is expected to be operational within the next three months. For further details, see our Client Alert on the new Privacy Shield and our Client Alert on the European regulators’ initial reaction to the new agreement and their enforcement plans during the interim.

For further information about how the European Union Member State data protection authorities are handling enforcement related to the use of the invalidated U.S.-EU Safe Harbor framework, see our previous blog post.

OCR Levies Civil Money Penalties in HIPAA Privacy Rule Case

The HHS Office of Civil Rights (“OCR”), for only the second time in its HIPAA Privacy Rule enforcement history, has sought civil money penalties (“CMP”) for Privacy Rule violations. The enforcement action results from an investigation OCR initiated after receiving a complaint that a Lincare, Inc. employee abandoned documents containing the PHI of 278 patients. An HHS Administrative Law Judge agreed that OCR’s $239,800 fine was justified based on Lincare’s PHI disclosures, inadequate policies and procedures to safeguard patient data, and inadequate response to the OCR investigation. For more information about the case, see our previous blog post.

FTC Charges Vulcun with Installing Apps on Mobile Devices Without Permission

The technology company Vulcun has agreed to settle Federal Trade Commission (“FTC”) charges the agency levied against it after consumers complained about the company installing apps on their Android devices without their permission. Vulcun acquired a popular Google Chrome browser extension game, Running Fred, and unilaterally replaced it on consumers’ systems with Vulcun’s own extension, which reportedly opened advertisements on consumers’ browsers and downloaded apps without their consent (even re-installing the apps after consumers deleted them). Vulcun also allegedly misrepresented its product when stating that it was named a hot app by media sources (which was not the case) and had thousands of positive reviews (when in fact those reviews belonged to the acquired and unrelated game, Running Fred).

The FTC charged the company with unfair and deceptive trade practices because the extension takeover and changes left consumers vulnerable to privacy violations from apps that were downloaded without notice or consent, which potentially left the consumers’ personal data on their mobile devices open to access by the new third party apps.

FTC settlements, including the Vulcun consent order terms, provide insight into FTC enforcement priorities with regard to privacy and cybersecurity and create a de facto set of best practices that other companies should follow. Consent order violations may result in a civil penalty of up to $16,000 per violation. Here, the terms of the Vulcun settlement require Vulcun to (1) tell consumers about the types of information a product or service will access and how it will be used; (2) display any built-in permissions notice associated with installing the product or service; and (3) obtain affirmative consent before installation or material changes to a product or service. The settlement prohibits Vulcun from misrepresenting (1) whether products have been endorsed by third parties or been covered by the media; (2) how personal information is collected or used; (3) the level of control consumers have over collection/use/sharing of their data; and (4) the extent to which Vulcun maintains the privacy or security of consumer information.