New HITECH/HIPAA Proposed Rule Released Today

HHS has just released its proposed rule modifying the HIPAA Privacy, Security, and Enforcement Rules to implement the privacy, security, and certain enforcement provisions of subtitle D of the Health Information Technology for Economic and Clinical Health Act (Title XIII of the American Recovery and Reinvestment Act of 2009).  The advance version of the rule can be accessed here; the official version will be published July 14.  A press release should be available later this morning.

Pursuant to the announcement of the proposed rulemaking on the HHS Privacy website, the proposed modifications to the HIPAA Rules include provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans. In addition, the proposed rule adopts provisions designed to strengthen and expand HIPAA’s enforcement provisions.

Importantly, HHS has stated that the new HIPAA regulations will not be enforced until 180 days after the final rule has become effective. Comments will be due on or about September 13, 2010.

More to come . . . 

Red Flags Rule Enforcement Postponed Again

On May 28, 2010, just shy of the June 1st compliance deadline, the Federal Trade Commission announced that it would again be postponing enforcement of the Red Flags Identity Theft Prevention Rule through December 31, 2010. This delay comes at the request of Congress, which has been considering legislation (which has been referred to the Senate Committee on Banking, Housing, and Urban Affairs) that would affect the scope of entities covered by the Rule. The FTC "urges Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the Rule and obviate the need for further enforcement delays." If Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, the Commission will begin enforcement as of that effective date.

Mexico's Senate Passes Federal Law for Protection of Personal Data

This post was written by Mark S. Melodia, Cynthia O'Donoghue and Anthony S. Traymore

On April 27, 2010, the Mexican Senate passed Ley Federal de Protección de Datos Personales en Posesión de los Particulares (the Federal Law for Protection of Personal Data (FLPPA)). President Felipe Calderon is expected to sign the FLPPA into law soon, and thereafter, the FLPPA will be published and its regulatory provisions enacted. The objective of the FLPPA is to provide regulatory mechanisms for the newly established replacement agency, Instituto Federal de Acceso a la Información y Protección de Datos (the Federal Institute of Information Access and Data Protection (FIIADP)), to enforce the FLPPA in relation to any individual or entity engaging in the collection, storage and/or transfer of personal data, including life sciences and health care clients.

To read the full alert, click here.

Ten Data Security Questions Faced by Every Company

Privacy and data security are hot topics for everyone doing business in today's rapidly developing climate, and no less for those in life science and health-related industries. With new federal statutes, new regulations from HHS and FTC, and new state laws covering private health information, now is a good time for businesses to take stock of the applicable laws and take steps to ensure that their use, transfer, and storage of private data are secure and compliant. In this article, Reed Smith's Paul Bond gives his "Ten Data Security Questions Faced by Every Company," a one-stop survey of how every business should approach these issues.

Another Postponement of FTC's Red Flags Rule

On October 30, 2009, the Federal Trade Commission (FTC) issued a News Release announcing that it is granting industries under the FTC's jurisdiction an additional 7 months (i.e., until June 1, 2010) to develop and implement their identity theft prevention programs as required under the FTC's Identity Theft Red Flags Rule. According to the FTC News Release, this additional extension has been provided at the request of members of Congress. In making this announcement, the FTC attempts to refocus the attention of creditors and financial institutions on the FTC's dedicated Red Flags Rule website, which contains various compliance guidance documents designed to assist affected industries with the development of Identity Theft Protection Programs.

Also on October 30, 2009, the U.S. District Court for the District of Columbia ruled that the FTC may not apply the Red Flags Rule to attorneys. The FTC's News Release acknowledges this ruling, and further cautions that the FTC's additional postponement of Red Flags Rule enforcement remains distinct from whatever timeline may be associated with the aforementioned court proceeding and any possible appeals.

The announcement of the additional extension is available at www.ftc.gov, and our prior posts on the Red Flags Rule are available here.

FTC Further Postpones Identity Theft Red Flags Rule

On July 29, 2009, the Federal Trade Commission (FTC) issued a News Release announcing that it is granting industries under the FTC's jurisdiction an additional 3 months to develop and implement their identity theft prevention programs as required under the FTC's Identity Theft Red Flags Rule. Additionally, the FTC staff will "redouble" its education efforts and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply. By extending the enforcement date of the Rule until November 1, 2009, the FTC intends to give creditors and financial institutions more time to review the forthcoming guidance and to develop and implement written Identity Theft Prevention Programs. The announcement of the extension is also available at www.ftc.gov, and our prior posts on the Red Flags Rule are available here.

Identity Theft Red Flag Rule Further Postponed

This post was written by Carol Loepere.

On April 30, 2009, the Federal Trade Commission (FTC) issued a News Release announcing that it is granting industries under the FTC's jurisdiction an additional 3 months to develop and implement their identity theft prevention programs as required under the FTC's so-called Identity Theft Red Flag Rule. The FTC also stated that some entities, particularly those that are small, non-traditional creditors, would benefit from the availability of a template Red Flags program in developing their programs. The Commission staff intends to publish such a template for low-risk entities shortly. The FTC said that the extension, coupled with the release of the template, should be sufficient to enable low-risk entities to prepare their programs without undue burden. The announcement of the extension is also available at www.ftc.gov.

Health Information Privacy and Incentives, Medicaid Funding, and Other Health Care Provisions in the American Recovery and Reinvestment Act

This post was written by Karl A. Thallner, Jr., Carol C. Loepere, Debra A. McCurdy, Brad M. Rostolsky, Jacqueline B. Penrod, and Amie E. Schaadt.

On February 17, 2009, President Obama signed into law H.R. 1, the American Recovery and Reinvestment Act (the “ARRA”). The sweeping $790 billion economic stimulus package includes a number of health care policy provisions. Reed Smith's Health Care Memorandum summarizes the major health policy provisions of the Act.

Update on FTC's Identity Theft Red Flag Regulations: Address Discrepancy Rule and Identity Theft Prevention Rule as They Apply to Health Care Providers

This Client Alert, written by Debra L. Hutchings, Paul J. Bond and Carol C. Loepere, updates information received from the Federal Trade Commission (“FTC”) concerning application of its Address Discrepancy and Red Flag rules aimed at combating identity theft as they apply to health care providers and suppliers. As reported previously, these rules, collectively known as the Red Flag Regulations, 16 C.F.R. § 681.1 et seq. (“Red Flag Regulations”), apply to users of consumer reports and “creditors,” which may include many participants in the health care industry.

Past posts on this subject describe the FTC's decision to delay enforcement of a portion of the regulations and our initial discussion of the implications of the FTC's Red Flag Regulations for health care providers.

HIPAA Preemption

In "Ex Parte Talks Allowed Under Georgia Law For Counsel, Doctors Preempted by HIPAA" (password required), the United States Law Week discusses in detail Moreland v. Austin, Georgia Sup. Ct. No. S08G0498, a November 3, 2008 decision holding that defense attorneys who wish to engage in ex parte communications with plaintiffs' treating physicians must comply with HIPAA privacy rules. Since HIPAA affords more patient privacy than a Georgia law that permitted ex parte contact once a plaintiff put his or her medical condition at issue, the Georgia law was preempted.

Preemption giveth, and preemption taketh away.

A Baby Step Toward Reasonable Class Action Fees?

On Monday, the District Court of Massachusetts issued a notable attorney's fee award decision in a class action arising from a data privacy breach, In re TJX Companies Retail Securities Litig. Along with a class settlement, class counsel urged the court to approve a $6.5 million attorney's-fees award, arguing that hundreds of millions of dollars in potential value had been created for the class. However, the payout depended entirely on class members making claims, and claims for only a small fraction of the supposed potential - $6 million - were made. The court quite reasonably rejected class counsel's suggestion that the potential (but unrealized) claims supported the requested fees. That said, the court still approved the fee request pursuant to the lodestar method ($3.3m in lodestar * 1.97 multiplier = $6.5m).

The court finished with a cautionary note, which is where the baby step comes in: "In the future . . . Plaintiff's counsel can expect that this court, when confronted with reversionary common fund or claims-made settlements, will award attorney's fees by reference to the value of benefits actually put in the hands of class members." (emphasis in original). In reality, however, it would have been entirely reasonable for the court to use this standard for attorney's fees now, without waiting for the next time.

UPDATE: Drug and Device Law also has a November 11, 2008 post about this TJX case.

California's New HIPAA-Like Requirements Impose New Data Privacy & Security Duties - and Create New Potential Liabilities

Data breaches can occur in any industry, but those that involve medical information create unique problems. Starting January 1, they also will carry unique penalties, at least in California. The new California laws are Senate Bill 541 (SB 541) and Assembly Bill 211 (AB 211).

Health care providers clearly need to take heed of the laws' directives that they take additional affirmative steps to prevent “unauthorized access” to patient information. But AB 211 is particularly broad in scope, covering “any person or entity” that “negligently discloses” or “knowingly or willfully obtains, discloses, or uses medical information,” which means other players in the life sciences industry probably should take note as well. A full discussion of SB 541 and AB 211, written by Janet H. Kwuon and Rachel A. Rubin, is here.

FTC Grants Six-Month Delay on Enforcement of the "Red Flag Rules"

This post was written by Carol C. Loepere.

Today, the Federal Trade Commission (FTC) issued a press release to announce that it will suspend enforcement of the new “Red Flag Rules” until May 1, 2009, to give "creditors" and financial institutions additional time in which to develop and implement written identity-theft prevention programs. Reed Smith has worked on behalf of the American Health Care Association (AHCA) to question the applicability of the rules to health care providers, and to request a delay in the effective date of the rule. For more on the possible application of the FTC's Red Flag Rules to health care providers, see our prior post.

FTC's Identity Theft Red Flag Regulations: Implications for Health Care Providers

This post was written by Debra L. Hutchings, Paul J. Bond, and Carol C. Loepere.

In November 2007, the Federal Trade Commission (“FTC”) issued sweeping regulations aimed at deterring, detecting and preventing identity theft. Under these rules, known as the Red Flag Regulations, 16 C.F.R. § 681.1 et seq. and Final Rule (“Red Flag Regulations”), financial institutions and creditors of covered accounts must establish a program to detect, prevent and mitigate identity theft. While somewhat unclear and perhaps counterintuitive, the breadth of the Red Flag Regulations and the FTC’s current interpretation indicate that these rules apply to many participants in the health care industry. The rules become effective November 1, 2008.

The Red Flag Regulations have three parts, two of which pertain to the health care industry. The first part applies to anyone who uses “consumer reports” for employment, insurance or credit purposes. The second part places obligations on “creditors and financial institutions” to detect, prevent and mitigate identity theft in relation to accounts covered under the Red Flag Regulations. This Client Alert addresses each part in turn.