Media publications, interviews & quotes

It is well known that the Health Insurance Portability and Accountability Act's (HIPAA) Privacy and Security regulations have limitations on their reach. One such limitation is that HIPAA only applies to covered entities and their business associates, not health data in general. To address this issue, Washington's legislature passed House Bill 1155 on April 17, 2022, also known as the My Health, My Data Act (the Act). The bill aims to regulate health data collected by entities not covered by HIPAA, (think apps and websites).

If signed into law, it will take effect on March 31, 2024, with certain parts of the legislation possibly taking effect earlier.

Under the Act, a “Regulated Entity” is defined as an entity that conducts business in Washington, produces or provides products or services targeted to consumers in Washington, and determines the purposes and means of collecting, processing, sharing, or selling consumer health data. The law creates a subgroup of Regulated Entities called “small businesses” to provide additional time to comply. Small businesses collect, process, sell, or share consumer health data of fewer than 100,000 consumers during a calendar year or derive less than 50% of gross revenue from the collection, processing, selling, or sharing of consumer health data and control, process, sell, or share consumer health data of fewer than 25,000 consumers.

The Act is intended to protect “consumer health data,” defined as personal information that identifies a consumer's past, present, or future physical or mental health status, linked or reasonably linkable to a consumer. Health status includes:

• Individual health conditions
• Treatment
• Diseases
• Diagnosis
• Social, psychological, behavioral, and medical interventions
• Health-related surgeries or procedures
• Use or purchase of prescribed medications
• Bodily functions, vital signs, symptoms, or measurements of health-related functions
• Diagnoses or diagnostic testing
• Treatment or medication
• Gender-affirming care information
• Reproductive or sexual health information
• Biometric data
• Precise location information that could reasonably indicate a consumer's attempt to acquire or receive health services and supplies, and data that identifies a consumer seeking health care services

Under the Act, a protected consumer is a natural person who is a Washington resident or a natural person whose consumer health data is collected in Washington. The law only protects consumers for actions taken as individuals or on behalf of a household and not actions taken by an individual in an employment context.

Consumers have several rights under HIPAA with respect to their protected health information (PHI). The Act provides consumers with the right to:

• Confirm whether their consumer health data is being collected, shared, or sold
• Consent to or deny the collection or sharing of health data
• Withdraw consent from a regulated entity or small business to collect or share health data
• Delete health data collected by a regulated entity or small business
• Be provided clear and conspicuous disclosure of rights to consent or deny collection or sharing of health data

Regulated entities and small businesses must maintain a consumer health data privacy policy prominently on their homepages that includes categories of:

• Consumer health data collected and the purpose for which the data is collected
• Sources from which the consumer health data is collected
• Consumer health data that are shared
• A list of third parties and specific affiliates with whom consumer health data is shared

The Act also mandates contracts be in place with processors of consumer health data and codifies specific data security obligations for regulated entities and small businesses, including specific access management requirements. Regulated entities and small businesses may not discriminate against a consumer for exercising any rights included under the law. They must also respond to requests from consumers to withdraw consent to collect or share health data and to delete their consumer health data.

The law makes it unlawful for any person (not merely Regulated Entities or Small Businesses) to implement geofence technology around an entity that provides in-person health care services used to:

• Identify or track consumers seeking health care services
• Collect consumer health data from consumers
• Send notifications, messages, or advertisements to consumers related to their consumer health data or health care services

The Act is enforceable either by the Washington’s State Attorney General or via a statutory private right of action by affected consumer(s).

The Department of Financial Services released their Proposed Second Amendment to the Cybersecurity Regulation, 23 NYCRR Part 500. This amendment requires Class A Companies to implement additional cybersecurity controls, such as independent audits or their cybersecurity programs at least annually, monitoring privileged access activity, and using external experts to conduct a risk assessment at least once every three years.

Additionally, the Proposed Second Amendment states a Class A Company is a covered entity within the meaning of the statute. Further, Class A Companies are a covered entity with at least $20 million in gross annual revenue in each of the last two fiscal years from the business operations of the covered entity and (1) has over 2,000 employees averaged over the last two fiscal years, or (2) over $1 million in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and its affiliates.

The most significant proposed changes under the Second Amendment include:

• Section 500.3: covered entities are required to implement and maintain a written policy, approved at least annually, by the senior governing body of the covered entity that must be development, documentation, and implementation in accordance with the entity’s written policies.  
• Chief Information Security Officer Section 500.4: covered entities are required to designate a qualified individual as Chief Information Security Officer (“CISO”) to ensure cybersecurity risks are appropriately managed. The CISO should report at least annually to the senior governing body or senior officer responsible for the entity’s cybersecurity program.  
• Vulnerability and Penetration Testing Requirements Section 500.5: covered entities are required to develop and implement written policies and procedures for vulnerability management. These policies ensure entities conduct penetration testing from both inside and outside the information system’s boundaries by a qualified internal or external independent party at least annually and automated scans of information systems and a manual review of systems not covered by such scans to analyze and report vulnerabilities. Covered entities are also required to have monitoring processes for emerging security vulnerabilities and the timely remediation of such vulnerabilities.  
• Access Controls Section 500.7: Covered entities shall limit the use of privileged accounts with access to nonpublic information to the privileges necessary to perform the user’s job.  
• Use of Multifactor Authentication Section 500.12: Covered entities should use multifactor authentication for (1) remote access to the entity’s information systems; (2) remote access to third-party applications; and (3) all privileged accounts.  
• Asset Management and Data Retention Requirements Section 500.13: Covered entities are required to implement written policies that include a method to track key information for each asset.  
• Encryption Section 500.15: Covered entities are required to implement a written policy requiring encryption that meets industry standards to protect nonpublic information.  
• Business Continuity Section 500.16: Covered entities are required to establish written plans that contain proactive measures to investigate and mitigate disruptive events, including incident response, business continuity, and disaster recovery plans to address different types of cybersecurity events.  
• Notice Requirements Section 500.17: Covered entities must provide the DFS with (1) notice of the cybersecurity event within 72 hours from occurrence, (2) information regarding the investigation of the cybersecurity event within 90 days of the occurrence of the event, and (3) notify the DFS in the event an entity is affected by a cybersecurity event at a third-party service provider within 72 hours of the occurrence of the cybersecurity event.  

The Proposed Amendment’s comment period expired on January 9, 2023, and has a planned phased rollout beginning 180 days from the effective date of the Proposed Second Amendment.

 

On February 1, 2023, the Federal Trade Commission (“FTC”) announced an enforcement action for the first time under its Health Breach Notification Rule against the telehealth ad prescription drug discount provider GoodRx Holdings Inc. (“GoodRx”). The FTC’s Health Breach Notification Rule requires vendors of personal health records and related entities not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) to notify consumers following a breach involving unsecured, personally identifiable health information. 

The FTC has taken this enforcement action against GoodRx for GoodRx’s alleged failure to notify customers and others of its unauthorized disclosures of consumer’s personal health information to Facebook, Google, and other companies. The proposed order, filed by the Department of Justice (“DOJ”) on behalf of the FTC, prohibits GoodRx from sharing user health data with applicable third-parties for advertising purposes. Further, GoodRx has agreed to pay a $1.5 million civil penalty for violating the Health Breach Notification Rule. However, for the proposed order to be enforced, a federal court must approve the order for it to go into effect.  

The California based GoodRx operates a digital health platform that offers prescription drug discounts, telehealth visits, and other health services, collecting personal and health information about its users. GoodRx has allegedly violated the Health Breach Notification Rule by sharing user’s sensitive personal health information for years with advertising companies and platforms, and failed to report these unauthorized disclosures in direct conflict to GoodRx’s own privacy promises and the Health Breach Notification Rule.  

Specifically, GoodRx has deceptively promised users it would not share personal health information with advertisers or other third-parties, to which GoodRx has repeatedly violated its own promise by sharing sensitive personal health information with third-party advertising companies and advertising platforms like Google, Facebook, and Criteo, among others. Further, GoodRx used the personal health information that it collected to target GoodRx’s own users with personalized health and medication specific advertisements on Facebook and Instagram. GoodRx also allowed third-parties it shared data with to use collected personal health information for their own research and development or improvement to advertising. GoodRx misrepresented its compliance with HIPAA and failed to implement and maintain sufficient policies and procedures to protect the personal health information of its users.  

The GoodRx enforcement action by the FTC under the Health Breach Notification Rule highlights the increased scrutiny regulators are placing on companies using and disclosing consumer health information. Because of the increased scrutiny of regulators and the emphasis on the protection of sensitive consumer health information, it is imperative that businesses implement and maintain policies and procedures that prevents the unauthorized disclosures to third-party advertisers.  

At The Beckage Firm, we have a team of professionals that are highly knowledgeable of HIPAA and the Health Breach Notification Rule and can help your business implement safeguards that are compliant with federal and state regulations surrounding sensitive health information. Info@thebeckagefirm.com  

 

---

Class Action* Filed (December 14, 2022) – Artificial Intelligence Resulting in Alleged Discrimination in Claims Processing and Procedures

 

ATTORNEY ADVERTISEMENT

Jaqueline Husky, on behalf of herself and all others similarly situated filed suit against State Farm Fire & Casualty Company, U.S. District Court, Northern District of Illinois, Case No. 22-cv-7014, dated December 14, 2022, alleging violations of the Fair Housing Act by State Farm.

Husky, and her counsel, claim that State Farm’s use of Artificial Intelligence (“AI”) disparately treats its Black homeowners’ claims relative to white homeowners’ claims in the Midwest (Illinois, Indiana, Michigan, Missouri, Ohio, and Wisconsin). The alleged disparate treatment involves “greater suspicion than claims made by their white counterparts,” “greater inconvenience as well as detrimental impact” to property values and “quality of life,” and delays in the claim adjustment procedures.

Husky alleges that State Farm’s use of AI in automated claims processing procedures, including “machine-learning algorithms,” effects “predictions and decisions about whether a claim might be fraudulent, how much scrutiny it requires, and how it should be processed,” relying upon “(1) biometric data that function as proxies for race, such as physical appearance, genetics, and voice; (2) intrusive behavioral data that function as proxies for race, such as geolocation, social media presence, and browser search history; and (3) historical housing and claims data that are themselves infected with racial bias.”

The AI algorithms, again as alleged, “too often have discriminatory effects, even where demographic data, such as race, are not included as inputs. This is because algorithms can “learn” to use omitted demographic features by combining other inputs that are correlated with race (or another protected classification), like zip code, college attended, and membership in certain groups.”

To support Husky’s allegations, the following information was provided:
Survey of 648 white and 151 Black policyholders demonstrated large and statistically significant racial disparities, regarding (1) the time for claims to be paid; (2) the supplemental paperwork required as part of claims adjudication; and (3) the number of adjustor/claimant interactions for each claim.
   (1) 39% of white compared to 30% of Black policyholders received payment for their claim within one month or less (Alleged difference would occur less than 5% of time as a result of random chance).
   (2) 46% of white compared to 64% of Black policyholders were required to submit additional materials beyond the materials that initiated their claims (Alleged difference would occur less than 1% of time as a result of random chance).
   (3) 51% of white compared to 42% of Black policyholders resolved their claims after only one to three interactions with State Farm, and 49% of white and 58% of Black policyholders needed three or more interactions.

The Complaint further alleges an industry shift from person-to-person claims handling to an AI-based analysis designed to separate claims into one of three buckets: “no touch,” “low touch,” and “high touch.” There is a newer reliance on analytics and AI learned algorithms to determine the level of Adjustor involvement. However, as Husky alleges, it is the social stratification of the data, the weighed importance relative to the benefits, and the AI interpretation of the data that creates the discriminatory results.

The Beckage Firm, a boutique data security and privacy firm with lawyers who are also technologists with AI backgrounds, understands AI and its positive, and potential legal compliance issues that may arise. As organizations adopt AI, or use third parties who use AI, legal compliance evaluation can help mitigate regulatory investigations and unintended outputs.

Scott Michael Lupiani, Esq.
Member, The Beckage Firm PLLC
 

 

---

FTC FINALLY CRACKS DOWN ON PRECISE GEOLOCATION PRACTICES
 

Posted 10/31/22
 

Post Dobbs, organizations are taking a closer look at their geolocation practices, data that they receive from third parties, including data brokers, and their operational practices. To further complicate this review, the FTC has shined a light on the issue with its recently filed suit against Kochava, who is in the data broker industry. This suit can provide insight on how the FTC and other agencies will look at geolocation data and what organizations should be on the lookout for.
 

With the FTC finally having a full complement of commissioners, Commissioner Lena Khan’s ambitious agenda appears to finally be kicking into motion. In addition to her efforts to tie antitrust law to data protection practices and jumpstarting the federal rulemaking process for badly needed updates to federal privacy law, Khan’s FTC brought an action in late August against Kochava, a data broker, for the sale of precise geolocation data of consumers in the U.S. District Court of Idaho.
 

 

Kochava claims to process more than 94 billion data transactions each month for 125 million monthly active users and 35 million daily active users. The consumer data is made available for purchase through a license or through a free sample that contains a rolling 7 day period.  Kochava denies the allegations in the complaint, stating their practices are in compliance with all applicable privacy laws and, “Kochava sources 100% of the geo data in our data marketplace from third party data brokers all of whom represent that the data comes from consenting consumers.”
 

The FTC is seeking a permanent injunction to stop this practice. Typically, the FTC has brought privacy cases under the “deceptive” practices prong of its authority under Section 5 of the FTC Act. Advancing this case on unfairness grounds represents an aggressive move against not just Kochava, but geolocation as a whole, enabling the FTC to seek a permanent injunction against the practice, not just about any statements related to the practice, of selling precise geolocation data. The FTC is choosing to advance a harder argument here – that the practice of selling precise geolocation data is uniquely unfair because a consumer cannot meaningfully consent to the transaction by companies it has no knowledge of and that the practice has and will substantially harm individuals – in order to have a greater impact on the business model as a whole.

A win by the FTC here would likely result in a substantial impact on not just data brokers and advertisers, but also analytics companies, retail groups, device tracking technologies (e.g. Apple Airtags) and automotive manufacturers who increasingly process substantial amounts of precise geolocation data for a wide variety of purposes. But key questions remain: Is Kochava the right target for this action if no particularized harm has been identified and alleged from the sale of its particular data set?
 

Precise geolocation data is also highly valuable to law enforcement. Earlier this week, the Associated Press released an article based on a joint investigation with the Electronic Frontier Foundation, unmasking a data broker called Fog Data Science LLC, licensing a tool to law enforcement and government agencies for a reputed $7,500/year fee, that would provide geofencing and location tracking capabilities without a warrant. Such practice is currently lawful because of the exception under 4^th Amendment caselaw for publicly available information.  

Precise geolocation data is considered highly sensitive data – a type of digital plutonium – because of the difficulty anonymizing the data and the rich insights that can be extracted from the feed. Precise geolocation tied to a time stamp and advertising identifier – the unique number each phone is assigned by Apple or Google for advertisers to use for targeting – can reveal an individual’s home address, work address, and other sensitive data. In 2021, a Catholic priest resigned after he was outed as visiting LGBTQ+ bars. His precise geolocation data was obtained through a data broker by a Catholic news organization who outed him. The data broker got it from Grindr, the LGBTQ+ dating app. Precise geolocation has revealed numerous national security implications as well. In 2018, the US military was forced to reexamine its security practices after fitness tracker Strava’s heatmaps revealed military bases and patrol routes. That story, among others, was part of a New York Times series on location data practices that included the ability to locate devices traveling to and from CIA Headquarters in Langley, Virginia. At the same time, the US military and other law enforcement agencies have been caught buying precise geolocation data from Muslim prayer apps, a move that clearly has First Amendment implications.

In a post-Dobbs’ America, the implications are profound with Republican governed states rapidly moving to criminalize women who seek abortions or the doctors who provide them. Some are even exploring enforcing their laws on women who seek abortions across state lines.  

*Attorney Advertising: Prior Results Do Not Guarantee Similar Outcomes

Thebeckagefirm.com
info@thebeckagefirm.com