
Page 1: ISBA Privacy CLE: “Special Areas” - HIPAA, COPPA & State Laws

Page 2: HIPAA: Privacy

Health Information Privacy
• Protection against the disclosure of Personally Identifiable Health Information:
  • demographic information
  • individual physical or mental health
  • provision of or payment for health care
  • transmitted or maintained in any form or medium by a Covered Entity or its Business Associate (45 CFR § 160.103)
• “Covered Entities” = any entity that bills electronically or stores electronic medical records

Page 3: HIPAA: Rules

Three Key Concepts
1. The Privacy Rule:
  – Federal standards to protect medical records & health information
  – Provide patients with access to medical records & control over disclosure
2. The Security Rule:
  – Standards to protect the creation, receipt, use, or maintenance of health information
  – Requires appropriate administrative, physical and technical safeguards
  – 45 CFR Part 160 and Subparts A and C of Part 164
3. Breach Notification Rule:
  – Requires HIPAA covered entities and their business associates to provide notification following a breach
  – 45 CFR §§ 164.400-414

Page 4: HIPAA: Risk Areas

Where It Arises (Need a Business Associate Agreement):
1. IT
2. Lawyer
3. Accountant
4. PR
5. Auditor
6. Marketing/Social Media
7. Photocopier/Fax Repair person

Page 5: HIPAA: Common Vulnerabilities

– Paper files
– Flash drives
– Laptops
– Social media
– EHR
– Safeguards not in place (white boards, conversations where others can hear)
– Who owns devices?
– Encrypted information
– Remote wipe of devices
– Training

Page 6: COPPA Pt. 1

What It Is:
– Enacted October 1998; applies to web sites that target or collect information from a child

What It Requires:
– Privacy Policy that 1) explains what info is collected, 2) by whom, 3) the intended use, 4) third parties who might access it, and 5) how to access or delete it
– VERIFIABLE PARENTAL CONSENT before collecting info, and deletion of all info previously collected
– Initial "opt-in" with a continuing "opt-out"
– Sites prohibited from extracting extra information from children as a prerequisite for participation
– Requires “reasonable procedures” to protect the confidentiality, security and integrity of information obtained

Page 7: COPPA Pt. 2

Common Pitfalls:
– FTC particularly concerned about mobile apps
– Apps automatically collect & disclose a broad range of info: geolocation, phone numbers, contacts and unique device identifiers
– REPORT: Most apps failed to adequately disclose data practices on store pages and the landing page of their websites prior to download

Enforcement Highlights:
– United States v. W3 Innovations, LLC - 1st COPPA enforcement action: $50,000 and a 6-year record-keeping obligation

Practice Guidelines:
– FTC did NOT approve a proposed device-signed form as a method to obtain verifiable parental consent, consisting of a multi-step method requiring entry of a code sent by text message to a mobile device

Page 8: State Legislative Response

California: “Do Not Track” law effective January 1, 2014

• Who: Any operator of a website, online service, or mobile app

• How: If personally-identifiable info about CA residents is collected

• What: Must include do-not-track disclosures in its privacy policy

• Implications: Applies to ANY online business

Page 9: State Legislative Response

California: S.B. 568 enacts two new statutes under the title “Privacy Rights for California Minors in the Digital World.”

• Business & Professions Code section 22580 prohibits advertising certain products to minors online

• Business & Professions Code section 22581 requires businesses to provide an online “eraser button” for remorseful minors

• Implications: Applies to ANY online business

Page 10: Privacy In Pleadings

Use Of Fictitious Name Under 735 ILCS 5/2-401(e)

• Why? Anonymous Plaintiff
• How? (Include reasons in the initial Pleadings)

– Under Seal? NO. After the Fact = Courts balance Free Speech & Public Right of Access. Skolnick v. Altheimer & Gray, 191 Ill.2d 214 (2000)

– Fictitious Name - “Upon application and for good cause shown, the parties may appear under fictitious names.” 735 ILCS 5/2-401(e)

– Party seeking to use a pseudonym MUST show a privacy interest that outweighs the public's interest in open judicial proceedings. Doe v. Doe, 282 Ill.App.3d 1078, 1088 (1st Dist. 1996)

– Privacy interest must be exceptional (matters of a highly personal nature, e.g. abortion, adoption, sexual orientation, religion, privacy of children, rape victims, particularly vulnerable parties or witnesses). A.P. v. M.E.E., 345 Ill.App.3d 989, 1003 (1st Dist. 2004)

– Damage to defendant's family's reputation or defendant's own reputation in alleged sexual molestation of a minor NOT sufficient good cause. Doe, 282 Ill.App.3d at 1082

Pages 11-15: Best Practices

1. Review collection practices
2. Review marketing partners
3. Privacy Policy Tune-up | DNT, Online Eraser
4. Put systems in place
5. Data: Collection, Storage, Use, Sharing

Page 16: Thank You!

David M. Adler
Adler Law Group - Safeguarding Ideas, Relationships & Talent®
Tel.: 866.734.2568
Web: www.adler-law.com
Email: [email protected]
Blog: adlerlaw.wordpress.com
Twitter: @adlerlaw