Because Texas is one of the last states to retain highly restrictive (and arguably anti-competitive) telemedicine practice standards, health care providers, regulatory boards, technology companies, payors and other stakeholders have been actively monitoring Texas’ approach to telemedicine regulation and the related Teladoc case. Texas has eliminated its most restrictive requirement for delivering care via telemedicine in Texas, increasing opportunities for providers to reach patients using technology. Senate Bill 1107 was passed on May 11, 2017, and the House added an amendment in passing Senate Bill 1107, which was approved in the Senate on May 18. The bill was signed into law by Governor Abbott last weekend.
On March 23, 2017, the New York Attorney General’s office announced that it has settled with the developers of three mobile health (mHealth) applications (apps) for, among other things, alleged misleading commercial claims. This settlement highlights for mHealth app developers the importance of systematically gathering sufficient evidence to support their commercial claims.
In an age where providers are increasingly taking the management of their patients’ health online and out of the doctor’s office, the creation of scalable and nimble patient engagement tools can serve to improve patient experience, health care outcomes and health care costs. While the level of enthusiasm for these tools is at an all-time high, there is a growing concern about the unexpected deterrent to the adoption of these tools from an unlikely source: the Telephone Consumer Protection Act of 1991 (TCPA).
Many professionals in the health industry have come to share two misconceptions about the TCPA: first, that the TCPA only applies to marketing phone calls or text message “spam,” and second, that the TCPA does not apply to communications from HIPAA covered entities to their patients/health plan members. These misconceptions can be costly mistakes for covered entities that have designed their patient engagement outreach programs without including a TCPA compliance strategy.
As discussed in a previous post, the TCPA was originally intended to curb abusive telemarketing calls. When applying the law to smarter and increasingly innovative technologies (especially those that we see in the patient engagement world), the TCPA poses significant compliance challenges for the users of these tools that arguably threaten to curb meaningful progress on important public health and policy goals.
Despite its initial scope of addressing robocalls, the TCPA also applies to many automated communications between health care providers and their patients, and between plans and their members. There is a diverse array of technical consent requirements that apply depending on what type of phone call you make. For instance, most auto-dialed marketing calls to cell phones require prior express written consent, meaning that the caller must first obtain written consent before making the call. To make compliance more complicated, callers remain responsible for proving consent and the accuracy of the numbers dialed.
Indeed, the TCPA presents a serious challenge for patient engagement tools, especially when violations of the TCPA can yield statutory damages of up to $1,500 per call or text message. While Federal Communications Commission orders over the past several years have added some clarity and a “safe harbor” for HIPAA-covered entities to help entities achieve compliance, there is still no “free pass” from the TCPA’s requirements. Therefore, covered entities and the business associates who work for them should not assume that compliance with HIPAA offers any security or defense against a successful claim under the TCPA.
The Joint Commission (TJC) recently clarified that licensed independent providers (LIPs) or other practitioners may not utilize secure text messaging platforms to transmit patient care orders. TJC’s earlier position provided that use of secure text messaging platforms was an acceptable method to transmit such orders, provided that the use was in accordance with professional standards of practice, law and regulation, and policies and procedures.
TJC identified the rationale for the reinstated prohibition against secure text messaging for patient care orders as one of patient safety: after “weighing the pros and cons,” TJC and the Centers for Medicare and Medicaid Services (CMS) concluded that the impact of the modality on patient safety remained unclear and determined that approving its use was premature.
Read more here about how this clarification impacts health care organizations.
Last Friday, July 10, 2015, the Federal Communications Commission (FCC) released Declaratory Ruling and Order 15-72 (“Order 15-72”) to address more than 20 requests for clarity on FCC interpretations of the Telephone Consumer Protection Act (TCPA). The release of Order 15-72 follows a June 18th open meeting at which the FCC adopted the rulings now reflected in Order 15-72 that are intended to “close loopholes and strengthen consumer protections already on the books.”
Key rulings in Order 15-72 include:
- Confirming that text messages are “calls” subject to the TCPA;
- Clarifying that consumers may revoke their consent to receive robocalls (i.e., telemarketing calls or text messages from an automated system or with a prerecorded or artificial voice) “at any time and through any reasonable means”;
- Making telemarketers liable for robocalls made to reassigned wireless telephone numbers without consent from the current account holder, subject to “a limited, one-call exception for cases in which the caller does not have actual or constructive knowledge of the reassignment”;
- Requiring consent for internet-to-phone text messages;
- Clarifying that “nothing … prohibits” implementation of technology that helps consumers block unwanted robocalls;
- Allowing certain parties an 89-day (after July 10, 2015) window to update consumer consent to “prior express written consent” as the result of an ambiguous provision in the 2012 FCC Order that established the “prior express written consent” requirement; and
- Exempting from the consent requirement certain free “pro-consumer financial- and healthcare-related messages”.
We are reviewing the more than 135 pages of Order 15-72, as well as the separate statements of FCC Commissioners Wheeler, Clyburn, Rosenworcel (dissenting in part), Pai (dissenting) and O’Rielly (dissenting in part). Please check back soon for more information and analysis.
On the third anniversary of the EU Commission’s proposed new data protection regime, the UK ICO has published its thoughts on where the new regime stands. The message is mixed: progress in some areas but nothing definitive, and no real clarity as to when the new regime may come into force.
The legislative process involves the agreement of the European Commission, the European Parliament and the Council of Europe (representing the governments of the member states). So far the European Parliament has agreed its amendments to the Commission’s proposal and we are still waiting for the Council to agree its amendments before all three come together and try to find a mutually agreeable position.
The Council is guided by the mantra “nothing is agreed until everything is agreed”, and so even though there has been progress with the Council reaching “partial general agreement” on international transfers, risk-based obligations on controllers and processors, and the provisions relating to specific data processing situations such as research, and an approach agreed on the one-stop shop principle (allowing those operating in multiple states to appoint and deal with a single authority), this progress means nothing until there is final agreement on everything. At this stage that means all informal agreements remain open to renegotiation.
It is noted that Latvia holds the presidency of the Council until June 2015. The Latvians have already noted that data protection reform remains a key priority, but progress has been slow and time may be against them. Where Latvia fails, Luxembourg will hopefully succeed as it takes up the presidency from June.
The ICO is urging all stakeholders to push on with the reform, although they see the proposed timetable of completion of the trilogue process by the end of 2015 as being optimistic. Instead a more reasonable timetable may be a final agreement by mid-2016 with the new regime up and running in 2018.
In 2014, regulators around the globe issued guidelines, legislation and penalties in an effort to enhance security and control within the ever-shifting field of privacy and data protection. The Federal Trade Commission confirmed its expanded reach in the United States, and Canada’s far-reaching anti-spam legislation takes full effect imminently. As European authorities grappled with the draft data protection regulation and the “right to be forgotten,” the African Union adopted the Convention on Cybersecurity and Personal Data, and China improved the security of individuals’ information in several key areas. Meanwhile, Latin America’s patchwork of data privacy laws continues to evolve as foreign business increases.
This report furnishes in-house counsel and others responsible for privacy and data protection with an overview of key action points based on these and other 2014 developments, along with advance notice of potential trends in 2015. McDermott will continue to report on future updates, so check back with us regularly.
For those Of Digital Interest readers attending the Brand Activation Association’s (BAA) 36th Annual Marketing Law Conference, please join McDermott partner – and Of Digital Interest editor – Julia Jacobson as she moderates a panel titled “New and Unexpected: Developments in Mobile Marketing – Mobile Tracking, Apps and Mobile Payments.” She will be joined by Ira Schlussel of HelloWorld, Inc., Paul Twarog of Google Inc. and co-moderator Terese Arenth. The panel session starts at 3:20 pm on Thursday, November 6. We hope to see you there.
A recent ruling by the Ninth Circuit took an expansive view of vicarious liability under the Telephone Consumer Protection Act (TCPA). Reversing the district court’s grant of summary judgment, the court in Gomez v. Campbell held that a marketing consultant could be held liable for text messages sent in violation of the TCPA, even though the marketing consultant itself had not sent the texts and even though the texts were sent on behalf of the marketing consultant’s client, not the consultant itself.
Among other things, the TCPA prohibits (with certain exceptions) the use of automatic telephone dialing systems in making calls to cellphones. Both the Federal Communications Commission (FCC) and the courts have interpreted this provision to bar the use of automated systems to send unsolicited texts to cellphones. In Gomez, the Campbell-Ewald Company had been hired by the Navy to conduct a multimedia recruiting campaign. Campbell-Ewald had then outsourced the text-messaging component of the campaign to a third party, Mindmatics. Mindmatics then allegedly sent text messages to the plaintiff and others who had not given consent.
On appeal, Campbell-Ewald raised two variations of the argument that it should not be held liable for texts that it had not itself sent. First, Campbell-Ewald argued that it did not “make” or “initiate” any calls under the TCPA because Mindmatics had sent the texts. As the statute only provides for liability for those that “make” or “initiate” prohibited calls, Campbell-Ewald argued that it could not be held liable. Second, addressing another potential avenue of liability, Campbell-Ewald noted that the FCC had interpreted the TCPA to allow for liability against those “on whose behalf” unsolicited calls are made. But, Campbell-Ewald argued, it could not be held liable on this ground either because the texts had been sent on behalf of its client, the Navy, not Campbell-Ewald.
In the end, the Ninth Circuit sidestepped both these arguments and found Campbell-Ewald potentially liable on a third basis, “ordinary tort-related vicarious liability rules.” The court noted that where a statute is silent on vicarious liability—as the court judged the TCPA to be—traditional common law standards of vicarious liability apply. Thus, the court held, Campbell-Ewald could be liable under the TCPA based on the agency relationship between Campbell-Ewald and Mindmatics. The court further noted that the FCC had stated that the TCPA imposes liability “under federal common law principles of agency,” and held that the FCC’s interpretation was entitled to deference.
Finally, the court noted that it made little sense to subject both the actual sender and the ultimate client to liability, while absolving the middleman marketing consultant, noting, “a merchant presumably hires a consultant in part due to its experience in marketing norms.”
The decision reinforces the importance for companies of closely monitoring anyone sending texts or placing calls on their behalf or at their direction. Following Gomez, it is clear that any company that had a role in sending unsolicited calls or texts can potentially be held liable under the TCPA; and the company with the deepest pockets usually becomes the target, no matter how minimal its role in the alleged violation.
Changes Impacting Businesses that Process Personal Data in Russia
On July 21, 2014, a new law, Federal Law № 242-FZ (Database Law), was adopted in Russia, introducing amendments to the existing Federal Law “On personal data” and to the existing Federal Law “On information, information technologies and protection of information.” The new Database Law requires companies to store and process personal data of Russian nationals in databases located in Russia. At a minimum, the practical effect of this new Database Law is that companies operating in Russia that collect, receive, store or transmit (“process”) personal data of natural persons in Russia will be required to place servers in Russia if they plan to continue doing business in that market. This would include, for example, retailers, restaurants, cloud service providers, social networks and those companies operating in the transportation, banking and health care spheres. Importantly, while the Database Law is not scheduled to come into force until September 1, 2016, a new bill was just introduced on September 1, 2014 to move up that date to January 1, 2015. The transition period is designed to give companies time to adjust to the new Database Law and decide whether to build up local infrastructure in Russia, find a partner having such infrastructure in Russia, or cease processing information of Russian nationals. If the bill filed on September 1 becomes law, however, that transition period will be substantially shortened and businesses operating in Russia will need to act fast to comply by January 1.
Some mass media in Russia have interpreted provisions of the Database Law as banning the processing of Russian nationals’ personal data abroad. However, this is not written explicitly into the law and until such opinion is confirmed by the competent Russian authorities, this will continue to be an open question. There is hope that the lawmakers’ intent was to give a much needed boost to the Russian IT and telecom industry, rather than to prohibit the processing of personal data abroad. If this hope is confirmed, then so long as companies operating in Russia ensure that they process personal data of Russian nationals in databases physically located in Russia, they also should be able to process this information abroad, subject to compliance with cross-border transfer requirements.
The other novelty of this new Database Law is that it grants the Russian data protection authority (DPA) the power to block access to information resources that are processing information in breach of Russian laws. Importantly, the Database Law provides that the blocking authority applies irrespective of the location of the offending company or whether it is registered in Russia. However, the DPA can initiate the procedure to block access only if there is a respective court judgment. Based on the court judgment, the DPA then will be able to require a hosting provider to undertake steps to eliminate the infringements. For example, the hosting provider must inform the owner of the information resource that it must eliminate the infringement, or the hosting provider must restrict the owner’s access to the information that is processed with the infringements. In case of the owner’s refusal or inaction, the hosting provider is obliged to restrict the access to the respective information resource altogether. If the foregoing steps are not performed by the hosting provider in due course, the DPA may request that the communication service provider restrict access to the respective information resource altogether, in particular to the web address, domain name and references to the web pages on the internet.
Changes Impacting Businesses that Process Internet Communications
In addition to the new Database Law, a new Federal Law № 97-FZ dated May 5, 2014 (Moderator Law) amends an existing Federal Law “On information, information technologies and information protection” to create new obligations for organizers of information distribution on the internet (moderators). The term “moderator” is defined as those maintaining information systems or software designed or used to receive, transfer, deliver or process electronic messages on the internet. The relevant Russian regulator has clarified unofficially that the Moderator Law is addressed only to instant messaging, blogging, social media and e-mails (see clarification at http://rkn.gov.ru/press/publications/news26545.htm). However, the broad and ambiguous definition makes it possible to apply the Moderator Law to every website that has a chat or comment feature, or that is capable of sending or receiving messages from users. The definition as it stands might also apply to e-commerce, cloud storage services, and more.
The amendments impose several new obligations on moderators, some of which give sweeping new rights of access to the Russian Government:
- All moderators must file notification with the state authorities upon commencing moderating activity (meaning, upon maintaining information systems or software designed or used to receive, transfer, deliver or process electronic messages on the internet). The entity shall file notification upon the respective request of the competent state authority or on its own initiative. The entity then will qualify as a moderator after its inclusion in a special Register of moderators. The particular procedure of notification is specified in Governmental Regulation № 746 dated July 31, 2014, which became effective August 12, 2014.
- All moderators are obliged to store (in the territory of Russia for not less than six months) information on the facts of reception, transfer, delivery and processing of electronic messages of users and the data of such users. The types of information to be stored are determined in the recently published Governmental Regulation № 759 dated July 31, 2014, which became effective August 14, 2014. The Regulation also specifies categories of the users whose electronic messages and data should be stored. Moderators also are under obligation to transfer such information to competent state authorities upon their request. The requested information should be provided by the moderator within the specified term, which as a general rule is 30 days. However, there might be urgent requests that require information to be provided within three days.
- The moderators are obliged to comply with requirements for technical equipment as well as software and hardware tools established by the state authorities responsible for ensuring security (for example, the Federal Security Service), as well as those conducting criminal investigations, in order to let them perform their functions. For example, if the state authority cannot decrypt requested information on the moderator’s information systems, the moderator must assist authorities by taking required steps to grant access to the information they need. The detailed procedure for moderators liaising with state authorities on technical requirements is specified in Governmental Regulation № 743 dated July 31, 2014, which became effective August 12, 2014.
Note, however, that the outlined obligations are not applicable to operators of state (municipal) information systems, communications operators (i.e., legal entities rendering communications services under the respective license) or individuals acting as moderators for private (personal) purposes.
If a moderator fails to comply with the Moderator Law or its implementing Regulations, the competent state authority is entitled to restrict access to the informational resources of the moderator by following the statutorily specified procedure set forth in Governmental Regulation № 745 dated July 31, 2014, which became effective August 12, 2014.
The violation of the Moderator Law and its implementing Regulations exposes the company and its officers to the following potential fines:
- Failure to file required notifications can result in a company fine from 100,000 to 300,000 RUR ($2,695.84 up to $8,087.52 USD) and a fine for company officers ranging from 10,000 to 30,000 RUR ($269.58 to $808.75 USD);
- Failure to store information or ensure access by authorities can result in a company fine ranging from 300,000 to 500,000 RUR ($8,087.52 up to $13,479.20 USD), and a fine for company officers ranging from 30,000 to 50,000 RUR ($808.75 up to $1,347.92 USD); and
- Failure to comply with technical requirements can result in a company fine ranging from 300,000 to 500,000 RUR ($8,087.52 up to $13,479.20 USD) and a fine for company officers ranging from 30,000 to 50,000 RUR ($808.75 up to $1,347.92 USD).
Guest author, Maria Ostashenko is Of Counsel at ALRUD Law Firm based in Moscow, Russia. Ms. Ostashenko and the ALRUD Firm are part of McDermott’s worldwide network of local privacy counsel who enable us to deliver seamless advice to multinational clients with the speed, efficiency and quality that our clients have come to expect from our team.