2005 promises to be a year of significant activity on privacy and security issues, both in terms of new obligations and enforcement of older rules. For the health care industry, these developments fall into two primary categories - those that affect health care entities exclusively and those that encompass the health care industry within a wider range of regulated entities.
Keep an eye on the following hot topics:
HIPAA Security
In the health care industry, the primary immediate challenge is assessing and implementing the HIPAA Security Rule by April 20, 2005. This does not affect the health care industry alone - one of the largest sources of confusion to date has been the extent of requirements that must be imposed on those who do business with the health care industry, including the confusing and, perhaps, almost impossible-to-implement provisions relating to the reporting of "security incidents" by business associates. The HIPAA Security Rule, while primarily a "process" rule, is causing substantial confusion within the health care industry, with many companies stumbling with the first two steps of the Security Rule process - risk assessment and risk management. The Department of Health and Human Services (HHS), the responsible regulatory agency, has issued little guidance on the Rule. Some of the leading industry groups are promising "model" policies and procedures, but no specific guidance has been forthcoming. With the compliance date only a few months away, expect a barrage of activity in this area over the next few months, encompassing not only the core health care entities directly covered by the Rule, but also those vendors that provide services to health care industry entities.
Key Issues To Watch
- Will the health care industry achieve meaningful compliance with the Security Rule by April 2005?
- Will HHS follow the privacy enforcement approach, where enforcement has been slow and unaggressive, or will security enforcement be more active?
- Will there be significant security breaches in the health care industry, increasing enforcement pressure on HHS and business pressure on the health care industry and its business partners?
National Health Information Network
For the health care and information technology industries, one of the key developments for 2005 may be the initial steps toward development of the National Health Information Network. This "network" promises to implement widespread use of information technology for the health care industry over the next 10 years. This is a long-term issue to watch. However, some early steps are being taken this year. HHS issued a "Request for Information" related to development of this network (responses were due January 18, 2005) and now will work to take the next steps.
This development promises to present some of the primary tensions seen in the regulation of privacy - balancing the benefits of information technology with privacy protection. The premise of this network - as demonstrated by a widely shown television ad where a clerk pulls together all of a patient's medical records in seconds when the treating doctors cannot - is that enhanced use of information technology will increase medical efficiency and effectiveness, and reduce medical errors. Recent reports also have projected enormous cost savings throughout the health care system from more efficient use of information technology (Note: There were also predictions of substantial savings from the HIPAA standard transactions rule, but these savings have been much smaller than anticipated, while compliance costs have been higher). At the same time, the development of this network challenges fundamental tenets of the HIPAA rule (and other privacy rules) - that medical records are the individual's information to control. This network also creates significant potential conflicts with existing HIPAA security and standard transactions rules. In any event, this network will involve substantial technology opportunities for many companies, and will play a significant part in the evolution of the health care industry over the next decade.
Key Issues To Watch
- How will HHS (or Congress) balance the health care benefits of a coordinated electronic network with the privacy and security requirements set out in HIPAA?
- Will there be a meaningful economic commitment by the Bush Administration to the electronic medical records project?
Do Not Call
The top enforcement issue this year will be the effort by the Federal Trade Commission (FTC) and the Federal Communications Commission (FCC) to oversee the national Do Not Call lists. Unlike most other laws protecting privacy rights, the Do Not Call lists have been both highly popular and actively enforced. Both the FTC and the FCC (which has jurisdiction over certain entities, such as insurers, who are typically not regulated by the FTC) have been actively investigating Do Not Call complaints. Wiley Rein & Fielding has represented a number of companies targeted by the two agencies. Their investigations have been swift and thorough. They also have been largely reasonable - meaning that the FTC and FCC staffs are both active inquisitors and capable listeners. These investigations have not been witch hunts, but, instead, have focused on determining what actually happened and reviewing how a covered telemarketer has responded in its telemarketing activities to comply with the required provisions.
In 2005, expect this active enforcement to continue. As the investigations move from an initial phase to a more specific enforcement stage, the number of penalty actions should increase. One key hint for companies that do any telemarketing: while it is an essential first step to have a strong Do Not Call program for calls conducted by your company or by telemarketing firms, watch out also for calls made by your agents, particularly outsiders who can make calls on your behalf. These "agents" - if they are selling your product - can get you in trouble just as much as your own employees. Consider whether you should be auditing compliance by your agents, or issuing new or enhanced guidance on Do Not Call restrictions for these agents.
Key Issues To Watch
- How aggressive will enforcement of the Do Not Call rules be in 2005?
- How should companies better police their agents on the Do Not Call rules?
Do Not Email Or Fax
While the Do Not Call rules have generated the most public attention, we also can expect new enforcement activity for the Do Not Call "second cousins" - the Do Not Email (or spam) and Do Not Fax rules. While obviously directed at the same kind of unwanted sales activities as Do Not Call, each of these rules has its own set of guiding principles, making adoption of a consistent marketing policy difficult. With that said, any firm, regardless of the industry, needs to understand the differences between these rules, and to develop an appropriate compliance program to deal with each rule.
With the Do Not Email program fully in effect, the FTC already has begun enforcement action against overly aggressive spam marketers. While the activity so far has been directed at "non-mainstream" marketers (primarily pornography companies), we can expect broader activity in this area. The biggest wildcard involves the FTC's recent issuance of a rule defining the "primary purpose" of an email communication, which is the trigger point for Do Not Email obligations. Recognizing the difficulty of this definition, the FTC has postponed the effective date for this rule until July 2005, but companies should begin developing an appropriate compliance program now - particularly those that do not have centralized direction of email marketing programs.
The Do Not Fax rules are similarly in flux. The primary struggle involves whether existing customers have to agree - in advance - to receive faxes. The FCC and FTC have struggled with this issue, and have already missed self-imposed deadlines to create an effective regulatory structure. There is another deadline this summer. Keep an eye on this.
Key Issues To Watch
- Will enforcement of the Do Not Spam rules go beyond "non-mainstream" companies?
- Will the FTC (or Congress) agree on a Do Not Fax Rule?
- If so, will there be affirmative customer consent requirements even for current customers?
Identity Theft
While those in the privacy industry continue to debate the merits of certain privacy laws, no one doubts that identity theft is a growing problem. Legislative actions, such as the provisions of the Fair and Accurate Credit Transactions Act, have been designed to reduce the threat of identity theft. Enforcement against identity theft has been reasonably aggressive, yet there remains widespread concern about this problem.
Could an additional set of laws or rules make a difference in this area or are aggressive enforcement and education likely to be more effective? The only thing for sure in 2005 is that there will be substantial debate - at both the state and federal level - as to whether additional laws should be passed related to identity theft.
Key Issues To Watch
- Is there a need for additional tools to fight identity theft?
- Is there a legislative solution to this problem?
State Law
While Congress reviews spyware legislation (and perhaps other new privacy rules), the states likely will be much more active in debating and enacting new legislation, covering a broader range of topics. Once again, California is likely to lead the way. Many companies in a wide range of industries still need to implement some of the requirements of recent California laws, such as SB 27, related to certain disclosures concerning third-party marketing, and AB 1950, creating the obligation for any company that owns or licenses personal information to have "reasonable security procedures." The requirements of SB 1386 - related to notification obligations in the event of a security breach - continue to cause concern, as breaches are becoming more commonplace (or perhaps simply more noticeable) over time. California legislators are proposing a wide range of new laws, and, given recent experience, a number of these likely will become law in 2005.
For other states, the question will be how many of the California laws will "catch on," and whether states will act in other situations where federal action has not been forthcoming. California's Social Security Number legislation already has received endorsements in more than a dozen states, with more expected in 2005. The security breach legislation has not yet been passed in other states, but similar legislation was introduced in several states in 2004, with promises to revisit the legislation in 2005. Other topics for potential action at the state level involve spyware, financial privacy legislation (modeled on California's SB 1) and general security requirements.
Key Issues To Watch
- Will other states take action concerning security breaches?
- What will California come up with next?
- Will other states pick up any of the California privacy laws?
International Arena
While U.S. companies struggle with an increasing variety of privacy rules at the state and federal level, any company that has personal data of any kind crossing country borders also faces additional - and increasing - concerns at the international level. In the health care industry, these rules are likely to have the most significant impact on companies that utilize large volumes of health care data - such as pharmaceutical companies - or those companies that "outsource" substantial data functions.
On the whole, the array of compliance possibilities for U.S. companies continues to grow, although "more options" have not always translated to "better options." The primary option available to U.S. companies, the "safe harbor" program, has been, at best, a mixed success. A new development involving certain approved contract language presents some interesting possibilities for U.S. companies, but these remain at the "potential" level, with substantial uncertainty as to how effective they would be.
For American companies, navigating the international privacy regime remains risky, but, luckily, enforcement has been almost nonexistent. With additional compliance options in the works, analyzing how best to exchange information with non-U.S. countries remains a substantial challenge.
Key Issues To Watch
- Will there be increased enforcement of the EU privacy rules against U.S. companies?
- Will a meaningful Safe Harbor option emerge?
- Will other countries follow an EU model or some other sort of privacy principles?
Published March 1, 2005.