
Reasonable Expectation Legal Blog Focusing On Privacy and Data Security Issues


Obama’s new cybersecurity plan a good start

I recently authored an article for the Daily Journal on the new cybersecurity framework.  You can read about it by visiting the Daily Journal.




HIPAA and Emerging Technologies

Originally Authored by M. Scott Koller and Marcia L. Augsburger and published by the American Health Lawyers Association, HIPAA and Emerging Technologies, 14 HIT News 3, 6 (November 2011).

The Health Insurance Portability and Privacy Act of 1996 (HIPAA) is 15 years old this year – still acting a bit like an uncertain, wide-eyed teenager responding to new developments. Although more mature, clarified by regulations, and supplemented by the HITECH Act, at its core HIPAA has remained relatively unchanged since its enactment. Societal changes implicating HIPAA, however, have been significant. Over the past five years alone, we saw the rise of Facebook, the domination of Google, and the introduction of powerful personal electronic devices such as Apple’s iPhone and iPad. In addition, technologies such as cloud computing, wireless communication, and telemedicine have reached a level of reliability and affordability that has allowed healthcare providers to expand their reach and services. With every emerging technology, the specter of HIPAA compliance remains a key concern, while its application becomes more murky.

Read the full article here: HIPAA and Emerging Technologies Article




Flood of Class Actions Follow Supreme Court Decision in Pineda

Last month, the International Association of Privacy Professionals published my article discussing Pineda v. Williams-Sonoma, where the California Supreme Court determined that ZIP codes are considered personally identifying information.  You can read the full text of that article here.  In the wake of that decision, a flood of class actions has been filed against various retailers throughout California.  IAPP Staff Reporter Angelique Carson wrote this follow-up piece discussing these developments.

Retroactive zip code ruling incites flurry of class-actions

By Angelique Carson

In the month’s time since the California Supreme Court decided that zip codes are personal information, 106 class-action lawsuits have been filed. That’s because the court asserted that the ruling, which reversed a 2008 Court of Appeals decision, would apply retroactively.

As attorney M. Scott Koller, CIPP, of McKennon Schindler wrote in the Privacy Advisor, the decision in Pineda v. Williams-Sonoma followed a class-action lawsuit filed by Jessica Pineda.

“In 2008, Pineda visited a Williams-Sonoma store in California and was asked to provide her zip code but was not informed of the purpose for which the data was collected. Later, Williams-Sonoma used the information Pineda provided to conduct a ‘reverse’ lookup and was able to determine Pineda’s mailing address by matching her zip code and name in a third-party database.  Williams-Sonoma later stored the information in their own database for direct marketing purposes,” Koller wrote.

Pineda’s suit alleged that such action violates California’s Song-Beverly Credit Card Act of 1971, which states that retailers may not collect and store personally identifiable information from cardholders in credit card transactions.

Williams-Sonoma requested that the court’s interpretation of the act apply only prospectively, as the company was operating under the provisions of the law at the time. But in its 7-0 ruling, the presiding justices wrote, “We are not persuaded. In our view, the statute provides constitutionally adequate notice of proscribed conduct,” adding that the court could identify “no reason that would justify a departure from the usual rule of retrospective application.”

Koller says given the court’s opinion, the flurry of class actions is not surprising.

“The court said, ‘look, if you’d read the statute you’d have known that zip codes are personally identifying information,’ so that was pretty much a signal to the plaintiff’s bar and class-action firms out there that it was going to be open season,” Koller said.

Linda Woolley of the Direct Marketing Association (DMA) called the court’s decision and its retroactive liability provision “very troubling.” The DMA, which represents more than 3,400 companies in the U.S. and 48 other nations, disagrees with the court that a zip code is personal information.

“A zip code is pretty benign,” she said. “It doesn’t identify somebody individually. You don’t need a zip code to mail a letter.”

Woolley said the DMA has received “unbelievable amounts of feedback” from its members well outside of California’s borders.

“This has great implications for what marketers do in terms of data collection,” she said.

David McDowell, a partner at Morrison Foerster, said the court’s decision to apply the ruling retrospectively is an example of the court “not being particularly in touch with the reality of what their decision is going to mean,” resulting in the multitude of class-action suits filed within the last month.

McDowell said the Song-Beverly Act was passed in order to protect consumers from dumpster-diving criminals aiming for carbon copies of credit card slips, which often contained personally identifiable information--such as phone numbers, for example--in addition to the customer’s credit card number.

Twenty years later, fraud protection was built into credit card transactions involving providing personal information; to protect consumers against fraud, gas pumps and retailers, among others, began prompting customers for zip codes.

“The world changed pretty dramatically in those 20 years,” McDowell said.

Martin Abrams, executive director of the Center for Information Policy Leadership at Hunton & Williams, says defining what constitutes personal information is the wrong approach.

There is no such thing as personal information vs. non-personal information anymore, not in a highly connected online world, Abrams said. Rather, there is information that is easily linkable to the individual, like a name and address together, or information that requires more work to link, like a zip code, Abrams said.

“The answer to this question is not to figure out what is technologically easy to link, because technology will increasingly make things easy to link,” Abrams said. “It’s about taking a different road based on a policy perspective. What do we promise never to link, and what are the sanctions around those promises?”

Ellen Giblin, CIPP, CIPP/C, CIPP/G, an attorney at Littler Mendelson, P.C., said she believes the court’s decision doesn’t extend beyond what’s reasonable in that it simply narrowly defines what constitutes an address. In the future, information collected by the retailer for authentication purposes should be “separate and distinct” to the customer from information collected for marketing purposes.

The Pineda v. Williams-Sonoma case illustrates a growing tension in the U.S., Abrams said, between a freedom to observe and make sense of what we observe—the hallmark of commercial data usage since credit reporting files were first computerized in the late 1960s—and a sense of seclusion that is highly valued in America but is diminishing.

It will be interesting to see what happens next, said Koller, who predicts that courts will likely take the suits’ retroactive nature into account when it comes to establishing compensation.

“I think we’re going to see some limitation in terms of the amount of damages on some of these companies,” he said, adding that the companies were relying on a Party City Corp. v. Superior Court decision in 2008, which said that a zip code does not constitute personally identifiable information.

Morrison and Foerster partner D. Reed Freeman, CIPP, said the number of class-action lawsuits indicates a sea change in the U.S.

“These cases leave corporate America with little doubt that the era of the privacy class action, which was largely dormant for the last decade, is back in full force.”

IAPP - California Supreme Court rules that ZIP codes are personal identification information by M. Scott Koller
IAPP - Retroactive zip code ruling incites flurry of class-actions


California Supreme Court Rules That Zip Codes Are Personal Identification Information

Retail stores across California routinely ask customers to provide a ZIP code when making a purchase.  This practice may now be prohibited following the California Supreme Court decision in Pineda v. Williams-Sonoma, __ Cal. 4th__ (February 10, 2011), holding that ZIP codes are “personal identification information” for the purposes of the Song-Beverly Credit Card Act.

In 2008, Jessica Pineda visited a Williams-Sonoma store in California.  While she was making her purchase, the cashier asked for her ZIP code, but did not tell her what the information would be used for.  Thinking the information was necessary to complete the transaction, Pineda provided it.  Later, using specialized computer software, Williams-Sonoma conducted a “reverse lookup” and was able to determine Pineda’s previously unknown mailing address by matching her name and ZIP code in a third-party database.  This information was then stored in Williams-Sonoma’s own database for use in direct-mail marketing campaigns.  Pineda learned of this and filed a class-action lawsuit, alleging that the store's conduct violated the Song-Beverly Credit Card Act (“Credit Card Act”) and Business and Professions Code section 17200 et seq.

California's Credit Card Act prohibits retailers from asking customers for their personal identification information and recording it during credit card transactions.  Specifically, section 1747.08(a) provides that no firm shall “[r]equest, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the . . . firm . . . accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise.”

Personal identification information is defined in subsection (b) as “information concerning the cardholder . . . including, but not limited to, the cardholder's address and telephone number.”  However, prior to the court’s recent decision, an individual’s ZIP code was not considered to be personal identification information.  In fact, the opposite was true.  As recently as 2008, the California 4th District Court of Appeals addressed this specific issue in Party City Corp. v. Superior Court, 169 Cal.App.4th 497 (2008), where it held that ZIP codes were too general to be covered by the Credit Card Act because they pertain to a group of individuals, not a specific individual.

In Pineda, the Supreme Court construed the definition of “personal identification information” broadly to include any information concerning the cardholder.  The Court reasoned that since a cardholder’s ZIP code refers to the area where a cardholder lives or works, it would qualify as information that pertains to the cardholder.  In addition, since a ZIP code is part of the address, the statute “should be construed as encompassing not only a complete address, but also its components.”  Further, in reversing Party City, the Court rejected the argument that a ZIP code should not be protected because it does not pertain to a specific individual.  An address or phone number, both of which are explicitly defined as personal identification information by section 1747.08, might also pertain to individuals other than the cardholder.  Therefore, the fact that a ZIP code could pertain to multiple individuals did not render it exempt from the Credit Card Act.

The Court found further support in “the legislative history of the Credit Card Act in general, and section 1747.08 in particular, [which] demonstrates the Legislature intended to provide robust consumer protections by prohibiting retailers from soliciting and recording information about the cardholder that is unnecessary to the credit card transaction.”  Here, the ZIP codes at issue were not collected for identification purposes, nor were they necessary in order to complete the credit card transaction.  Instead, Williams-Sonoma collected the ZIP codes specifically for marketing purposes.  The difference is key.  Had Williams-Sonoma collected ZIP codes for identification purposes, it would have been governed by Civil Code section 1747.08(d).  This statute allows a business to require reasonable forms of identification from a cardholder, such as a driver’s license, but it may not record any of the information on that license, including the cardholder's ZIP code.  It would be inconsistent with the intent of the Legislature to allow in subdivision (a) what would be explicitly forbidden in subdivision (d) - namely the requesting and recording of a ZIP code.  The logical conclusion, the court held, is that the term “personal identification information” as used in section 1747.08 includes a cardholder's ZIP code.

Within California, the effect of this ruling is significant.  Retail stores routinely ask customers for their ZIP code for both marketing and regional sales forecasting.  The potential effect is compounded by the fact that in 2008, this practice was considered exempt from the Credit Card Act by the court’s holding in Party City. Seemingly overnight, actions that were previously authorized could now subject retail stores to statutory penalties up to $250 for the first violation and $1,000 for each subsequent violation.  Further, as privacy expert and CIPP Tanya Forsheit pointed out, “it is not clear how collection of zip codes, while perhaps unnecessary to credit card transactions, is of any potential harm to the consumer.  And that, as the Court notes, is the point of the statute - consumer protection.”  Outside of California, it is unclear what impact this case will have.  The Credit Card Act was modeled after a similar New York statute passed in 1990 and several other states have similar laws but none of those prohibit the collection of ZIP codes.  At a minimum, California retailers should take a close look at their information collection practices and consider updating those policies in light of this decision.

The Supreme Court opinion is available here:  Pineda v. Williams-Sonoma, __ Cal. 4th__ (February 10, 2011).

M. Scott Koller is an attorney with McKennon Schindler LLP in its Newport Beach office in California.  His practice specializes in civil litigation involving privacy, data security, and intellectual property.


Stored Email Protected by the 4th Amendment

The very first email message was sent in 1971 by a computer engineer named Ray Tomlinson.  It was just a simple test message sent between two computers sitting next to each other on a desk.  At the time, Tomlinson had no idea of the ultimate ramifications of this invention.

Today, email has revolutionized the way we communicate.  With an estimated 250 billion messages sent every day, email is used by individuals and corporations alike to both conduct business and share information across the internet.  From bank statements to greeting cards, information that was once sent via the U.S. Postal Service is now sent by email.  Although it has not completely replaced either the telephone or the U.S. Postal Service, email has become the de facto standard for daily communication for millions of Americans.  Until recently, however, email enjoyed far less privacy protection than either.

The Fourth Amendment to the Constitution provides that “[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause....”  The purpose of this amendment is to protect against unreasonable searches and seizures where there is a reasonable expectation of privacy.  As a result, this protection requires the government to obtain a warrant before searching your home or recording your telephone conversations.  At issue in United States v. Warshak, --- F.3d ----, 2010 WL 5071766 (6th Cir. 2010), was whether that same protection should be extended to email.

Steven Warshak owned and operated a company called Berkeley Premium Nutraceuticals, Inc., whose activities drew the attention of the U.S. Government due to allegations of money laundering and wire fraud.  As with many businesses, email played a vital role in the day-to-day operations of the company.  During its investigation, the U.S. Government directed Berkeley’s internet service provider (“ISP”) to preserve the contents of any email sent to or from Warshak’s email account.  This request was made pursuant to the Stored Communications Act, 18 U.S.C. §§ 2701-2712 (“SCA”).  Passed in 1986, the SCA governs the compelled disclosure of “stored wire and electronic communications and transactional records.”  In certain situations, the SCA allows the government to obtain email without a warrant.  That is precisely what happened in Warshak.  For almost two years, Warshak had no idea that his ISP was storing copies of his email for the U.S. Government.  Eventually, the government obtained approximately 27,000 emails, many of which could be considered highly incriminating.  Warshak challenged the government’s action on the grounds that without a warrant, it amounted to an unlawful search and seizure.

On appeal, the Sixth Circuit sided with Warshak and subsequently extended the Fourth Amendment to include electronic mail.  The court reached this conclusion by building on the Supreme Court case of Katz v. United States, 389 U.S. 347 (1967), which found that wiretapping telephone calls implicated the Fourth Amendment due to “the vital role the public telephone has come to play in private communication.”  As with the telephone, the court reasoned, email is an indispensable part of the Information Age.  People use email to communicate with children, with spouses, or with employers.  Confidential information is shared via email with doctors, lawyers and various financial institutions.  When you consider the full range of information shared and the level of detail available, email has the potential to be more intrusive than a phone call could ever be.

As reasonable as this conclusion may sound, the court still had to overcome several key objections.  The government argued that there was no reasonable expectation of privacy because the ISP’s terms of service specifically allowed it to access user emails for certain purposes.  Further, since the user disclosed the content of his email to a third party, in this case the ISP, he could not reasonably expect the conversation to be private.  However, the court wisely rejected both of these arguments.  Instead, the court described an ISP as the functional equivalent of a post office or telephone company.  Just as the telephone company has the ability to listen in on telephone calls, ISPs also have the ability to access a user’s email.  Similarly, a physical letter must be entrusted to the post office for delivery in the same way an email is entrusted to an ISP.  That entrustment is necessary for the communication to be possible and therefore does not divest the communication of its Fourth Amendment protection.  Given the similarities between email and traditional forms of communication, the court held that “it would defy common sense to afford emails lesser Fourth Amendment protection.”

Interestingly, the court declined to rule that the terms of service would never be sufficient to eliminate the reasonable expectation of privacy in emails.  It is possible that an ISP’s intent to audit, inspect or monitor a subscriber’s email could remove the protection granted under the Fourth Amendment.  Some email providers, such as Google’s popular Gmail service, scan the content of email for the purposes of delivering targeted ads and web links.  Google maintains that this process is completely automated and that no “human” reads a user’s email.  The question remains whether this level of third-party disclosure is sufficient to negate protections of the Fourth Amendment.

For now, this decision is a big win for privacy advocates who have sought greater privacy protection for email communication. One additional holding that should not be overlooked is that the SCA was ruled unconstitutional to the extent that it allows the government to obtain emails without a warrant.  The SCA has long been considered outdated, not only because of the antiquated way in which it distinguished between online service providers but also because it was enacted before much of the internet’s potential was realized or even understood.  It should come as no surprise that a few days after this opinion was released, the Obama administration called for the creation of a “Privacy Policy Office” to work with the Federal Trade Commission and other agencies to assess privacy protections.  Hopefully, this decision will pave the way for Congress to reform the SCA to reflect the changing technological landscape.

M. Scott Koller is an associate of McKennon | Schindler in its Newport Beach office.  His practice specializes in civil litigation involving privacy, data security, ERISA, and insurance.  See www.californiainsurancelitigation.com for the firm's blog.


New DMCA Exemption Allows Jailbreaking of iPhones

The Thursday August 5, 2010 edition of the Los Angeles Daily Journal featured my article entitled “Cell Phone Users Catch a Break,” in the Perspective column. It discusses the U.S. Copyright Office's recent announcement regarding its decision to exempt wireless telephone handsets from the anti-circumvention provision under the Digital Millennium Copyright Act. The article is posted below with permission of Daily Journal Corp. (2010).

Cell Phone Users Catch a Break


Identity of Anti-Gay Marriage Supporters May Be “Out”-ed by Supreme Court Ruling

Upon entering or leaving my neighborhood grocery store, I am usually confronted by either children selling cookies or individuals seeking my signature or vote on a variety of political causes.  Even though I am more likely to purchase a box of cookies than I am to sign a political petition, I have never considered the privacy implications of signing a petition, until now.

In Doe v. Reed, __ U.S. __ (Decided June 24, 2010), the Supreme Court addressed the narrow question of whether disclosure of referendum petitions would violate the First Amendment.  The facts are fairly straightforward.  In May of 2009, the State of Washington enacted a bill that would expand the rights and responsibilities of domestic partners, including same-sex domestic partners.   This bill, known as Senate Bill 5688, was drafted by the legislature and signed into law by Washington’s Governor Christine Gregoire.

Seeking to repeal the bill, a group by the name of Protect Marriage Washington started collecting signatures in order to place a referendum on the ballot that would give the voters the opportunity to vote on the bill.  Protect Marriage collected the required signatures and the referendum was placed on the ballot.  Prior to election night, the Secretary of State received several public records requests seeking disclosure of the names of the individuals who signed the petition.  This information would include the name, address and county of residence for each of the 137,000 signatures submitted.  The Washington Public Records Act (“PRA”) makes available for public inspection “any writing containing information relating to the conduct of government or the performance of any governmental or proprietary function.”  Since the Secretary of State considered the referendum petition to fall under that definition, the identity of those who signed the petition was considered a public record.  Protect Marriage objected to the disclosure, citing privacy concerns, and sought a preliminary injunction to enjoin the disclosure of the petition signatories.

In an 8-1 decision, the Supreme Court held that the disclosure of referendum petitions does not, as a general matter, violate the First Amendment.  Writing for the majority, Chief Justice Roberts stated:

“Public disclosure thus helps ensure that only signatures counted are those that should be, and that the only referenda placed on the ballot are those that garner enough valid signatures.  Public disclosure also promotes transparency and accountability in the electoral process to an extent other measures cannot.”

As a result, the Court held that the State’s interest in preserving the integrity of the electoral process is sufficient to defeat the argument that the PRA is unconstitutional when applied to referendum petitions.

On the surface, this holding seems to be relatively clear-cut.  However, when you dive a bit deeper into the Court’s opinion, you find that this issue is far from over.  On appeal to the Ninth Circuit, the plaintiff asserted two key arguments: first, that the PRA was unconstitutional when applied to referendum petitions in general and second, that the PRA was unconstitutional when applied to this specific petition.  Since the Appellate decision was based solely on the first argument, the Supreme Court declined to address the second argument, which is arguably the stronger of the two.  Therefore, in the event this case returns to the Supreme Court, would the outcome remain the same?

In Reed, Chief Justice Roberts acknowledged that those resisting disclosure can prevail under the First Amendment if they can show “a reasonable probability that the compelled disclosure [of personal information] will subject them to threats, harassment, or reprisals from either Government officials or private parties.”  Reed citing Buckley v. Am. Constitutional Law Found. (Buckley II), 525 U.S. 182, 197, 119 S.Ct. 636, 142 L.Ed.2d 599 (1999).  In this case, the Respondents acknowledged their intent to publicly identify those who had signed the petition and broadcast the signers’ political views via a searchable internet website.  This, plaintiff argued, would be a blueprint for harassment and intimidation, effectively chilling future political participation.  However, a number of the Justices seemed to disagree.  Justice Stevens argued that “there would have to be a significant threat of harassment directed at those who sign the petition that cannot be mitigated by law enforcement measures” and that such harassment “is unlikely to occur in cases involving the PRA.”  Further, Justice Sotomayor, who was joined by Justices Ginsburg and Stevens, viewed the burden on public speech as “minimal” and wrote that “disclosure of the identity of petition signers, moreover, in no way directly impairs the ability of anyone to speak[.]”  Even Justice Scalia compared the act of signing a petition to the act of legislating, noting that “Our Nation’s longstanding traditions of legislating and voting in public refute the claim that the First Amendment accords a right to anonymity in the performance of an act with governmental effect.”

Apart from Justice Thomas, who believed the PRA was unconstitutional as applied to referendum petitions in general, the only other support came from Justice Alito.  Even though he voted with the majority, Justice Alito noted that “plaintiffs in this case have a strong argument that the PRA violates the First Amendment as applied to the Referendum 71 petition.”  Since at least five of the justices appear predisposed toward rejecting even a narrow First Amendment challenge to the PRA, it seems unlikely that signatories to the referendum petition will be able to remain anonymous.  Accordingly, anyone who is deciding whether to sign a referendum petition should decide if they want to be publicly identified with that particular political issue.

