Cignet Proves That It Is Bad To Violate The HIPAA Privacy Rule, But Worse To Ignore HHS

Cignet Health (Cignet), which operates four health centers in Maryland, is a little lighter in the wallet after the U.S. Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) found that Cignet violated the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) - $4.3 million lighter, to be exact.

This penalty marks the first civil money penalty imposed by HHS for violations by a “covered entity” of the HIPAA Privacy Rule. In the past, HHS has primarily worked with covered entities to settle the violations and obtain agreement to changes in practices. The civil monetary penalty imposed upon Cignet is based on the violation categories and increased penalty amounts authorized by Section 13410(d) of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which modified HIPAA.

According to the HHS news release, part of the penalty stems from Cignet’s denying 41 patients their right to access their medical records when requested between September 2008 and October 2009. Under HIPAA, a covered entity must provide access to a patient who requests such access to his or her medical record within 30 days of the request, subject to various exceptions and limited rights to extend such time period. (Numerous state laws include similar obligations that health care providers provide a patient with access to his or her own records, often within shorter time frames than is required by HIPAA.) Thirty-eight separate complaints of such denial of access had been filed with OCR, pursuant to which OCR began its investigation of Cignet. HHS has indicated that $1.3 million of the $4.3 million penalty is attributable to this denial of access to a patient’s records.

Notably, out of the over 50,000 complaints of alleged HIPAA Privacy Rule violations that OCR has resolved, the denial of a patient’s access to his or her own records has been the third most cited reason for such a complaint every year since 2003, when compliance with the Privacy Rule was first legally required. But every other such complaint of denial of access was informally resolved with OCR. According to various news reports, Cignet never attempted to informally resolve the complaints with OCR.

In Cignet’s case, $3 million of the penalty is attributable to OCR finding that Cignet repeatedly failed to respond to various requests from OCR for more than a year (March 17, 2009 to April 4, 2010), resulting in per-day penalties, up to the maximum permissible penalties per year pursuant to applicable enforcement rules. Under HIPAA, covered entities are required to cooperate with HHS investigations. Even after Cignet finally produced the applicable patient records to HHS (in response to a federal court order), Cignet’s cooperation was limited in that it produced records relating to thousands of patients in addition to the 41 at issue. In various communications from OCR during the course of the investigation and the initial proposal of penalties, Cignet was notified of its rights to offer defenses and mitigating factors, and subsequently, of its rights of appeal. Cignet never exercised any of its rights.

The lesson to be learned from Cignet is that if you violate the HIPAA Privacy Rule, be prepared to pay, but if you fail to cooperate with OCR investigations into such violations, be prepared to pay even more (potentially 200% more). The question remains as to whether or not the extent of this fine is a true example of a new approach to enforcement of HIPAA, or whether Cignet’s ignoring official inquiries, failing to pursue informal resolution and not exercising its rights under HIPAA warranted unusual measures.

Privacy under the 44th President? Will the New Administration Bring a New Playbook?

As we prepare to welcome both the 44th President and a revamped Congress to Washington, it is time to consider what privacy under the new administration will look like. Barack Obama polled strongly on the campaign trail as the candidate most likely to advance individual privacy rights, but are the pollsters a good indicator of what privacy will look like under the new administration? Here are some of our thoughts about what we may see in the next four years.

National Privacy Law: Major players in the online marketing sphere, such as Microsoft and Google, already have expressed support for a generally-applicable privacy law to preempt a growing number of state laws that impose varying requirements on the collection, use, storage and disclosure of personal information. Whether a federal law emerges governing the collection and use of personal data, including for marketing purposes, is the looming question in the new administration.

Behavioral Advertising: Behavioral advertising -- the practice of tracking an Internet user’s activities online in order to deliver advertising targeted to an individual consumer’s interests -- which Congress examined extensively over the summer, should continue to generate interest under an Obama administration. Indeed, the Federal Trade Commission (“FTC”) is expected to announce its final guidance concerning the self-regulation of behavioral advertising even before President-elect Obama takes office in January. We are also likely to see behavioral advertising legislative proposals at the state level, with efforts gaining traction in states like New York, where both Houses are now controlled by the Democrats.

Electronic Health Records: A key component of President-elect Obama’s health care plan is the migration of health care records from paper to more universally accessible forms of electronic media. The incoming president believes strongly that the use of technology will help lower the cost of health care. But as many commentators have suggested, greater accessibility carries greater risk, and the shift toward computerized health records is one area in which President-elect Obama’s aggressive technology and innovation policies may outgrow existing consumer protection safeguards. President-elect Obama’s commitment to providing robust protections against the misuse of this kind of sensitive information likely will require the development of additional, and more broadly-applicable, regulations to shore up existing safeguards provided under the Health Insurance Portability and Accountability Act (“HIPAA”) and other existing legal regimes. 

Data Breach Notification: Over the past few years, states have been very active passing legislation that requires businesses that retain information about state residents to notify such residents when that information is compromised. Efforts to pass a preemptive national law have stalled largely because of the greater discretion proposed for business regarding the need to notify. That issue will likely continue to impede consensus on a national law, and the state framework is likely to be with us for a while.

Legislative activity at the state level concerning the protection of personal information, however, is likely to continue as lawmakers try to respond to several high profile information security breaches from previous years. Moreover, as we are seeing in Massachusetts and Connecticut where new data security laws have been passed, we may see a stronger push at the state level toward requiring affirmative steps to protect personal information, rather than just requiring businesses to respond to a breach incident.

More Robust Federal Trade Commission: President-elect Obama plans to enlarge the FTC budget and enforcement power to aid in the implementation of his technology and innovation policies. The FTC’s expanded powers will likely be used to enforce the Commission’s new identity theft Red Flags Rule, which requires financial institutions and creditors to implement comprehensive written identity theft prevention programs by May 1, 2009. The FTC’s decision to extend the original November 1, 2008 compliance deadline for an additional six months portends relatively immediate enforcement activity in Summer 2009 that will help define precisely what is required, and from whom, under the Rule. The push for more enforcement power may also spur the expansion of the FTC’s authority to seek civil penalties and other monetary remedies for violations of the statutes and regulations the Commission enforces.

Location Data & Government Surveillance: President-elect Obama’s desire to develop and better utilize available technologies to create real change in America will likely create some friction in the areas of government surveillance and the collection of location data where the interests of national security and personal privacy diverge. Moreover, the private sector’s collection and use of location data and other “tracking” information to more effectively market to consumers raises concerns on both sides of the aisle since these technologies arguably can be misused to compromise national security or personal privacy. While we expect the Obama administration to back away from the aggressive government surveillance policies and programs implemented by the previous administration in the wake of September 11, 2001, the success of these efforts will require a delicate balance between a strong stance on national security and a shift toward protecting the privacy of Americans at home.