New Indian Privacy Law Impacts U.S. Companies

In the United States, India is synonymous with outsourced data processing services and customer service call centers for credit card issuers, banks and retailers.  The flow of data between the two countries has been unrestricted and, to a large extent, unregulated.  That has now changed.

In April 2011, India adopted new privacy regulations known as the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.  These rules apply to all organizations that collect and use personal data and information in India and are likely to affect any corporation that outsources to India or collects personal information there in its business.

One of the more important provisions relating to foreign companies is that no organization inside India may transfer sensitive personal data to a third party outside of India unless the transferee ensures the same level of protection that is required by the Indian Rules.  Sensitive personal data is defined as financial information; passwords; physical, physiological, and mental health condition; sexual orientation; medical records and history; and biometric information. 

Therefore, online retailers and other American companies that routinely receive such information from organizations inside India will need to meet Indian privacy standards in order to continue receiving the information.  In addition, because these rules appear to apply even to information gathered about non-Indians, companies which outsource sensitive personal data collection to India will need to ensure that they meet the standards required by these new Indian Rules. 

Because the Indian Rules are in some ways more strict than American and European privacy law, companies doing business in India may need to update their privacy practices in order to comply.  For example, companies that outsource their customer service to India might need to change their practices to explicitly notify callers that their information is being collected and explain why it is being collected.  Additionally, companies that collect information labeled sensitive under Indian law may also need the callers’ consent via mail, fax, or e-mail before collecting any such information. 

Since overseas companies that collect personal information in India may need to update their practices to comply with Indian law, a summary of the new Indian Rules can be found below.  The Rules place some obligations on all information collectors and stricter ones on sensitive information collectors. 

General Obligations

  • Privacy Policy.  Any organization covered by the rule must enact a privacy policy and make it available on its website.  This policy must include a description of the information that is collected, the purpose of collection, to whom the information may be disclosed, and security practices for protecting the information. 
  • Notice and Use.  Organizations must take reasonable steps to ensure that information providers (consumers) know that their information is being collected, the purpose of collection, the recipients of the information, and the name and address of the agencies collecting and retaining the information.  Organizations may only use personal information for the purpose for which it was collected. 
  • Access and Correction.  Information providers must be given the opportunity to have access to their information to review it for accuracy.  Organizations must correct any information found to be inaccurate. 
  • Security.  Organizations are strongly encouraged to have a comprehensive documented information security program and policies that contain managerial, technical, operational, and physical control measures commensurate with the information assets and nature of the business.  In order to escape liability in the event of a breach, the organization must demonstrate that (i) it implemented its security control measures as they are set out in the documentation and (ii) those measures were reasonable security practices.  If an organization has implemented an approved industry code of practice and its compliance has been audited, it is deemed to have complied. 

Specific Obligations for Sensitive Personal Data

  • Limitations on Acquiring Information.  An organization may only collect sensitive personal data from a person if it is necessary in order to provide the person with goods or services.  In addition, the organization must receive written consent from the provider by letter, fax, or e-mail, regarding the purpose of use, and the provider may opt out and withdraw consent at any time.  However, if the information provider opts out, the organization may also cease providing goods and services.  The organization may not retain the information longer than necessary. 
  • Transferring Information.  Unless disclosure has been agreed to by contract or is required by law, organizations need to obtain prior consent of the provider before transferring sensitive personal data to a third party.  Also, no transfer of information may be made overseas unless the overseas party ensures the same level of protection provided for under the Indian Rules.

HHS to Propose New Privacy Standards for Human Research Subjects

The Department of Health and Human Services (HHS) issued an Advance Notice of Proposed Rulemaking (ANPRM) on July 22, 2011, to enhance protections for medical research subjects, including standards around privacy and data security. The ANPRM seeks comments on how better to protect human research subjects while facilitating valuable research. The current Common Rule was developed over 20 years ago and does not reflect changes in how medical research is conducted today or the advanced technology now used to facilitate that research.

HHS acknowledges concerns with the current Common Rule and with the increasing use of genetic information, biospecimens, medical and research records, and administrative data. The risks related to these types of research are considered informational risks, such as the unauthorized release of information about the research subject. The HIPAA Privacy Rule addresses some of these risks by imposing restrictions on how protected health information may be used and disclosed, including for research. The HIPAA Security Rule protects subjects by requiring covered entities and their business associates to have physical, administrative and technical safeguards to protect information in electronic form. However, not all research investigators are subject to HIPAA. Likewise, the Privacy Act of 1974 does not apply to non-Federal researchers. Further, HHS acknowledges that the Common Rule and the HIPAA Privacy Rule can be inconsistent, which makes it difficult for researchers to comply with both. Current privacy regulations do not take into account the genetic and information technologies that make complete de-identification of biospecimens impossible and re-identification of sensitive health data easier.

HHS proposes establishing mandatory data security and information protection standards for all research studies that involve identifiable and potentially identifiable data and in which data is collected, stored, analyzed, or otherwise reused. HHS also anticipates creating rules to protect against the inappropriate re-identification of de-identified information that is collected as part of a research study. The ANPRM advocates adopting the HIPAA standards around de-identification and extending them to those investigators who are not covered entities or business associates. With these new rules, HHS expects to streamline the Institutional Review Board (IRB) process and no longer require the IRB to assess the adequacy of the protections against informational risks. In addition to adopting the HIPAA Privacy Rule, HHS further proposes the following: 1) research involving identifiable data would be required to adhere to the HIPAA Security Rule, including the breach notification standards; 2) data could be considered de-identified or in a limited data set if the investigator sees the identifiers but does not record them in a permanent research file; and 3) retrospective audits and additional enforcement tools.

SAFE Data Act Approved by House Subcommittee

The House Subcommittee on Commerce, Manufacturing, and Trade, chaired by Rep. Mary Bono Mack (CA), approved the Secure and Fortify Electronic Data Act (H.R. 2577) (SAFE Data Act) following lengthy debate on July 20, 2011.  The SAFE Data Act contains information security requirements and breach notice obligations consistent with Rep. Bono Mack's statements following the subcommittee's hearing regarding the breaches at Sony and Epsilon.  The bill now moves to the full committee for consideration. 

The information security requirements would come from regulations to be issued by the FTC within one year.  The regulations must require companies that own or possess data containing personal information to implement policies and procedures to protect personal information, including: (1) a security policy for collection, use, and dissemination of personal information; (2) identifying a person to be responsible for managing information security; (3) a process for identifying foreseeable vulnerabilities, including regularly monitoring to detect system breaches; (4) a process for taking preventative action to mitigate any identified vulnerabilities; and (5) a process for disposing of data on paper and in electronic form.

The breach notification provisions of the Act require companies to notify law enforcement without unreasonable delay and notify the FTC and all affected individuals whose personal information “may have been accessed or acquired” within 48 hours of identifying the affected individuals.  The notification to affected individuals must begin no later than 45 days after discovery of the breach unless the company receives a written request to delay notification by law enforcement.

Notice to affected individuals is required when there is unauthorized access to or acquisition of personal information in electronic format.  Personal information is limited to a person’s name in combination with: (1) a Social Security number; (2) a driver’s license number, passport number, or military ID; or (3) a financial account number or credit or debit card number along with any required code necessary to permit access to the account.  There is also a risk-of-harm trigger: notice is not required if the company makes a reasonable determination that the breach presents “no reasonable risk of identity theft, fraud, or other unlawful conduct” to the affected individuals.  A presumption exists that there is no reasonable risk of harm if the data was encrypted.  Companies are also required to provide at no cost, upon the request of affected individuals, either credit reports on a quarterly basis for at least two years or credit monitoring for two years (this does not apply if the only personal information at issue is a name associated with a credit or debit card number).

Importantly, the SAFE Data Act preempts all state laws concerning information security requirements and breach notification obligations.

Democrats offered many amendments to the bill, including expanding the definition of personal information and not preempting stronger state notification laws, but they were rejected by the subcommittee.  Representative Henry Waxman (CA), who offered some of the rejected amendments, contends that the bill is filled with "loopholes that sacrifice data security and privacy." 

The SAFE Data Act does not contain any provisions concerning privacy rights or Do Not Track.  You can view a summary of the other pending breach notification bills here.

New HIPAA Access Report: Proceed with Caution

We previously reported on the HIPAA Proposed Rule on Accounting of Disclosures and the new Access Report requirements. Further analysis of the proposed rule raises additional concerns for healthcare entities and providers. As a reminder, the Access Report requirements will mandate that, upon a patient’s request, a covered entity or business associate must provide an accounting of all individuals who accessed the electronic health record in a designated record set, for any reason. This includes both uses and disclosures, regardless of the purpose.

Caution: Many electronic records are not equipped to automatically generate the list of all individuals that access a patient’s electronic health record. The Proposed Rule implicates not only those individuals caring for the patient, but those in the billing department processing the payments, and others who access the designated record set during the course of “operations.” The electronic record will not differentiate between the types of activities an individual does while accessing the patient’s designated record set. As a result, the Access Report while creating a great deal of transparency as to who has accessed a patient’s record, may generate a lot of confusion and unnecessary concern due to the sheer volume of people who access a patient’s medical record as part of treatment, payment and operations during a single hospitalization or complex outpatient visit.

The Proposed Rule does not specifically exclude activities that healthcare providers may consider privileged under various legal privileges, such as peer review, hospital committee, attorney-client, attorney work product or performance improvement privileges. Activities, such as root cause analyses, adverse patient event investigations, physician peer review, or even in-house attorney review of a designated record set, may be included as part of the access report when individuals conducting those activities access a designated record set to accomplish those duties. Importantly, those individuals who access the designated record set may become unwitting witnesses in a subsequent malpractice action. The information contained within an Access Report could provide the basis for determining when a provider anticipated litigation and/or a spoliation claim. An enterprising plaintiff’s attorney may have his/her client request an Access Report from the healthcare provider prior to filing suit to obtain such information. Health Information Management, Risk Management, Privacy/Compliance, Information Technology and the Legal departments should develop a coordinated process to ensure appropriate handling and notification when such requests are made and to evaluate potential litigation implications.

HIPAA Audits ARRA Coming! Is your PHI Secure?

In the growing world of RAC audits, Voluntary Disclosure Protocols, IRS Form 990 disclosures, “Never Events” and HIPAA breach notifications, there is a new kid on the block in the area of federal audit and oversight for health care providers, health plans and their business associates under the health information privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  During the next 18 months, HIPAA privacy and security audits mandated under the American Recovery and Reinvestment Act of 2009 (“ARRA”) will be conducted by the Office of Civil Rights (“OCR”) through an audit contractor, it was announced on June 10, 2011.  The Department of Health and Human Services (“HHS”) awarded a $9.5 million contract to the KPMG accounting firm to “assist OCR in operating an audit program that effectively implements the statutory requirement to audit covered entity and business associate compliance with the HIPAA privacy and security standards as amended by ARRA.”  KPMG was awarded the contract one day after another contract had been awarded to Booz Allen Hamilton to conduct the “audit candidate identification” intended to identify the universe of covered entities and business associates subject to potential audit under this program.

Under Section 13411 of the Health Information Technology for Economic and Clinical Health Act, a part of ARRA (“HITECH”), HHS, through its Office of Civil Rights, is directed to conduct such audits for purposes of determining compliance with the privacy and security regulations under HIPAA.  Until now, the OCR has focused primarily on the investigation of alleged privacy and security violations in response to complaints, and has conducted a limited number of compliance reviews of covered entities, typically in response to publicized incidents.  The new audits will expand OCR’s activities in compliance enforcement and will raise the stakes for entities that have failed to appropriately implement HIPAA privacy and security safeguards.


Restrictions on Commercial Advertising Speech in Vermont Data Mining Law Violate First Amendment

As we briefly discussed here, on June 23, 2011, the U.S. Supreme Court in Sorrell v. IMS held that a Vermont statute restricting the sale, disclosure and use of pharmacy records containing the prescribing practices of doctors for marketing purposes by pharmaceutical companies violated the First Amendment’s protection of commercial advertising speech.  From a commercial advertising perspective, the decision sends a message that a government cannot restrict truthful, non-misleading advertising to prevent consumers from making a decision that the government disagrees with.  From a privacy standpoint, because the Court treated the creation or dissemination of data as speech, it will be difficult to enact laws restricting the disclosure of personal information without violating the First Amendment.

The Vermont law was aimed at curtailing the use of “detailing” by pharmaceutical companies to promote their drugs to doctors.  Data mining companies purchase prescriber-identifying information collected by pharmacies when they process prescriptions, which they aggregate and analyze (typically with patient data de-identified and encrypted) and then use to produce reports on the prescribing behavior of individual doctors.  Pharmaceutical sales representatives use the reports to more effectively convince doctors to prescribe higher-profit brand-name drugs. 

To combat detailing, the Vermont law: (1) prohibited pharmacies and health insurers from selling prescriber-identifying information or allowing it to be used for marketing without the prescriber’s consent; and (2) barred pharmaceutical manufacturers and marketers from using prescriber-identifying information for marketing without the prescriber’s consent.  The restrictions were subject to a broad list of exceptions, including allowing such data to be used for research, patient education on treatment topics, law enforcement, and other purposes provided by law. 

Applying heightened scrutiny, the Court found that the Vermont law impermissibly enacted content- and speaker-based restrictions on the sale, disclosure, and use of prescriber-identifying information.  Because the law only restricted one type of speech (marketing) by one type of speaker (pharmaceutical companies), the law violated the First Amendment.  The Court noted that there is a strong argument that prescriber-identifying information is speech for First Amendment purposes, not conduct.  In so doing, the Court rejected the argument that information used to develop a commercial message was simply a commodity with no greater First Amendment protection than beef jerky.  Rather, the Court stated that: “Facts, after all, are the beginning point for much of the speech that is essential to advance human knowledge and to conduct human affairs.”  Although it recognized that technology has created “serious and unresolved issues with respect to personal privacy,” the Court stated that content-based discrimination cannot be used to advance the government’s opinion in the privacy debate.

Although it applied heightened scrutiny, the Court found that the law would still fail under a lesser standard because Vermont did not show that the law was designed to directly advance a government interest.  Vermont did not argue that the law was designed to prevent false or misleading speech, and Vermont essentially conceded that the law did not advance confidentiality interests.  If Vermont’s interest was truly the privacy of patient information, the Court stated that it could have protected that interest by only allowing disclosure of prescriber-identifying information in a few narrow and well-justified circumstances, citing HIPAA as an example.  The Court added that: “Privacy is a concept too integral to the person and a right too essential to freedom to allow its manipulation to support just those ideas the government prefers.”

Vermont and supporters of its law attempted to frame it as a law protecting the privacy of sensitive medical data, and critics of the decision have argued that the Supreme Court chose to protect corporate interests instead of individual privacy rights.  But the law at issue in Sorrell v. IMS was not really designed to protect individual medical records—it was designed to promote the use of generic drugs to lessen Vermont’s health care costs.  The privacy implication of this decision is the recognition of the collection and dissemination of data as commercial speech protected by the First Amendment.  As the versions of Do Not Track legislation, designed to address the privacy concerns associated with behavioral advertising, and electronic health record laws are discussed at the federal and state levels, lawmakers will have to walk a tightrope to create a law that achieves the desired purpose without unduly restricting speech. 

If a government attempts to follow the road map articulated by the Court of only allowing disclosure of certain information in a few narrow and well-justified circumstances, it would risk stifling technology and innovation.  Banning most or even all disclosures of personal information is not realistic because of the value associated with the data, especially “big data.”  For example, in the healthcare industry, a research study released in May 2011 by McKinsey Global Institute (and discussed here) predicted that in ten years there will be an opportunity to capture $300 billion annually in new value, “with two-thirds of that in the form of reductions to national health care expenditure.”  In the public sector, the McKinsey study projected that use of geolocation data will create $100 billion in revenue to service providers over the next ten years and as much as $700 billion in annual value to customers.

Focus on Advertising to Children

The Interagency Voluntary Working Group on Food Marketed to Children released Preliminary Proposed Nutrition Principles to Guide Industry Self-Regulatory Efforts to improve the nutritional profile of foods marketed to children in April 2011.  Today, FTC Commissioner David Vladeck addressed 12 myths about the recommendations, including: (1) providing reassurance that the guidelines do not provide a basis for regulatory enforcement by the FTC; (2) noting that the proposal does not ban any marketing or specific food—it only recommends that certain products marketed to children meet nutritional principles; and (3) confirming that the proposal does not mean the end of chocolate Easter bunnies or the banishment of Toucan Sam from the Froot Loops box.  

In May 2011, Rep. Edward J. Markey (D-Mass.) and Rep. Joe Barton (R-Texas) introduced a children’s online privacy bill, the “Do Not Track Kids Act of 2011.”  The bill would amend and expand the protection offered by the Children’s Online Privacy Protection Act of 1998 (COPPA).  COPPA, which was created before Facebook and the proliferation of smartphones, only prohibits the collection of personally identifiable information from children under 12 without parental consent (read the FTC’s FAQs about COPPA here).  The bill would expand the protection of COPPA by covering online and mobile applications, unique persistent identifiers like IP addresses, and it would establish new privacy rules for minors under 18.  According to the press release from Rep. Markey:

  The “Do Not Track Kids Act of 2011” strengthens privacy protections for children and teens by:

  • Requiring online companies to explain the types of personal information collected, how that information is used and disclosed, and the policies for collection of personal information;
  • Requiring online companies to obtain parental consent for collection of children’s personal information;
  • Prohibiting online companies from using personal information of children and teens for targeted marketing purposes;
  • Establishing a “Digital Marketing Bill of Rights for Teens” that limits the collection of personal information of teens, including geolocation information of children and teens;
  • Creating an “Eraser Button” for parents and children by requiring companies to permit users to eliminate publicly available personal information content when technologically feasible.

The bill adopts many of the principles set forth in the Common Sense Media white paper, Protecting Our Kids’ Privacy in a Digital World.

The FTC has been collecting comments on the costs and benefits of the regulations implementing COPPA since April, including whether COPPA is broad enough to apply to mobile applications, mechanisms for obtaining parental consent, and Safe Harbor.  The FTC is also seeking public comment on a proposed safe harbor program submitted by Aristotle International, Inc. for Commission approval under COPPA.