Consumer Privacy:

Modifications to FCC Telemarketing Rules

and HIPAA Data Protection Regulations

Nancy L. Perkins

Arnold & Porter LLP

American Conference Institute

January 16, 2014

Overview

• Revised provisions of the Telemarketing Rules of the

Federal Communications Commission (“FCC”) -- took

effect in October 2013

New restrictions on “robocalls”

• Revised provisions of the privacy, security, enforcement

and data breach notification rules of the Department of

Health and Human Services (“HHS”) under the Health

Insurance Portability and Accountability Act (“HIPAA”) --

took effect in March 2013

expanded HHS jurisdiction over certain entities

changed security breach notification standard

2

New FCC “Robocall” Rules

3

Purpose of FCC Modifications

• Respond to consumer complaints about unwanted

autodialed and prerecorded telemarketing calls

Applies to calls to wireless numbers and residential landline

numbers

• Align the FCC’s rules with the Telemarketing Sales Rule

(“TSR”) of the Federal Trade Commission (“FTC”)

FTC’s rule also addresses robocalls

4

FTC v. FCC Jurisdiction

• FTC lacks jurisdiction over certain entities, including:

banks, credit unions, and savings & loan institutions

companies engaged in the business of insurance

common carriers

airlines

nonprofit organizations

• FCC, however, has jurisdiction over all these entities as

well as those regulated also by the FTC

5

FCC v. FTC Rules

• FTC TSR: prohibits telemarketing calls that deliver

prerecorded messages without prior express consent

FTC Regulations Implement the Telemarketing and Consumer

Fraud and Abuse Prevention Act, 15 U.S.C. §§ 6101-6108.

• FCC: TCPA - prohibits the use of an Automatic

Telephone Dialing System (“ATDS”) to make phone calls

or send text messages without prior express consent.

Telephone Consumer Protection Act, 47 U.S.C. § 227.

6

Two Major Changes to FCC Rules Went into Effect

October 16:

• Elimination of “established business relationship”

exception. A prior relationship is no longer an exception

to the consent requirements for prerecorded

telemarketing calls to either wireless or residential

landline phone numbers.

• Prior express consent. - Written consent is now required

for such telemarketing calls.

7

No “Established Business Relationship” Exception

• Formerly, robocalls to residential landlines were permissible if

there was an “established business relationship” – defined as:

“a prior or existing relationship formed by a voluntary two-way

communication between a person or entity and a business or residential

subscriber with or without an exchange of consideration, on the basis of

an inquiry, application, purchase or transaction by the business or

residential subscriber regarding products or services offered by such

person or entity, which relationship has not been previously terminated

by either party.”

• Now, such a relationship does not relieve the caller of the

requirement to obtain prior express written consent.

8

Prior Express Written Consent

• A signed written agreement clearly authorizing

autodialed or prerecorded calls to a wireless number or a

prerecorded calls to a residential landline.

• No "grandfathering" of consents obtained under the

FCC's prior rules.

• BUT: Electronic signatures qualify as “written” consent,

including in the form of:

E-mail

Text message

Telephone keypress

Voice recording

9

Elements of Express Consent

• Each written consent must expressly:

Bear the signature (hard copy or electronic) of the person

providing consent;

Specify the telephone number to which the person is

consenting to be called;

Clearly authorize calling the person using an ATDS or

prerecorded message for telemarketing purposes; and

Acknowledge that provision of the consent is not a

condition of purchasing goods or services.

Note: FTC TSR simply says that a seller may not require

consent as a condition of purchasing goods or services

10

What Is an ATDS Call?

• The term “automatic telephone dialing system” is defined

as equipment that has the capacity –

to store or produce telephone numbers to be called, using

a random or sequential number generator; and

to dial such numbers

• Thus, courts have held that even where a plaintiff could

not prove that the defendant used an ATDS to make allegedly

illegal telemarketing calls, it may be liable if the system it used

had the capacity to make the automated call.

11

Informational Calls vs. Telemarketing Calls

• Purely informational calls may be made to residential lines

without prior written express consent.

• No autodialed or prerecorded calls, even purely

informational calls, may be made without prior express

consent to wireless lines

• “Telemarketing” is broadly defined as:

“the initiation of a telephone call or message for the

purpose of encouraging the purchase or rental of, or

investment in, property, goods, or services, which is

transmitted to any person.”

12

Examples of Informational Calls

• debt collection calls

• airline notification calls

• bank account fraud alerts

• school and university notifications

• research or survey calls

• and wireless usage notifications

• travel itinerary changes

• fraud alerts

• payment reminders

• flight status notifications

• utility outage notifications

• appointment reminders.

13

Liability & Enforcement

• FCC enforcement actions

• Private right of action

• State laws are not preempted

• $500 per violation. Penalty can be increased to $1500

per violation by courts for willful or knowing violations.

• TCPA violations carry significant risk and TCPA litigation is

on the rise.

14

FTC and FCC Cooperation

• In 2003, the FCC and the FTC entered into a

Memorandum of Understanding, in which they agreed to

joint enforcement:

“The FCC and the FTC will work together in a cooperative and

coordinated fashion to implement consistent, comprehensive,

efficient, and non-redundant enforcement of federal telemarketing

statutes and rules.”

"The agencies will endeavor to avoid unnecessarily duplicative

enforcement actions.”

“The agencies will engage in joint enforcement actions, when

necessary, appropriate and consistent with their respective

jurisdictions.”

15

2013 Modifications to HIPAA Rules on

Business Associates and Data

Security Breaches

16

New Rules on Business Associates and

Security Breach Notifications

• The January 2013 final rule implementing the Heath

Insurance Portability Act (“HIPAA”) and the Health

Information Technology for Economic and Clinical Health

(“HITECH”) Act made key changes to:

The definition of “business associate”

The trigger for notifications of data security breaches

• What is the significance of these changes and what new

risks do they pose?

• How can those risks be mitigated?

17

Business Associates: Key Issues

• Who is now a business associate (“BA”) and who is not?

• When is a data transmitter a “conduit” and not a BA?

• When is a BA an agent, and why does that matter?

• What is newly required in a business associate

agreement (“BAA”)?

• Must existing BAAs be revised and if so, when?

18

Business Associates:

Who Are They Now?

19

Business Associate Definition

• A person who, for or on behalf of a covered entity (but not

as a member of the covered entity’s workforce), creates,

receives, maintains, or transmits protected health information

(“PHI”) to perform:

a healthcare-related function or activity, or

legal, actuarial, accounting, consulting, data aggregation, management,

administrative, accreditation, or financial services

20

New Additions to “Business Associate” Definition

• Patient Safety Organizations

• Health information exchange organizations

• E-prescribing gateways

• Vendors of personal health records

• Subcontractors

Each subcontractor of a BA is now itself a BA

Direct HIPAA liability for all BAs and BA subcontractors

HIPAA penalties applicable even to a sub-sub-sub-

contractor

21

Business Associates versus Conduits

• An entity that transmits PHI for a covered entity may be either

a BA or a mere “conduit”

• It is a BA if it requires access to the PHI on a “routine” basis

• It is a conduit if it has access to PHI only incidentally on a

random or infrequent basis

• Distinction is fact-specific, depends on:

nature of the services provided

extent to which the entity needs access to PHI to perform the service for

the covered entity

22

Ambiguities of Conduit Definition

• Conduit example: telecommunications company, even though

it has access to PHI when it reviews whether the data

transmitted over its network, because the access is random

and infrequent

• BUT: a “cloud” data storage entity, because it maintains PHI

on behalf of a covered entity, is a BA (not a mere conduit),

even if it does not actually view the PHI

• In both situations, the entity providing the service has the

opportunity to access PHI -- the difference between the two

situations is the transient versus persistent nature of that

opportunity

23

How to Help Determine if You Are a BA

• Key questions:

Are you acting on behalf of any HIPAA covered entity?

Do your activities fit within the BA definition?

• Insufficient questions:

Has any of my business partners asked me to enter into a HIPAA BAA?

Is there a BAA between any of my business partners and a covered entity?

Do I need access to PHI to perform my job?

24

Example: Researchers (context 1)

• Medical researchers generally need PHI to perform clinical or other

investigatory research, and

• Researchers frequently enter into agreements with covered entities

to obtain PHI

BUT:

• Research is not among the types of services listed in the “business

associate” definition

• BAAs with researchers do NOT permit covered entities to disclose

PHI for research without an individual’s written authorization

25

Example: Researchers (context 2)

• Researchers often need PHI to identify potential research subjects for human clinical trials

• A covered entity may not, without obtaining individual authorizations, share PHI with researchers for purposes of contacting potential research subjects

BUT:

• Covered entities, as part of their health care operations activities, may use PHI to contact individuals to obtain authorizations for disclosure of their PHI to others, including researchers

• A covered entity may enter into a BAA a with researcher, so the researcher, acting as a BA, can contact individuals to obtain their authorizations for disclosure and/or use of their PHI for the intended research

26

Example: Document Storage Company

• A document storage company has numerous customers, including accountants and lawyers

• Among the documents stored by the company are some containing PHI, to which the company has ready access

• None of the company’s customers has suggested the need for a BAA

NEVERTHELESS:

• The company should ask its customers whether the documents being stored contain PHI, and if the customers obtained the PHI from any covered entities

• NOTE: The company may be a sub-BA even if there are no BAAs between its customers and covered entities, if there are BA relationships

27

BAs as “Agents”

• BAs may be “agents” of a covered entity (or of another

BA of whom they are a sub-BA)

Common law rules determine when an independent

entity/contractor is an “agent”

Generally, common law defines an “agent” as a

person acting on another’s behalf, i.e., as a

representative of another -- but there are nuances

28

Indicia of Agency Relationship

• Right or authority of an entity to control conduct of another in the course of the other’s performance of a function or service on behalf of the entity

• Key questions in the BA context:

Can the covered entity direct the specific actions of the BA after the relationship is established?

Or does the BA have autonomy to decide how to perform its service for the covered entity?

• Every circumstance must be examined on its facts

• Labels or titles of entities or of their relationship are not determinative

29

Nuances of Agency Determinations

• A BA can be an agent of a covered entity even if:

The covered entity cannot control all aspects of the

BA’s activities

The covered entity does not actually exercise its

authority to control the BA’s activities

The covered entity is not physically close to the BA for

oversight purposes

30

Significance: Liability for Conduct of Agents

• Liability for an agent’s conduct is imputed to the principal, but:

• A covered entity is not liable for acts/omissions of its agent-BA if the covered entity acted with reasonable diligence, i.e., it:

did not know about the act/omission, and

could not, by exercising reasonable diligence, have known about the act/omission

• A covered entity is liable for acts/omissions of its agent-BA if the covered entity acted with willful neglect, i.e., it :

had actual or constructive knowledge of the act/omission, or

acted with “reckless indifference” with respect to the agent’s acts/omissions

31

Example: Imputed Knowledge of Data Security

Breach

32

Business

Associate

Is Not

Covered Entity’s Agent

Knowledge of a breach will be imputed to the

covered entity as of the date of notification of the

covered entity by its business associate

Business

Associate

Is

Covered Entity’s Agent

Knowledge of a breach will be imputed to the

covered entity as of the date of discovery of the breach by

the business associate

Business Associate

Agreements

33

BAA Requirements and Significance

• Business Associate Agreements are required:

Between a covered entity and each of its BAs

Between a business associate and each of its subcontractor BAs (“sub-BAs”)

• But: being a business associate does not depend on entering into a BAA

• Business associates are liable for violations of the HIPAA rules even if no BAA is in place

34

Timing for BAA Compliance

• New BAAs: Any BAA executed after January 25, 2013

must be in compliance by September 23, 2013.

• Transition Rule for “Grandfathered” BAAs:

If a written BAA was in place before January 25, 2013, and

The BAA is in compliance with the HIPAA Rules then in effect,

and

The BAA was not and will not be modified between March 26,

2013 and September 23, 2013, then:

The BAA will be deemed compliant until earlier of (1) the date it

is renewed or modified or (2) September 22, 2014.

35

Newly Required Content of BAAs

• Each BAA must now include:

Statement that BA must comply with the HIPAA Security Rule

Requirement for BA to report to the covered entity any breaches of the

security of unsecured PHI

Mandate for BA to execute formal, written BAAs with each subcontractor

(each of which is now itself a BA)

Requirement for BA to provide access to electronic PHI in electronic form,

as requested by an individual

Statement that any fulfillment by the BA of the covered entity’s

responsibilities under the HIPAA Rules (such as delivering privacy notices or

breach notifications) must be in compliance with the Rules as they apply to

the covered entity

36

Content to Consider for BAAs

• Timing for performance of obligations

Provision of access to PHI

Amendment of PHI

Reporting of breaches of security

• Use of subcontractors

Qualification for subcontractors (e.g., cloud data storage providers)

Timing for security breach notification from subcontractors

• Disclaimer of Agency Relationship or Third-Party Beneficiary Rights

• Specificity of BA obligations so BA is not deemed subject to interim direction by covered entity (as would be an agent)

37

Data Security Breach

Notifications

38

New Standard for Breach Notification

39

Interim Final Rule: Risk of

Individual Harm

Final Rule: Presumption of Need to Notify

Prior Notification Trigger

• Under the Interim Rule, breach notification was required

when:

PHI was acquired, accessed, used or disclosed in a manner not

permitted by the Privacy Rule that

compromised the security or privacy of the protected health

information, and

• The unauthorized acquisition, access, use or disclosure

would reasonably be deemed to pose a significant risk of

financial, reputational, or other harm to the individual

40

New Notification Trigger

• The Final Rule eliminates the harm standard

• Now, there is a presumption that a breach has occurred

unless:

The covered entity can demonstrate, through a

documented risk assessment, that:

there is a low probability that the PHI has been

compromised

41

Risk Assessment

• Unless covered entities simply prefer to notify affected individuals, they must conduct a risk assessment of any known or suspected breach

• A risk assessment must evaluate all of the following factors in determining whether notification is required:

1. The nature and extent of the PHI involved

2. The type of unauthorized person in receipt of the PHI as a result of the breach

3. Whether the PHI was actually “acquired or viewed”

4. The extent to which the risk to the PHI has been mitigated

• Other factors may also be considered

42

Risk Assessment Questions (Part 1)

43

• What type and amount of PHI was subject to

disclosure? For example:

Was it just a list of a dentists’ charges to a particular

medical account number?

Or was it a record of an abortion or a prescription for

AIDS medication?

Risk Assessment Questions (Part 2)

44

• Who impermissibly used or accessed the PHI?

• Do the HIPAA Privacy and Security Rules, or any similar

statutory or regulatory protections for data privacy, apply

to the unauthorized recipient?

If so, there may be a lower probability that the protected

health information has been compromised, since the

recipient is required to keep the information confidential

and protect its security.

Risk Assessment Questions (Part 3)

45

• Was the PHI returned before there was an opportunity

for it to be actually acquired or viewed?

For example if the PHI was in a file stored on a laptop computer

that was lost or stolen but then recovered, and a forensic

analysis shows that file was not opened or transferred, the

probability of compromise of the PHI is low.

In contrast, if a fax containing PHI went to the wrong patient,

there would be a higher probability of misuse.

Risk Assessment Questions (Part 4)

46

• Were steps taken to mitigate risk of harm, such as

obtaining satisfactory assurances from the unauthorized

recipient of PHI that the PHI will not be retained or

further used or disclosed?

• If a written confidentiality agreement is obtained that

provides commitments to that effect, it may be

reasonable to conclude that there is a low probability that

the PHI was compromised.

Security Breach Response Plan

47

• Do you have a security breach response plan in place?

Require reporting of any known of suspected security breach

Train employees and agents on reporting obligations

Identify individuals to head up breach investigations

Ensure investigations will identify key criteria for breach

notification

• Are you ready to provide timely notifications of a breach?

Inventory your contact information for patients

Obtain permission to notify them by e-mail

Prepare standard breach notification letters

For Further Information, Contact:

Nancy L. Perkins

Arnold & Porter LLP

Nancy.Perkins@aporter.com

202.942.5065

48