Posted on Sunday, September 7 2014 at 6:09 pm by

The New Healthcare Networks — Now


1. The Collision

Technology worlds are colliding now in ways that may give the US healthcare system its last and best chance both to heal itself and to improve health. The collision gives health care institutions an opportunity to remain at the center of US healthcare, but at the center of larger new networks not just of providers and health insurers, but networks that include both medical device manufacturers and 24/7 connectivity to patients who need it. Before this collision, US healthcare has been about curing us, not making us healthy, as the numbers make clear:

[Chart: OECD, Health at a Glance 2013, http://www.oecd.org/els/health-systems/Health-at-a-Glance-2013.pdf. Source: OECD Health Statistics 2013, http://dx.doi.org/10.1787/health-data-en; World Bank for non-OECD countries.]

What in particular is costing so much? Care for chronic illnesses and comorbidity (which is the same thing, because it just means patients with more than one chronic condition, who cost up to 7 times as much as patients with only one chronic condition):

[Chart: chronic conditions as health care cost drivers, http://www.chrt.org/publications/price-of-care/issue-brief-2010-08-health-care-cost-drivers/. Copyright © 2008–2014 Center for Healthcare Research & Transformation.]

Before the impending collision, there is a world of biomedical technology – generally bigger, heavier, more expensive equipment purchased by provider organizations and devoted to curing medical conditions, and a newer world of health and fitness apps – generally smaller, lighter and cheaper and purchased by consumers.

The role and functions of biomedical technology have been morphing ever faster in the big data world. Now the technology generally needs to change, learn and produce valuable information as it is used, generally by gathering information that is protected health information (PHI) under HIPAA. So the manufacturer of the technology, previously exempt from HIPAA, now becomes a business associate directly subject to HIPAA’s security standards. (We are seeing it happen both in provider negotiations and in the business plans of the manufacturers.)

As a business associate of its health care institutional customer, the manufacturer can not only get PHI from the customer; it can create and send PHI back to the customer, the provider and potentially the patient. The “velocity” of big data will be most powerful as it generates real-time insights impacting care and health decisions, and for those insights to be effective, experts or expert systems need to be able to properly interpret their messages at the point of care or health decisions.

What of the other tech world of health and fitness apps, thought to be the province of fitness zealots, quantifiers of the self, Tom Wolfe’s “social x-rays,” and other people with more time on their hands than us average Joes (or lazy slugs, your choice)? The biggest problem/opportunity for those apps in solving the woes of our healthcare system is that people with chronic diseases are precisely those who need care when they are living their lives away from the bigger, heavier, more expensive technology, but the early adopters of the health and fitness apps that go anywhere your phone and other sensors go are those with health to burn. And because neither we as a society nor those early adopters as individuals have any really compelling reasons to care about incremental improvements in their health, the health and fitness apps can be and often are tossed as soon as their users tire of them. And being so healthy, what does a fitness app user care if his or her information is breached? Nobody loses insurance or a job due to a BMI of 21 rather than 20.

On the other hand, who needs real-time information 24/7 more than someone trying to manage her or his own chronic disease, or someone trying (or something designed) to improve the health or contain the health care costs of that person? And as the literature on health apps tells us, those apps will keep getting used if someone who cares and is respected by the user is at the other end. The impending collision between the disruptive consumer health tech and the established biomedical tech creates the huge opportunity for the disruptive tech to get to the people who need it and to whom we need to get it. But they need serious information security and privacy….

2. The New Networks

Four factors point the way to a structure of the new health care networks with the provider institution in the center:

  • The selection, interpretation and integration of information flowing both from the biomedical technology manufacturers and from consumer health apps all need an expert, experts and/or expert systems;
  • After all of our unsuccessful tinkering with the health care system, we still trust our doctors;
  • A strong and trustworthy maintainer of the privacy and security of health information is necessary for patients to consent (opt in) to participate in the new programs, which given current and likely future cyber-threats means sophisticated and adaptive security; and
  • Love it or hate it, HIPAA, the privacy/security legal/regulatory structure that was put in place when government had not yet come to a standstill (and therefore not likely to be repealed any time soon), made the provider the covered entity on whose behalf the business associates (here the medical technology manufacturer and connected health apps) create, store, use and communicate PHI.

Here, by “connected health apps,” I mean apps that can connect into the health care system because they can credibly enter business associate agreements. The increasing demand for such apps is leading to the creation of platforms and rules that help enable compliance with those agreements and business associate regulatory requirements by the apps developed on those platforms and in accordance with those rules. If such platforms succeed, then, patients/consumers will be able to trust the security and privacy of the system enough to connect (opt in) to it, and will be connected to someone they still appear to trust – their doctors – through a system strongly incented to maintain trust – a medical institution’s information systems.

Mobile health, biomedical devices, what else? To stimulate debate and thinking — and believe me, it did! — I even advocated health systems taking information from data brokers, because if data brokers become business associates, consumers will (for the first time) have many of the rights — e.g., access, amendment, accounting of disclosures — that those who seek due process in the “scored society” could want.

Being at the center of this collision and these new networks is very good news for US hospitals, in my humble opinion. When digital health leader Dr. Eric Topol said that in 20 years,

Hospitals, except for certain key functions like intensive-care units and operating rooms, will be completely transformed to data-surveillance centers,

I wondered whether he might be too optimistic about hospitals. Why put a data surveillance center in a hospital? Who or what will do the surveillance? The current collision and its aftermath, however, keep the medical system in the middle between the patient, physician and medical technology. That is why I humbly suggest that this collision may give the US healthcare system its last and best chance both to heal itself and to improve health.


Posted on Thursday, August 28 2014 at 5:56 pm by

President Obama Nominates Kilpatrick Townsend’s Danny Marti as U.S. Intellectual Property Enforcement Coordinator


WASHINGTON, D.C. (AUGUST 28) — Kilpatrick Townsend & Stockton announced today that President Obama has nominated firm partner Danny Marti as U.S. Intellectual Property Enforcement Coordinator. Mr. Marti, who is currently Managing Partner of Kilpatrick Townsend’s Washington, D.C. office, would become just the nation’s second U.S. Intellectual Property Enforcement Coordinator by replacing Victoria Espinel who stepped down from the position in August 2013.

The Office of the U.S. Intellectual Property Enforcement Coordinator is dedicated to the protection of the American intellectual property that powers the nation’s economy. The office works to foster and protect the United States’ global competitive advantage, which must discourage intellectual property theft while protecting the constitutional rights of our citizens. The office strives to make sure that the Federal government takes the most appropriate action to realize those goals.

“Danny is an exceptional intellectual property attorney who has been repeatedly recognized by his peers and clients across the country as one of the leaders in his field,” said Henry Walker, Kilpatrick Townsend Chair. “The White House has made a great choice in Danny. The entire firm congratulates him on this outstanding honor.”

“This position plays a critical role in implementing the President’s strategy for protecting some of the most important and powerful assets that help drive the nation’s economy,” said Susan Spaeth, Kilpatrick Townsend Managing Partner. “Having worked with Danny for many years, I have seen firsthand his tremendous leadership skills and he will bring the same intellect, commitment and passion to this position.”

Mr. Marti is the Managing Partner of Kilpatrick Townsend’s Washington, D.C. office – one of the largest of the firm’s 17 offices worldwide. He concentrates his practice on the protection, management, and enforcement of intellectual property assets in the United States and abroad. Mr. Marti advises clients in connection with domestic and international trademark portfolio management, licensing, and other intellectual property-based transactions.

Mr. Marti has represented clients in a wide range of cases involving trademarks, false advertising, unfair competition, copyrights, trade secrets, cybersquatting and computer fraud and abuse matters before various U.S. federal courts, as well as the Trademark Trial and Appeal Board (TTAB) and the World Intellectual Property Organization (WIPO).

Posted on Wednesday, August 27 2014 at 4:10 pm by

NLRB Rules That Employee’s Use of the Facebook “Like” Feature Can Be Protected Activity


On August 22, 2014, the National Labor Relations Board (NLRB) ruled for the first time that an employee who participated in a Facebook discussion of his employer’s income tax withholding practices merely by using the “Like” feature in connection with the discussion was protected by federal law.

In Triple Play Sports Bar & Grille, the owners of a nonunionized restaurant discharged two employees – a waitress and a cook – for their participation in an off-duty, off-site Facebook discussion involving claims that several current and former employees unexpectedly owed additional state income taxes because of alleged accounting errors by their employer. A former employee of the restaurant posted a comment on her Facebook wall stating that the restaurant owners “can’t even do the tax paperwork correctly.” The cook clicked “Like” for this comment. The waitress responded to the comment with a comment of her own, stating that she too owed income taxes and referring to one of the restaurant’s owners with an off-color expletive. Neither the waitress nor the cook participated further in the discussion, although other employees and customers continued with comments, including one characterizing one of the restaurant’s owners as a “shady little man” who probably “pocketed” employees’ money.

The NLRB found the discharges unlawful. In this case, there was no dispute that the initial comment exchange among employees and a former employee about the restaurant owners not being able to “even do the tax paperwork correctly” was concerted activity relating to pay practices under the National Labor Relations Act (“NLRA”). The NLRA gives employees a general right to engage in concerted activity (that is, to act together with other employees) with respect to wages, hours, and other terms and conditions of employment and makes it unlawful for employers to base adverse employment actions on such protected concerted activities. In Triple Play, the NLRB equated merely clicking “Like” during a Facebook discussion to expressing agreement with the particular written comment to which the “Like” designation related and thus granted NLRA protection to the cook. The NLRB also found the waitress’s comment was protected, despite its use of a profane expletive to describe one of the restaurant owners. Significantly, the NLRB found that the waitress’s comment and the cook’s clicking of “Like” on one individual posting in the discussion effectively endorsed the former employee’s original complaint only, and the NLRB held that the discharged waitress and cook therefore could not be held responsible for the other comments posted in the exchange, some of which might not have been shielded by the NLRA. The NLRB further found that the employer’s Internet/Blogging policy, which prohibited employees from “engaging in inappropriate discussions about the company,” could be construed to prohibit the type of protected Facebook posts that led to the unlawful discharges and thus also violated the NLRA.

The NLRB’s decision in Triple Play is noteworthy because it expands the concept of “concerted activity” under the NLRA to include Facebook “Likes” that are inserted in a Facebook discussion of working conditions. It also continues the NLRB’s close scrutiny of and strict approach to social media policies.

Posted on Saturday, August 9 2014 at 8:21 am by

Walking the Last Mile to Connectivity in a Village in India — ग्राम इन्टर्नेट (Village Internet) Project


(I have been working in a village in India with a team of hard-working, smart volunteers to invent, fund and implement a good demonstration project for other villages in India and beyond, designed to accelerate the use of the internet to improve the lives of women, public health and prosperity.  Below is a brief taste of what we’re doing; let me know if you want more!)

Kakelao is a village in Rajasthan of 4,000, the greatest untapped resource of which is its internet connectivity.  State-of-the-art cell towers loom above the village, and everywhere in Kakelao mobile phone reception proudly displays “five bars.”  Cell phones are ubiquitous, and smart phones common.  Yet the sales and supply networks of merchants remain as they were centuries ago, and to students in a geography class the world stops at the village’s edge or in Jodhpur.  In the government office, a good desktop computer distributed as part of the national “ePanchayat” initiative two years ago sits unused in a locked room.


The vision of the Village Internet – ग्राम इन्टर्नेट – project of the Yale Alumni Service Corps and AFS India is to help the people of Kakelao walk the final mile to reap the benefits of the infrastructure and global opportunities that surround them, through e-commerce and information benefiting businesses, education and health. The goal of the initiative is to disseminate the benefits of the internet as widely as possible in Kakelao, and our strategy to achieve that vision has three primary components:

1) A public access component allowing both men and women regular, personally assisted internet access to:

a) help them sell what they make and improve their supply chains via e-commerce, and offer them information about all aspects of their businesses; and

b) offer health information, continuing education, banking alternatives, helpful daily information like changes in bus and train schedules, and greater awareness of global issues;

2) Improved free computer training to children in grades 1-8 in the government primary school; and

3) Broader accessibility of improved private computer training on a fee basis to those who can afford it.

Other carefully-designed village-based initiatives have provided broad public access to internet benefits throughout India, including for those facing literacy, language and connectivity issues.  The largest such initiative, e-Choupal, reached out to 4 million farmers in over 40,000 villages through 6,500 internet kiosks, providing information on crop pricing, weather and other agricultural conditions.  Like e-Choupal, we propose the use of intermediaries for the public access component, but not just as disseminators of information.  These intermediaries will be enabling direct access to internet resources such as e-commerce sites, online markets for crafts, mobile banking and mobile health programs designed for villagers in India, and health and educational information.  By providing that broad, direct access through guided public access points and education and training, Kakelao can hasten the viral adoption of the internet for all of the potential benefits.

The Government and many NGOs and other companies have been providing infrastructure for decades, including fiber, broadband, cell towers and devices, to help transform India’s 640,000 villages, comprising over 70% of India’s population (which will soon surpass China’s as the largest in the world).  Government-issued computers have all-too-often remained locked away and unused, and large infrastructure investments have often come to naught, particularly among those too poor to afford electricity or their own devices, illiterate, or otherwise isolated.   A strong NGO working locally can clearly help open the doors to opportunity, knowledge and health.

Now, as the Government makes bold and commendable promises to extend broadband to all villages in India, this demonstration project (and I would expect others with which we would eagerly partner) will provide valuable lessons for local integration of the Internet into the densely-woven human networks of communication, power, affinity and divisions in any village. Watching the children of Kakelao jumping onto the Internet at the public primary school was a powerful representation of the inevitability of change; how the village walks the last mile in connecting the human network and the Internet will have an important influence on the nature of that change.


Posted on Thursday, July 24 2014 at 8:28 am by

Watershed Event on 21st C. Regulation of Privacy, Technology, Civil Liberties & Cybersecurity


UPDATE: In my humble opinion, this hearing was the watershed we expected. Ranking Member Cummings really appeared at the very end of the hearing to be moved by the testimony, expressed it as a “critical moment,” and praised the hearing, which represented extraordinary movement from the party line at the beginning of the hearing. Politico, Mother Jones and all the rest failed to note that movement at all, focusing only on the most vitriolic moments of the hearing. Perhaps I am naive, but the final moments of the hearing appeared to open the door to bipartisan investigation in the public interest.

__________________________________________________________________________

Original Post:

One of the most interesting and potentially influential political events on privacy, cybersecurity, civil liberties and technology regulation in the US and beyond — and of course that is saying a lot in the age of Snowden — will take place online, free, now, and you simply cannot miss it. The US House Committee on Oversight and Government Reform is about to hold a hearing entitled:

The Federal Trade Commission and Its Section 5 Authority: Prosecutor, Judge, and Jury

Yes, the event is political, like any Congressional hearing nowadays, and the partisan thunder has been rolling for days before the storm. Yesterday, Senate Commerce Chairman Jay Rockefeller (D-W.Va.) was so “troubled by the impropriety” of the related investigation by House Oversight Committee Chairman Darrell Issa (R-Calif.), which he considers “interference” in the important FTC proceeding against LabMD, that he determined he needed to take the rare step of himself trying to interfere in the House proceeding. The agenda for today’s hearing shows the weakness of Senator Rockefeller’s claim, however. Not only are the CEO of LabMD and another small businessperson on the agenda, but the legal scholars who, as I said in a previous post, have written the most important law review articles on opposite sides of the issue will each testify and take questions.

The ultimate issue at stake is one of the most important facing us in the 21st Century:

How can regulation keep up with exponential rates of change in technology?

The FTC has taken the position that in order to keep up, it needs to be able to enforce regulatory standards without specific notice of those standards. With help from FTC Commissioner Maureen Ohlhausen and the two scholars who will testify today, here’s how I can best express the issue to you:

Why would an agency trying to raise standards for the security of personal information avoid giving notice of its standards? Federal Trade Commissioner Maureen Ohlhausen recently offered remarks[1] that clarify just how important this strategy is to the FTC. In short, her argument is that given widespread innovation and the rate of change in technology, the information regulators need to gather in order to promulgate regulations is so widely dispersed and ephemeral that notice-and-comment rulemaking is stale by the time it is promulgated and carves regulatory categories unfit for their purposes. Her solution is the FTC’s Section 5 “unfairness” jurisdiction, which gathers information only from the parties and makes judgments on those specific facts; she calls it “ex post regulation.” She notes that while the results only bind the parties, others can and should look to the results as evidence of how the FTC would regard similar facts, and that “when the FTC weighs that precedent in future cases, it can then consider any changes in the underlying facts.”

If you are trying to run a business, you might find ex post regulation an elegant solution for the regulator but at least worrisome in that the rules regarding your facts are not known in advance. Those who know the FTC’s settlement agreements – almost always involving 20 years of monitoring – find it more troubling. Perhaps most troubling is the knowledge that the consent orders obtained generally involved no admission of wrongdoing, and represent practical business decisions by enterprises wishing to avoid years of ruinous litigation and damage to their reputations, rather than judgments of courts on the merits.

Commissioner Ohlhausen is well aware of the amount of power ex post regulation gives the FTC, and perhaps for that reason starts her speech with “Principle 1: Regulatory Humility.”[2] Professors Solove and Hartzog made the case, in a very thoughtful and influential article written before her remarks and somewhat inconsistent with them, that the FTC has exercised, if not humility, then at least restraint in the actions it has brought, providing justification for the current trend of viewing FTC privacy and information security consent orders under its Section 5 unfairness and deception authorities as the development of a “common law.”[3]

The FTC’s actions may not have lived up to the justification that Professors Solove and Hartzog have developed for them, nor to the principle of humility. For example, when an administrative law judge recently ordered the FTC to disclose its “unfairness” information security standards in the LabMD case,[4] the FTC did not claim that the security provisions mentioned in its more than fifty information security cases constitute precedent; it generally confirmed that every judgment is case-specific.[5] By the same token, the FTC does not ask its experts in the cases it brings to review its settlement agreements; rather it asks only for – and then relies on – a case-specific judgment based on the expert’s (mostly technical) security expertise; that is ex post information security regulation in action.[6]

Here’s the link again. Don’t miss it!

[1] The Procrustean Problem with Prescriptive Regulation, Remarks of Maureen K. Ohlhausen, Commissioner, U.S. Federal Trade Commission, to the Sixth Annual Telecom Policy Conference of the Free State Foundation, Washington, DC, March 18, 2014. Commissioner Ohlhausen noted that “The views expressed in these remarks are my own and do not necessarily reflect the views of the Federal Trade Commission or any other Commissioner.”

[2] For a good article on how fair notice principles could be considered by the FTC, see Stegmaier, Gerard M. and Bartnick, Wendell, Psychics, Russian Roulette, and Data Security: The FTC’s Hidden Data Security Requirements (May 9, 2013). George Mason Law Review, Vol. 20, No. 3, pp. 673-720, 2013. Available at SSRN: http://ssrn.com/abstract=2263037

[3] Solove, Daniel J. and Hartzog, Woodrow, The FTC and the New Common Law of Privacy (August 15, 2013). 114 Columbia Law Review 583 (2014); GWU Legal Studies Research Paper No. 2013-120; GWU Law School Public Law Research Paper No. 2013-120. Available at SSRN: http://ssrn.com/abstract=2312913 or http://dx.doi.org/10.2139/ssrn.2312913

[4] http://www.ftc.gov/system/files/documents/cases/140501labmdordercompel.pdf

[5] Transcript of the Testimony of Daniel Kaufman, May 12, 2014, at http://assets.law360news.com/0543000/543678/LabMD-Kaufman-Transcript.pdf and http://www.phiprivacy.net/wp-content/uploads/LabMD-Kaufman-Transcript.pdf

[6] See, e.g., Expert Report of Raquel Hill, Ph.D., included on p. 19 at http://www.ftc.gov/system/files/documents/cases/140502mtnlimitexpertrpt.pdf

Posted on Saturday, July 12 2014 at 2:42 pm by

The Presentation of Self in the Everyday Workplace


How should employers and employees deal with US law’s new recognition that digital life on a phone or cloud is often as intimate as a diary?

Recent big, bold Supreme Court decisions on cellphone privacy have come at about the same time as the best summer business reading is presenting a cure for the dishonesty of the current employer-employee relationship. The confluence of these two unrelated developments may in fact offer some useful opportunities in connection with the lesser dishonesty of being employed while using the Internet.

The apparent new right in the privacy of cell phone data was immediately recognized as based more on the richness of the personal data than on where the data resides, potentially protecting data of comparable richness in all of its clouds and other travels far beyond the cell phone. Already, we can see ripples of these criminal cases in a civil case involving employees going after other employees’ cell phones.

The first big question for employers and employees is: As these ripples move into the workplace and employers realize that their BYOD policies and employee handbooks may not be clear enough regarding the search of personal cloud repositories or other personal information stores, will they continue to design policies, consents and acknowledgements as broadly as the law permits and to some extent requires? Or will they — and in which ways can they, in view of their obligations to monitor discrimination and harassment — think about zones or counterbalancing principles of privacy, because as the Supreme Court recognized the digital lives to which employees can grant access are as personal as the most intimate diary?

That question brought to mind the source of this post’s title, Erving Goffman, because it goes beyond the privacy of data elements to the composition of the employee self in relation to the employer and other employees. Goffman treated face-to-face interaction as theatrical performance, and distinguished a “backstage” in which people could be themselves and prepare for performance. In some ways, what we have done by not (in the US) extending employee privacy rights from the private physical spaces (e.g., lockers) to the employer-sponsored electronic media on which many employees live is to get rid of the backstage, and social media intensifies the self-expression. (Employee self-expression online has long resulted in countless workplace disputes and more recent broad NLRB protection of certain content.)

The big question, restated in Goffman’s terms, is to what extent and how employers will allow employees to have a backstage. Not all of us need a backstage to be creative and productive and authentic, but others are quite clear that they do.  So, as most work becomes more and more temporary and part-time, and employers focus more and more on creating honest, bilateral “alliance” relationships, a concrete question the employer bilingual in Goffman and Hoffman might ask is:

How can I monitor what I need to monitor while still providing enough of a backstage for the ones who need it, enabling the alliances we want?

And the digital workplace privacy policy may even become a document that applicants and employees want to read, because it might speak directly to their ability to have authentic relationships in the workplace.


Posted on Thursday, July 10 2014 at 9:21 am by

Healthcare in 20 Years & 10 Years, & How to Reconnect Your Brain and Body Now

1.  In 20 Years, It’s Plug & Play:

In 20 years, humans will finally attain the status of cars for their medical care. They’ll have wearable and embeddable sensors with predictive analytics, and, most importantly, autonomous driving capabilities. Most cases of cancer will be successfully treated, Alzheimer’s will be substantially delayed or even pre-empted. DNA sequencing will be performed for most individuals at birth (or as a fetus). Hospitals, except for certain key functions like intensive-care units and operating rooms, will be completely transformed to data-surveillance centers. People will look back and laugh about the old physical office visit and the iconic ‘stethoscope’ along with the way so much of health care was rendered in the pre-digital era.

— Eric J. Topol, chief academic officer of Scripps Health and professor of genomics at the Scripps Research Institute, quoted in the Wall Street Journal

2.  OK, So What About in 10 Years?

[Infographic: mHealth]

3.  But What About Now?  Surely you can’t rewire the connection between the brain and the body?

http://www.popsci.com/article/science/how-it-works-system-reverses-paralysis

For many more every day, read

Posted on Saturday, June 28 2014 at 7:20 pm by

Why Healthcare Providers Should Take from Data Brokers, & Why Privacy Advocates & Regulators Shouldn’t Try to Stop Them


Many brilliant people with the very best of intentions felt or expressed dismay this week at a good article with the body-snatchers-invasion-class title, “Your Doctor Knows You’re Killing Yourself. The Data Brokers Told Her.” Surely the marauding hordes of data brokers (the targets of Federal Trade Commission investigations!), should be kept far away from the sacrosanct relationship between doctor and patient! The article ends with an ethicist intoning that the strategy “is very paternalistic toward individuals, inclined to see human beings as simply the sum of data points about them.”

I thought about that article and that ethicist yesterday as I sat with my family in a travel clinic giving us the shots we would need for a cultural exchange program in a village in India. The great doctor and nurse in the clinic knew nothing about us (Well, thanks to an electronic medical record, they knew about 1 pain med I didn’t even take a decade ago, which they dutifully asked me about). They didn’t even know any of the information we had entered on-line for them this week (The nurse explained that “On-line, you’re just a number.”).

My mind flashed as it often does between many years of helping friends in the public health world as they spent many years testing hypotheses in search of truths applicable generally across vast populations and my current life working with big data initiatives producing real-time, actionable, individual-focused information. I thought how eager the four of us (and I assure you that my professor wife and clever children are not big data lawyers) would have been for this doctor and nurse to get the scoop on us, in the case of the children to engage them more and in the case of the parents to give us the warnings we most need to hear. And I thought as I have for many years about paternalism in medicine.

I got into health care law in 1982, my first year of law school, in part because that was the year Paul Starr released his seminal book, “The Social Transformation of American Medicine.” It was a great study on the creation followed by the corporatization of a profession. There was a lot of talk from leaders as well as scholars in those days about medical costs and the profession of medicine; I for one will never forget Joe Califano’s “Medicine is too important to be left to doctors and politicians.” So many big failures and little successes followed; the constant of massive federal lobbying (in my humble opinion) served as birth control and an occasional abortion against effective health care reform.

If we fast-forward to today, so much has not changed yet in health care. The biggest changes on the immediate horizon may be the role of apps, mobile devices and home monitoring in personal health. As even the U.S. Supreme Court acknowledged this week, mobile devices have our whole lives on them, incredibly rich information so much of which bears directly on our health. The next iterations of iOS and Android will make integration of that information work better than ever. And the data on the fitness apps to date shows that they become effective (like Weight Watchers and AA) when others are watching. When others are watching, a health or fitness app becomes an effective “commitment device”; when others are not watching, those apps can be a little like Odysseus tying himself to the mast with a slip knot, only to crash his ship into the same rocks that have sunk countless New Year’s resolutions.

In our “bowling alone” society distrustful of the unregulated purveyors of health and fitness apps, however, where can you find a trustworthy ship or crew to serve as your commitment device? Oh, look! The big failures to change our health care system into something better have left your doctor–not so deprofessionalized after all–as someone you trust! And look! Your doctor is regulated by relatively stringent privacy and information security rules (including rules against marketing to you without your authorization), and if she enters a relationship with one of those apps in which she shares your information or the app creates information on her behalf, it is subject to most of those same regulations! And then (to get back at last to the beginning of this post) there is all the other information on you both on and off your mobile device, information, e.g., about your food, your activity levels and your stressors; that information, too, when received by your provider, becomes subject to not only those privacy and information security rules, but to more stringent state rules and the rules of professional ethics.

Finally, I ask you this: Which is the most and least paternalistic to you as a patient: (1) to give you the choice about whether your healthcare provider really knows you or knows only your self-reported issues, (2) to force her to know things about you that you haven’t reported, or (3) to make sure that she tells you what to do knowing only the few facts you have given her that day? With electronic medical records and health information exchanges, we have apparently already made the choice for (2) and are spending a great deal of money to try to make it work. Much more inexpensively, health care providers can have much richer information about you and your health than is often available on an EMR or in an HIE, and can be the most trusted repository available for that information. I submit to you for that reason that providers will not be serving their patients well if in the very near future they are not taking and using information from data brokers, at least giving patients the choice described in (1), and privacy advocates and regulators will be preventing important improvements in our health and healthcare systems if they prevent providers from taking and using such information.

Posted on Sunday, June 8 2014 at 3:18 pm by

Privacy for Franchisors: Tough Regulation without Standards or Scalability


Where a zealous regulator has a great deal of power, but no published standards or accountability to legislatures or courts, and appears to exercise limited discretion in applying a single, onerous penalty on all entities it regulates, your object as a regulated entity might well be to escape the notice of the regulator.  At the time of this writing, that is the situation faced by franchisors whose privacy and information security practices are regulated by the Federal Trade Commission (FTC).

In the Aaron’s and Wyndham cases, the FTC made it clear that franchisors are in its crosshairs, but the FTC was shooting from opposite directions in the two cases.  Aaron’s[1] is fundamentally about holding the franchisor responsible for software installed by franchisees, and the FTC forges the link in ways that should give franchisors pause, i.e., through the communication and IT support platforms provided to franchisees.  For example, factors considered by the FTC included the following common “mistakes”:  the franchisor allowed franchisees to access the software designer’s website (without which they couldn’t activate the software), the franchisor’s server was used to transmit and store emails containing content obtained with the software, and the franchisor provided franchisees with tech support for the software.

In Wyndham,[2] on the other hand, the fundamental issue is whether the franchisor has exerted enough control, in a multitude of areas of information security, over the franchisees to establish an information security program that the FTC deems “reasonable.”  Aaron’s mistake of commission (and vicarious liability) was a piece of privacy-invasive software; Wyndham’s mistakes of omission were all the things it did not do to create a comprehensive information security program in the FTC’s eyes, as evidenced by its three security breaches in two years (not a large number for a large hospitality chain).  Both cases were built on both of the fundamental areas of authority claimed by the FTC over privacy and information security:  the relatively uncontroversial “deception” authority to enforce privacy and security “promises” in privacy policies, and the more controversial “unfairness” authority to enforce “reasonable security.” Unfairness authority lies at the heart of Wyndham, however, and when Wyndham became the first entity to challenge that authority in court, the FTC received its first judicial affirmation of both its unfairness authority and its ability to enforce that authority without published standards.[3]

Why would an agency trying to raise standards for the security of personal information avoid giving notice of its standards?  Federal Trade Commissioner Maureen Ohlhausen recently offered remarks[4] that clarify just how important this strategy is to the FTC.  In short, her argument is that given widespread innovation and the rate of change in technology, the information regulators need to gather in order to promulgate regulations is so widely dispersed and ephemeral that notice-and-comment rulemaking is stale by the time it is promulgated and carves regulatory categories unfit for their purposes.  Her solution is the FTC’s Section 5 “unfairness” jurisdiction, which gathers information only from the parties and makes judgments on those specific facts, calling it “ex post regulation.” She notes that while the results only bind the parties, others can and should look to the results as evidence of how the FTC would regard similar facts, and that “when the FTC weighs that precedent in future cases, it can then consider any changes in the underlying facts.”

If you are trying to run a business, you might find ex post regulation an elegant solution for the regulator but at least worrisome in that the rules regarding your facts are not known in advance.  Those who know the FTC’s settlement agreements – almost always involving 20 years of monitoring – find it more troubling.  Perhaps most troubling is the knowledge that the consent orders obtained generally involved no admission of wrongdoing, and represent practical business decisions by enterprises wishing to avoid years of ruinous litigation and damage to their reputations, rather than judgments of courts on the merits.

Commissioner Ohlhausen is well aware of the amount of power ex post regulation gives the FTC, and perhaps for that reason starts her speech with “Principle 1: Regulatory Humility.”[5]  Professors Solove and Hartzog made the case, in a very thoughtful and influential article written before her remarks and somewhat inconsistent with them, that the FTC has exercised, if not humility, then at least restraint in the actions it has brought, providing justification for the current trend of viewing FTC privacy and information security consent orders under its Section 5 unfairness and deception authorities as the development of a “common law.”[6]

The FTC’s actions may not have lived up to the justification that Professors Solove and Hartzog have developed for them, nor to the principle of humility.  For example, when an administrative law judge recently ordered the FTC to disclose its “unfairness” information security standards in the LabMD case,[7] the FTC did not claim that the security provisions mentioned in its more than fifty information security cases constitute precedent; it generally confirmed that every judgment is case-specific.[8]  By the same token, the FTC does not ask its experts in the cases it brings to review its settlement agreements; rather it asks only for–and then relies on–a case-specific judgment based on the expert’s (mostly technical) security expertise; that is ex post information security regulation in action.[9]

The LabMD case is a very important one in that there the FTC is applying its ex post standards not to an entity the information security obligations of which are uncertain, but to an entity whose obligations regarding consumer information security are covered by one of the most detailed regulatory structures in the country, the rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  Moreover, HIPAA security standards – particularly as they apply to small health care providers like LabMD — are by Congressional design and regulation lower than FTC standards,[10] so the imposition of higher standards frustrates Congressional and HHS choices.  Thus if the FTC can apply its Section 5 authority to LabMD, it can arguably apply that authority to any entity in commerce, regulated or not.

The US health care marketplace resembles the franchise economy in consisting of dispersed networks of large and small entities, the smaller of which have limited resources for information security.  The 1996 HIPAA statute therefore stated that in promulgating information security regulations, the Secretary of HHS must take into account “the needs and capabilities of small health care providers and rural health care providers (as such providers are defined by the Secretary),”[11] and the preamble to the HIPAA Security Rule states accordingly that one of the foundations of the rule is that “it should be scalable, so that it can be effectively implemented by covered entities of all types and sizes.”[12]

This principle of scalability is not only a HIPAA requirement; it is basic to pragmatic information security.  A small entity can only do what it can do, so it needs applications that take care of the security issue as much as possible, by default.  If a small entity takes on a big risk (e.g., a large data file), it cannot do so with the same IT staffing as a large entity, so it needs guidance to outsource, e.g. to a secure cloud provider, not guidance to use tools that–even if it could identify them–it would never properly deploy, integrate and effectively use.

FTC Chair Edith Ramirez expresses the starkly contrasting position of the FTC:

The FTC conducts its data security investigations to determine whether a company’s data security measures are reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its data operations, and the cost of available tools to improve security and reduce vulnerabilities.[13]

Her statement is quite accurate: The FTC’s standards vary only by the risk associated with the information and the cost of “tools,” not including the availability of knowledge of those tools and not including – and this is critical in the information security area – the cost of implementing and integrating those tools, and the cost of taking action in response to the complex signals of many detection tools, which in fact require large IT staffs not feasible for small entities.  The FTC thus has neither a mandate nor a mission to consider the regulated entity and the feasibility of compliance, scalability, the availability of knowledge of which tools are the best, and the ability to integrate technical tools rather than just buying something off the shelf.

Judge William Duffey of the Northern District of Georgia got a look at this case before deciding that the federal courts have no jurisdiction to do anything about it yet, and offered a lot of advice in open court that underscores the big question of whether the FTC, now apparently “clothed with immense power” by the Wyndham decision, can exercise responsible discretion or Commissioner Ohlhausen’s first principle of “humility” (including whether federal courts can help with those lessons after the FTC’s administrative process is complete).  He said:

I think it’s the responsibility of the government to be fundamentally fair to the people that it’s regulating, and that it would be in your interest and I would hope your motivation as an employee of the government…. [H]ow does any company in the United States operate when they are trying to focus on what HIPAA requires and to have some other agency parachute in and say, well, I know that’s what they require, but we require something different, and some company says, well, tell me exactly what we are supposed to do, and you say, well, all we can say is you are not supposed to do what you did.[14]

Remarking on the notion that a small laboratory about to go out of business should be subject to the 20 years of monitoring that is a universal feature of the FTC’s consent decrees, he suggested that the FTC consider:

a good faith, transparent, authentic discussion about what your concerns are, and trying to get those allayed by some process which would not be a twenty-year monitoring. You know, I have defended people that had twenty-year monitoring responsibilities by an agency, big companies, and it’s very, very expensive, and it’s really intrusive, and in my personal opinion, having been on both sides, they generally are not necessary. But there is never a middle ground. There should be.[15]

For now, however, there is no middle ground.  A franchisor has no option but to act on some difficult decisions.

_____________________________________________________________________________________________________________________

Disclosure: KTS has represented LabMD.

Photo: Japanese-American-owned grocery, 1942.

[1] http://www.ftc.gov/enforcement/cases-proceedings/122-3256/aarons-inc-matter

[2] http://www.ftc.gov/enforcement/cases-proceedings/1023142/wyndham-worldwide-corporation

[3] FTC v. Wyndham Worldwide Corp., No. 2:13-cv-01887-ES-JAD, 2014 BL 94785 (D.N.J. Apr. 7, 2014).

[4] The Procrustean Problem with Prescriptive Regulation, Remarks of Maureen K. Ohlhausen, Commissioner, U.S. Federal Trade Commission, to the Sixth Annual Telecom Policy Conference of the Free State Foundation, Washington, DC, March 18, 2014.  Commissioner Ohlhausen noted that “The views expressed in these remarks are my own and do not necessarily reflect the views of the Federal Trade Commission or any other Commissioner.”

[5] For a good article on how fair notice principles could be considered by the FTC, see Stegmaier, Gerard M. and Bartnick, Wendell, Psychics, Russian Roulette, and Data Security: The FTC’s Hidden Data Security Requirements (May 9, 2013). George Mason Law Review, Vol. 20, No. 3, pp. 673-720, 2013. Available at SSRN: http://ssrn.com/abstract=2263037

[6] Solove, Daniel J. and Hartzog, Woodrow, The FTC and the New Common Law of Privacy (August 15, 2013). 114 Columbia Law Review 583 (2014); GWU Legal Studies Research Paper No. 2013-120; GWU Law School Public Law Research Paper No. 2013-120. Available at SSRN: http://ssrn.com/abstract=2312913 or http://dx.doi.org/10.2139/ssrn.2312913

[7] http://www.ftc.gov/system/files/documents/cases/140501labmdordercompel.pdf

[8] Transcript of the Testimony of Daniel Kaufman, May 12, 2014, at http://assets.law360news.com/0543000/543678/LabMD-Kaufman-Transcript.pdf and http://www.phiprivacy.net/wp-content/uploads/LabMD-Kaufman-Transcript.pdf

[9] See, e.g., Expert Report of Raquel Hill, Ph.D., included on p. 19 at http://www.ftc.gov/system/files/documents/cases/140502mtnlimitexpertrpt.pdf

[10] See fns. 11 & 12, infra.

[11] 42 U.S. Code § 1320d–2(d)(1)(A)(v).

[12] 68 Fed. Reg. 8,334, 8,335 (Feb. 20, 2003)

[13] PREPARED STATEMENT OF THE FEDERAL TRADE COMMISSION on Protecting Personal Consumer Information from Cyber Attacks and Data Breaches, Before the Committee on Commerce, Science, and Transportation, US Senate, Washington, D.C., March 26, 2014.

[14] http://docs.law.gwu.edu/facweb/dsolove/Information-Privacy-Law/files/LabMD%20Transcript%202014-05-07.pdf, at 94

[15] Ibid., at 89

Posted on Friday, May 30 2014 at 10:35 am by

KT IP Industry Summary: Rockes Get No Personal Jurisdiction over Pebble Beach from Keyword Ads


Rocke v. Pebble Beach Co., CIV.A. 12-3372, 2014 WL 1725366 (E.D. Pa. Apr. 29, 2014)

On a vacation to California with her husband, Mrs. Rocke decided to get a massage at The Spa at Pebble Beach. After putting on the spa slippers supplied by the spa, Mrs. Rocke tripped, falling and hitting her head. When she returned to her home state of Pennsylvania, the Rockes brought suit against The Spa in district court.

In alleging jurisdiction, the Rockes claimed that the defendant had sent direct mailings and email solicitations to Pennsylvania citizens and had also advertised in national golf magazines and solicited the business of Pennsylvanians through its website.

The district court dismissed the complaint for lack of personal jurisdiction, and the Third Circuit affirmed, likewise finding no general or specific jurisdiction, but nevertheless remanded, holding that the plaintiffs were entitled to jurisdictional discovery.

Following discovery, the plaintiffs argued a new basis for jurisdiction—the defendant’s practice of purchasing keyword advertisements from Google. The plaintiffs contended that “[t]he intent behind the advertising campaign [was] to attract customers from around the world, including Pennsylvania, to Pebble Beach Resorts.”

The court rejected the argument, reasoning that “[b]y purchasing AdWords, Pebble Beach (like many other businesses utilizing the same marketing technique) seeks to make itself more visible to anyone in the world who searches Google using certain keywords or search terms.” The court found that plaintiffs “failed to produce any evidence that the defendant purchased Pennsylvania-specific AdWords in order to solicit Pennsylvania business” and held that “[t]he mere fact that Pennsylvania residents are potentially swept up in the broad ocean of people to whom Pebble Beach is advertising through AdWords is not even a direct contact, much less a continuous and systematic one.”

While the decision leaves open the possibility that keywords targeted to Pennsylvanians might have yielded a different result, the court made clear that simply purchasing keyword advertisements is insufficient to subject a defendant to nationwide jurisdiction.