U.S. Department of Commerce Launches Internet Privacy Review

The U.S. Department of Commerce has announced the commencement of a comprehensive review of the nexus between privacy policy and innovation in the Internet economy.  Through a Notice of Inquiry (NOI) published in the Federal Register [75 Fed. Reg. 21226 (April 23, 2010)], the Department seeks comment from all Internet stakeholders “on the impact of current privacy laws in the United States and around the world on the pace of innovation in the information economy.  The Department seeks to understand whether current privacy laws serve consumer interests and fundamental democratic values.” 

“Because of the vital role the Internet plays in driving innovation throughout the economy, the Department has made it a top priority to ensure that the Internet remains open for innovation while promoting an environment respectful of individual privacy expectations,” said Commerce Secretary Gary Locke.

The Commerce Department has created an Internet Policy Task Force whose mission is to identify key public policy issues in the Internet environment, including consumer and commercial perspectives.  The Task Force is comprised of staff members from the National Telecommunications and Information Administration (NTIA), the International Trade Administration (ITA), the National Institute of Standards and Technology (NIST) and the Patent and Trademark Office (PTO), and will be coordinated through the Commerce Department’s Office of Policy and Strategic Planning, which reports to the Commerce Secretary.   In addition to privacy and innovation, the Task Force will examine “cyber security, global free flow of information goods and services and online copyright protection, as well as other issues. 

The Task Force is currently seeking comment on the impact of the current privacy framework on commerce and innovation, as well as possible improvements to foster innovation.  Specifically, the Task Force is seeking input on the hurdles businesses face in complying with different state and international laws concerning privacy and data protection and the possible harmonization of such laws.  The Task Force also discusses and seeks comment on the challenges posed by cloud computing models in determining where data is stored and who has jurisdiction over the data.

On May 7, 2010, the Department of Commerce will hold a public meeting to discuss stakeholder views and facilitate public discussion on privacy policy in the United States. Comment submissions are due by June 7, 2010.  After analyzing public comments, the Department of Commerce will issue a report aimed at contributing to the Administration’s domestic and international policy in the area of Internet privacy.

Impact of HITECH Act on Business Associates

What is HITECH?

Title XIII of the American Recovery and Reinvestment Act of 2009, entitled the Health Information Technology for Economic and Clinical Health (“HITECH”) Act goes into effect on February 17, 2010 and was enacted principally as a stimulus bill. HITECH’s focus is to provide funding for electronic health records and related activities. In light of increased use of electronic health records, HITECH provides additional legal protections concerning protected health information (“PHI”) and expands the protections afforded by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) with regard to privacy and security. HITECH also provides for direct regulation of Business Associates by the Department of Heath and Human Services (“HHS”).

What is a Business Associate?

A “Business Associate” is defined by HIPAA to be a person or entity who provides certain functions, activities and services to or on behalf of a covered entity involving the use or disclosure of PHI. This definition may include technology providers and other vendors contracting with a covered entity. A “covered entity” under HIPAA is a health plan, health care clearing house and health care providers who transmit any health information in electronic form.

How does HITECH impact Business Associates?

  • HITECH requires Business Associates to comply with the HIPAA Security Rule (45 CFR parts 160 and 164, parts A and C) regarding implementation of administrative, physical and technical safeguards to protect PHI and development and enforcement of procedures and documentation standards. Security requirements that are applicable to covered entities are now also applicable to Business Associates.
    Business Associate must comply with HIPAA business associate safeguards, including accounting for disclosures and retuning or destroying PHI at contract termination if feasible.
  • HITECH security and privacy requirements are required to be incorporated into business associate agreements between Business Associates and covered entities.
  • HHS has the right to perform compliance audits of Business Associates.
  • Termination of the Business Associate Agreement or notification of HHS is required by Business Associates in the event of known breaches of the business associate agreement by the covered entity. The Business Associate will be deemed to violate the provisions of HIPAA if it knows of such breaches by a covered entity and it fails to cure the breach, terminate the business associate agreement or report the breach to HHS.
  • Business Associates are subject to enhanced criminal and civil penalties for violations.
  • HHS will issue annual guidance on the most effective and appropriate technical safeguards, which will also apply to Business Associates.

Breach Notification Regulations
In August, 2009, HHS issued an interim final rule implementing the new HITECH breach notification requirement described above. Sanctions for violations of this rule may be imposed commencing in February, 2010. A breach is an unauthorized use or disclosure that violates the HIPAA Privacy Rule. The rule requires covered entities to notify affected individuals when there is a breach of their “unsecured PHI”. Unsecured PHI is PHI that is not secured through the “use of technology or a methodology specified by the Secretary [of HHS] in guidance”. Under an existing HHS rule published in April, 2009 (74 FR 19006), encryption or destruction are currently the only sanctioned methods to secure PHI. Firewalls and other access controls will not be deemed to render PHI secure for purposes of HITECH.

HHS also clarifies in this rule that the HITECH breach notification requirement only applies if the breach passes a “harm threshold” such that the breach “poses a significant risk of financial, reputational or other harm to the individual”. This requires risk assessment to determine if the disclosure of PHI poses a significant risk of harm to the affected individual. Considerations include (i) who used the impermissibly disclosed information; (ii) to whom the information is disclosed (i.e. – another covered entity, as opposed to an entity under no obligation to maintain the privacy of the information); and the type and amount of PHI involved in the impermissible disclosure.
Notice must be provided to the affected individual and HHS no later than 60 days after the breach of unsecured PHI is discovered. If a Business Associate is responsible for the breach, it must notify the covered entity and provide the information necessary to provide the required notice.

More Guidance is Forthcoming
Comprehensive HHS regulations are forthcoming, and will be published in the coming weeks. Among other issues, these regulations should address the expansion of the definition of Business Associate and the extension of the HIPAA Security Rule and Privacy Rule to Business Associates. These regulations should also address requirements for approved technologies for electronic health records. Business Associates should analyze these new regulations carefully in implementing changes to their HIPAA compliance processes.