The European Commission’s proposed changes to the current legal framework on data protection will soon be adopted and will impact on EU and non-EU businesses alike.
As we enter into the new year, the health industry continues to see expanded access to telehealth services. After a whirlwind 2015 in which we saw over 200 telehealth-related bills introduced in 42 states, New York and Connecticut emerge as the first states in 2016 to implement laws that expand patients’ access to telehealth services.
Effective January 1, 2016, three new laws will greatly expand telehealth services across the state of New York. The first law, A.2552-A, amends section 2999-cc of the New York Public Health Law regarding coverage of telehealth services by insurers, including Medicaid, and with respect to telehealth-related definitions. As defined in the New York Public Health Law, telehealth is “the use of electronic information and communication technologies by telehealth providers to deliver health care services, which include assessment, diagnosis, consultation, treatment, education, care management and/or self-management of a patient.” Among other things, A.2552-A provides that health care services delivered by means of telehealth will be entitled to reimbursement under New York’s Medicaid program, and private insurers may not exclude from coverage a service that is otherwise covered under a patient’s insurance policy because the service is delivered via telehealth. Under this law, reimbursement for telehealth services is contingent upon services being delivered by a telehealth provider when the patient is located at an approved originating site. The second law, A.7488, amends 2999-cc of the Public Health Law, by adding physical therapist and occupational therapist to the list of telehealth providers that are able to provide telehealth services. Lastly, the third law, A.7369, amends section 2999-cc, by including a dentist office as an “originating site” for the delivery of telehealth services.
Connecticut, like New York, started off 2016 with continued efforts to promote telehealth services. Connecticut’s existing telehealth law, which became effective in October 2015, broadly defines “telehealth” as “the mode of delivering health care or other health services via information and communication technologies to facilitate the diagnosis, consultation and treatment, education, care management and self-management of a patient’s physical and mental health, and includes (A) interaction between the patient at the originating site and the telehealth provider at a distant site, and (B) synchronous interactions, asynchronous store and forward transfers or remote patient monitoring.” Under the new Connecticut law, CT Public Act No. 15-88, effective January 1, 2016, commercial insurers must cover telehealth services in the same manner that they cover in-person visits and telehealth coverage must be subject to the same terms and conditions that apply to all other benefits under a patient’s insurance policy.
As the importance of improving access to care and care coordination and identifying cost savings in the delivery of health care services increases, states should continue to steadily expand efforts to allow health care services via telehealth. While many states have made strides to expand the use of telehealth services, many more have not taken steps to require reimbursement by Medicaid programs or private insurers. At the same time, the multi-state licensure compact developed by [...]
Remember KITT? KITT (the Knight Industries Two Thousand) was the self-directed, self-driving, supercomputer hero of the popular 1980s television show Knight Rider. Knight Rider was a science fiction fantasy profiling the “car of the future.” The self-directed car is science fiction no more. The future is now and, in fact, we’ve seen a lot of press this year about self-driving or driverless cars.
Driverless cars, equipped with a wide variety of connected systems including cameras, radar, sonar and LiDar (light detection and ranging), are expected on the road within the next few years. They can sense road conditions, identify hazards and negotiate traffic, all from a remote command center. Just as with most connected devices in the age of the Internet of Things (IoT), these ultra-connected devices claim to improve efficiency and performance, and enhance safety.
Though not quite driverless yet, connected vehicles are already on the market and on the road. Like many IoT “things”, ultra-connected vehicle systems may be vulnerable to hacker attacks.
Christopher Valasek and Charlie Miller, two computer security industry leaders, have presented on this topic at various events, including the 2014 Black Hat USA security conference. They analyzed the information security vulnerabilities of various car makes and models, rating the vehicles on three specific criteria: (1) the area of their wireless “attack surface” (i.e., how many data-incorporating features, such as Bluetooth, Wi-Fi, keyless entry systems and automated tire monitoring systems, the vehicle has); (2) access to the vehicle’s network through those data points; and (3) the vehicle’s “cyberphysical” features (i.e., connected features such as parking assist, automated braking and other technological driving aids). This last category of features, combined with access through the data points outlined in items (1) and (2), presented a composite risk profile of each vehicle make’s hackability. Their conclusions were startling: radios, brakes and steering systems were all found to be accessible.
Miller and Valasek claim that their intent was to encourage car manufacturers to consider security in vehicle system connectivity and cyberphysical attributes. They approached vehicle manufacturers and shared their report with the Department of Transportation and the Society of Automotive Engineers. Some manufacturers promised to investigate their vehicle systems and correct the deficiencies. Some seemingly ignored the report altogether. The findings did, however, catch the attention of Senators Ed Markey (D-MA) and Richard Blumenthal (D-CT). On July 21, 2015, Senators Markey and Blumenthal introduced legislation that would direct the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal standards to secure vehicles and protect drivers’ privacy. The Security and Privacy in Your Car Act, aptly coined “the SPY Car Act”, would also require manufacturers to establish a ‘cyber dashboard’ that rates vehicle security, informing consumers as to the security performance of their vehicle.
As proposed, the SPY Car Act would require that all motor vehicles manufactured in the U.S. be “equipped with reasonable measures to protect against hacking attacks.” All “entry points” are to be protected through “reasonable” measures against hacking. Internal networks are to [...]
Is a social media promotion part of your organization’s branding plans? Please join Julia Jacobson (McDermott partner and Of Digital Interest editor) and her co-panelists next Tuesday, July 28, 2015, at 2:00 pm for “Sweeps, Contests & Games in Social Media”. The webinar, the second in a three-part series hosted by the Brand Activation Association (a division of the Association of National Advertisers (ANA)) will explore endorsement, intellectual property and privacy legal issues, as well as the practical aspects of balancing brand wants with compliance needs and participation verification and fulfillment.
With no Congressional consensus to adopt a federal data privacy and breach notification statute, states are updating and refining their already-existing laws to enact more stringent requirements for companies. Two states recently passed updated data privacy laws with significant changes.
Rhode Island
The Rhode Island Identity Theft Protection Act (Rhode Island Data Law), an update to Rhode Island’s already-existing data security and breach notification law, introduces several new requirements for companies that store, collect, process, use or license personal identifying information (PII) about Rhode Island residents.
A few of these provisions are particularly noteworthy. First, the new law requires entities to “implement and maintain a risk-based information security program which contains reasonable security procedures and practices,” scaled to the size of the entity and the type of personal information in its possession. Second, the Rhode Island Data Law requires that any entity that discloses PII to a third party have a written contract with the third party pursuant to which the third party will also implement and maintain an information security program to protect the personal information. Third, the Rhode Island Data Law requires any entity that experiences a data breach of personal information to notify affected residents within 45 calendar days after it knows that a breach has occurred. (Rhode Island also required this under its previous law, but there was no precise time frame.) Among other information, the notification must now contain information about data protection services to be offered to the resident, as well as information about how the resident can request a security credit freeze.
Under both the old and new laws, a health care provider, insurer or covered entity that follows the medical privacy and security rules established by the federal government pursuant to the Health Insurance Portability and Accountability Act (HIPAA) is deemed compliant with the law’s requirements. The Rhode Island Data Law will become effective June 26, 2016.
Connecticut
The Connecticut Act Improving Data Security and Effectiveness (Connecticut Data Law) similarly updates Connecticut’s existing law and introduces more stringent requirements for entities that store, collect, process, use or license PII about Connecticut residents.
Perhaps most noteworthy, the Connecticut Data Law puts in place important new requirements about notification following a data breach. Unlike the older Connecticut breach notification law, the Connecticut Data Law now requires an entity to notify affected individuals of a data breach within a set time period of 90 days. In addition, if the breach involves disclosure of Social Security numbers, the entity must also provide free credit monitoring services to individuals for one year. Many companies provide credit monitoring at no cost to their customers affected by a data breach voluntarily. However, laws like Connecticut’s make credit monitoring a mandatory part of any company’s response.
Additionally, the Connecticut Data Law imposes significant new requirements on insurers and state contractors that handle PII. Health insurers are required to develop and follow a written data security program, and to certify annually to [...]
McDermott partners Heather Egan Sussman and Jennifer Geetter are scheduled to speak at the upcoming Privacy + Security Forum in Washington, D.C. on October 21–23, 2015. The Forum is an exciting new annual event, organized by Professors Daniel Solove and Paul Schwartz, that will bring together many of the biggest names in privacy and security to (1) break down the silos between privacy and security; and (2) bring more rigor to conferences so that participants gain useful practical knowledge. Ms. Sussman and Ms. Geetter have been invited to share their knowledge and experience in helping multi-national companies build highly successful and functional privacy and security programs.
Held in Washington, D.C., the Forum’s pre-conference workshops are on Wednesday, October 21, and the conference runs from Thursday, October 22 to Friday, October 23. There are now 100+ confirmed speakers, with more to be announced soon.
Want to attend? Contact Ms. Sussman or Ms. Geetter to receive the McDermott discount: 25 percent off the registration fee.
On June 30, 2015, the Federal Trade Commission (FTC) published “Start with Security: A Guide for Businesses” (the Guide).
The Guide is based on 10 “lessons learned” from the FTC’s more than 50 data-security settlements. For each of the 10 lessons, the FTC discusses a specific settlement that illustrates it.
The FTC also offers an online tutorial titled “Protecting Personal Information.”
We expect that the 10 lessons in the Guide will become the FTC’s road map for handling future enforcement actions, making the Guide required reading for any business that processes personal information.
Just prior to recessing for the summer, the Canadian government enacted the Digital Privacy Act. It includes a number of targeted amendments to strengthen existing provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA), but falls short of providing the Privacy Commissioner of Canada (Commissioner) with direct enforcement powers, as some stakeholders—including the former Commissioner—had proposed.
The Digital Privacy Act was introduced in April 2014 as part of the government’s “Digital Canada 150” strategy. While it was touted as providing new protections for Canadians when they surf the web and shop online, there is nothing that is particularly “digital” about the bill, which will equally affect the bricks and mortar, paper-based world.
Of particular note, the Digital Privacy Act creates a duty to report data breaches to both the Privacy Commissioner and to affected individuals “where it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.” Failure to report data breaches in the prescribed manner could result in fines of up to $100,000 for non-compliant organizations. While the majority of the new law is currently in force, the provisions relating to breach notification have yet to be proclaimed in force by the government.
Once in force, the mandatory breach-reporting regime will bring the federal law into alignment with many international laws, as well as with Alberta’s own Personal Information Protection Act, which has had a breach notification provision since 2009. However, unlike the Alberta law, the Digital Privacy Act would also require organizations to maintain records of all data breaches involving personal information under their control—even if they do not require reporting to the Commissioner or to affected individuals—and to provide these records to the Commissioner on request. Failure to comply with these requirements could also result in a fine of up to $100,000.
The law also creates an explicit authority to enable the federal Privacy Commissioner to enter into a compliance agreement with an organization, where the Commissioner believes on reasonable grounds that the organization has, or is about to, contravene the Act. If such an agreement is later contravened, the Commissioner will be able to apply to the Federal Court of Canada for a remedial order, even if the original limitation period for such an application has lapsed. The law also extends the limitation period for an application to the Federal Court for damages or injunctive relief to one year after the Commissioner issues a report of findings or otherwise discontinues an investigation. Previously, such applications had to be brought by either the Commissioner or a complainant within 45 days of a report of findings or discontinuation.
The Digital Privacy Act also imposes new requirements on the form of consent that the Act requires from individuals respecting the handling of their personal information. Going forward, any consent will be valid only if an individual to whom an organization’s activities are directed would understand the nature, purpose and consequences of the collection, use and disclosure of [...]
The mission of the French data protection authority—the Commission Nationale Informatique et Libertés (CNIL)—is “to protect personal data, support innovation, [and] preserve individual liberties.”
In addition to its general inspections, every year the CNIL establishes a different targeted-inspection program. This program identifies the specific areas that CNIL’s controls will concentrate on for the following year. The 2014 inspection program was focused on everyday life devices, such as online payment, online tax payment and dating websites, among other things.
On May 25, 2015, the CNIL announced its 2015 inspection program and identified a focus on six issues in particular: contactless payment, Driving Licenses National File (Le Fichier National des Permis de Conduire), the “well-being and health” connected devices, monitoring tools used for attendance in public places, the treatment of personal data during evaluation of psychosocial risks and the Binding Corporate Rules.
The last two issues caught our attention:
In addition to focusing its 2015 inspection program on BCR compliance, the CNIL also announced, earlier this year, the simplification of intra-group data transfers. Prior to simplification, companies whose BCRs had been approved by the CNIL were also required to obtain the CNIL’s approval for each new type of transfer. The CNIL has since declared that a new, personalized “single decision” will be given to companies with approved BCRs. In return, the companies must keep an internal record of all transfers detailing certain information (the general purpose of each transfer based on the BCR; the category of data subjects concerned by the transfer; the categories of personal data transferred; and information on each data recipient) in accordance with the terms of the single decision issued.
With respect to its targeted inspection program, the question still remains: How many inspections will the CNIL conduct in 2015? In 2014, the CNIL performed a total number of 421 inspections. The CNIL declares that, in 2015, the objective is to achieve 550 inspections. However, only 28 percent of the CNIL’s inspections typically result from the annual inspection program. Forty percent are initiated by the [...]