On May 31, 2017, the US Department of Justice announced a Settlement Agreement under which eClinicalWorks, a vendor of electronic health record software, agreed to pay $155 million and enter into a five-year Corporate Integrity Agreement to resolve allegations that it caused its customers to submit false claims for Medicare and Medicaid meaningful use payments in violation of the False Claims Act.
The Final Rule published by the US Department of Health and Human Services on January 18, 2017, largely avoids major modifications to the Common Rule. However, it specifically addresses creation of biospecimen and data repositories and use of those repositories for secondary research. All stakeholders involved in federally funded research should be aware of the Final Rule’s changes and prepare to implement them.
On January 18, 2017, the Department of Health and Human Services (HHS) and 15 other federal agencies issued a final rule overhauling the federal human subjects research regulations known as the “Common Rule.” These are the first revisions to the Common Rule since its original enactment in 1991, and have been in progress since HHS first published an Advanced Notice of Proposed Rulemaking in July 2011. According to the press release accompanying the final rule, HHS made “significant changes” to its most recent proposals (published in September 2015) in response to the 2,100+ public comments they received.
The majority of the Common Rule’s changes and new provisions will go into effect in 2018. We are reviewing the final rule in detail, and a summary of changes and new provisions is forthcoming.
On January 4, 2017, the Department of Health and Human Services (HHS) submitted a draft final rule to amend the federal human research regulations to the Office of Management and Budget (OMB). These regulations, often referred to as the Common Rule, were originally developed in 1991 and have been adopted by multiple federal departments and agencies. OMB review is the last step before final publication and suggests that HHS is trying to release a final rule before President Obama leaves office on January 20, 2017.
Through its Office for Human Research Protections (OHRP), HHS initially published an Advanced Notice of Proposed Rulemaking in July 2011. The Advanced Notice generated significant controversy and OHRP did not publish a notice of proposed rulemaking (Proposed Rule) for over four years, ultimately doing so on September 8, 2015. The Proposed Rule, like its earlier Advanced Notice counterpart, suggested major changes to the Common Rule, including changes to its overall jurisdictional scope, requirements relating to secondary use of biospecimens and individually identifiable information, and the general research review and oversight process.
Since the Proposed Rule’s publication, OHRP has received significant feedback from both industry and expert advisory groups about the proposed changes and their overall impact. While certain proposed changes have been applauded, the Proposed Rule has also generated considerable concern and uncertainty among stakeholders.
OMB’s review is currently pending.
The Joint Commission (TJC) recently clarified that licensed independent providers (LIPs) or other practitioners may not utilize secure text messaging platforms to transmit patient care orders. TJC’s earlier position provided that use of secure text messaging platforms was an acceptable method to transmit such orders, provided that the use was in accordance with professional standards of practice, law and regulation, and policies and procedures.
TJC identified patient safety as the rationale for reinstating the prohibition against secure text messaging for patient care orders: after “weighing the pros and cons,” TJC and the Centers for Medicare and Medicaid Services (CMS) concluded that the impact of the modality on patient safety remained unclear and determined that approving its use was premature.
On August 17, 2015, the Federal Trade Commission (FTC) announced settlements with 13 companies on charges that they misled consumers by claiming that they were certified members of the U.S.-EU or U.S.-Swiss Safe Harbor programs when in fact their certifications had lapsed or never existed in the first place. The FTC’s announcement comes on the heels of two previous settlements reached in late May 2015 with companies that had lapsed certifications despite representations to the contrary made to online consumers. This recent activity by the FTC serves as yet another reminder to businesses to monitor their Safe Harbor program certification renewal dates and to exercise care when making representations in privacy policies related to Safe Harbor program certification.
The Safe Harbor programs provide a method for U.S. companies to transfer personal data outside of the European Union (EU) or European Economic Area (EEA) consistent with the requirements of the European Union Directive on Data Protection or the Swiss Federal Act on Data Protection. To participate in a Safe Harbor program, a company must self-certify to the U.S. Department of Commerce that it complies with seven privacy principles and related requirements. Once certified, a company is required to renew its certification with the Department of Commerce each year to maintain its status as a current member of the Safe Harbor program.
The companies at the center of the recent enforcement actions represent a variety of industries, including app development, pharmaceutical and biotechnology research, medical waste processing and wholesale food manufacturing. This broad industry representation suggests to us that the FTC is committed to ongoing enforcement. Accordingly, we want to remind readers of these tips:
- Check your company’s certification status to ensure that it is marked “current” on the Department of Commerce website: https://safeharbor.export.gov/list.aspx;
- Review any privacy policies and online statements referencing the Safe Harbor programs to ensure that they properly reflect the certification status and the company’s actual privacy and data security practices;
- Institute a systemic reminder six months prior to the recertification date that triggers compliance review activity with a due date for completion prior to the recertification deadline, together with a requirement that the actual online recertification be completed prior to the annual deadline;
- Remove all references to the Safe Harbor programs from publicly available privacy policies and statements if the company’s certification status is unclear; and
- Review substantive compliance with the Safe Harbor programs and institute corrective action and controls to ensure that compliance is maintained.
On July 6, 2015, the Korean National Assembly passed a bill containing several amendments to the Personal Information Protection Act (PIPA). This bill (the Amendment Bill) combines a number of major provisions from nine different previous bills: one introduced in 2013 and eight proposed in 2014 following the massive data breach of three major credit card companies that occurred in January 2014 (the Credit Card Company Data Breach). Although the amended version of the PIPA (the Amended Act) will take effect upon its promulgation (the date of which is yet to be determined), most of the provisions that will significantly affect the obligations and responsibilities of data handlers are scheduled to take effect either a year after the Amended Act’s promulgation or on January 1, 2016. For timely compliance with the amended law, companies processing customer or employee data need to keep an eye on the respective effective dates of the provisions of the Amended Act that apply to them.
1. Significance of the Amendment
The PIPA was adopted in 2011, among other purposes, to protect the privacy of individuals and their personal information from unlawful collection, leakage, appropriation and misuse. However, even after the PIPA’s enactment in 2011, large-scale data breaches were not uncommon, and the Credit Card Company Data Breach last year was the final straw: it prompted calls for stricter data protection and privacy regulations across the board and raised awareness of the significance of data protection and security and of the serious risks involved. The Amendment Bill keeps pace with the stricter rules of the recently amended version of the Utilization and Protection of Credit Information Act.
More specifically, the Amendment Bill extends stronger protection measures to individuals affected by data breaches by providing for punitive damages and statutory damages. Further, heavier penalties are imposed on those who violate certain provisions of the PIPA, and illegal proceeds generated from such violations are subject to forfeiture and collection. Whereas the current version of the PIPA provides for the recovery of damages in the event an individual’s personal information is stolen, lost, leaked, falsified or damaged, the Amendment Bill explicitly prescribes “fabrication” of personal information as an additional type of data breach, so that affected individuals will also be able to claim damages if their personal information is fabricated. The Amendment Bill also awards broader authority to the Personal Information Protection Committee (PIPC) to address loopholes in the PIPA relating to the practical operation of the PIPC, and provides the legal grounds for the designation of institutions for data protection certification. Overall, the Amendment Bill contains provisions that increase the level of penalties imposed on violators.
Some of the key changes to the PIPA pursuant to this amendment are summarized below.
2. Adoption of Punitive Damages and Statutory Damages Provisions
The Amendment Bill deletes Article 39(2) of the PIPA, which sets forth the mitigating circumstances of a data handler’s liability for damages incurred by a data subject whose personal information is mishandled. Furthermore, under the Amendment Bill, if a person suffers damages due to his/her personal information being stolen, lost, leaked, fabricated, falsified, or damaged as a result of the data handler’s willful misconduct or gross negligence, the court may award the victim punitive damages of up to three times actual damages (Article 39(3), the “punitive damages provision”). Statutory damages of up to KRW 3,000,000 (approximately $3,000) are also available to those whose personal information is stolen, lost, leaked, fabricated, falsified, or damaged as a result of the data handler’s willful misconduct or negligence (Article 39-2). By holding the data handler liable for punitive and statutory damages, the Amendment Bill increases the level of responsibility placed on those handling personal information and introduces stronger measures for redress.
3. Heavier Sanctions Imposed on Violators; Illegal Proceeds Now Subject to Forfeiture/Collection
A person who falsely or by other fraudulent means or methods acquires personal information processed by another person and then provides such personal information to a third party for profit-seeking or other illegitimate purpose will be subject to imprisonment of up to 10 years or a fine of up to KRW 100,000,000 (Article 70(2)). Meanwhile, if personal information is stolen, lost, leaked, falsified, fabricated, or damaged because the data handler failed to implement the necessary security measures for the protection of personal information, then he/she will be subject to a fine of up to KRW 20,000,000 (whereas so far under the PIPA, the maximum fine amount is KRW 10,000,000) (Article 73(1)). The Amendment Bill now also allows for any criminal proceeds that a person acquires from the illegal distribution or the like of personal information to be confiscated or collected by the courts (Article 74-2).
4. More Authority Awarded to the PIPC
Under the Amendment Bill, the PIPC is entitled to: (i) recommend improvements of policies and systems, (ii) inspect whether the recommendations are being implemented properly, (iii) request the submission of materials (Articles 8, 11(1) and 63(4)), and (iv) appoint or commission mediators to the Personal Information Dispute Mediation Committee (Article 40(3) and (4)). Meanwhile, the PIPC is allowed to directly handle matters that are necessary for settling disputes (Article 40(8)).
5. Statutory Basis for PIPL
The Amendment Bill provides a statutory basis for using the Personal Information Protection Level (PIPL) certification system (which was under the control and supervision of the National Information Society Agency) as a legitimate means for determining whether the safeguards and measures taken with regard to personal information processing are in compliance with the PIPA (Article 32-2). The Amendment Bill also provides a statutory basis for marking and advertising the substance of the PIPL certification that is duly obtained (Article 32-2(6)). As such, more entities are expected to utilize the PIPL certification system that was introduced in 2014.
Conclusion – Significance of Advance, Ex-Ante Compliance Checkup
Following the amendments to the Act on Promotion of Information and Communications Network Utilization and Information Protection and to the Credit Information Act in the wake of the Credit Card Company Data Breach, the Amendment Bill represents one of the final steps by Korean legislators to revamp Korea’s privacy-related laws and regulations. The implications of these amendments are far-reaching, as they signify the adoption of legal remedies such as punitive damages and statutory damages, and the implementation of various new regulatory measures across all areas involving the processing of personal information, not just information and communications technology and finance. Apart from the fact that heavier sanctions are imposed on companies for failing to adequately protect the personal information of their employees and customers, many companies will now be forced to revise their everyday practices and policies for handling personal information in order to meet the stricter requirements under the amended laws. As such, companies are now more than ever expected to perform advance inspections of the personal information protection measures they have in place and make any necessary improvements, in addition to utilizing certification systems such as the PIPL.
The Argentinian Data Protection Authority (DPA) beefs up penalties to fight robocalls and unconsented-to video surveillance by enacting Do Not Call and CCTV regulations.
Because robocalls are cheap and efficient, they have become a quite popular form of advertising in Argentina. In order to curb the variety of abuses that can come from robocalling, such as deceptive and abusive marketing, Argentina is adding penalty-driven regulations to its regulatory regime to address the problems presented by robocalls, preserving their beneficial use while still complying with Argentina’s privacy law requirements. Specifically, the February 2015 sanctions regulation addresses the recently adopted national Do Not Call registry that was implemented at the start of this year.
To comply with the Do Not Call regulations, companies need to register and download the database of individuals who do not want to be called. If companies fail to do so, they can be subject to fines for serious breaches of up to USD 12,000. Examples of serious breaches include the processing of personal data without DPA registration or breach of the Do Not Call regulation in marketing campaigns (even if the caller is located abroad). Any international transfer in breach of the Data Protection Act and its regulations would be considered a more serious breach. Indeed, the DPA has already issued 60 enforcement notices based on this new sanctions regulation.
In February, the DPA also enacted a law regulating the use of closed-circuit television (CCTV) cameras for video surveillance in the private and public sphere. The new CCTV regulation requires data controllers to apply, if possible, notice and consent provisions to CCTV-related data processing. It also requires that a conspicuous sign be included for the purpose of informing the data subject of the name and domicile of the data controller, as well as where to exercise the data protection rights. Additionally, CCTV databases must be registered and the personal data collected shall not be used for any purpose incompatible with that which gives rise to their collection. It is important to note that some CCTV processing is exempted from consent, such as public government databases and processing data within private property for private purposes.
These regulations were enacted in an effort to round out and complete Argentina’s privacy legal framework.