On September 9 Apple is hosting its ‘Wish We Could Say More’ event. In the interim we will be deluged with usually uninformed speculation about the new iPhone, an iWatch wearable, and who knows what else. What we do know, because Apple announced it back in June, is that iOS 8, Apple’s mobile operating system, will include an app called ‘Health’ (backed by a ‘HealthKit’ API) that will aggregate health and fitness data from the iPhone’s own internal sensors, third-party wearables, and EMRs.
What has been less than clear is how the privacy of this data is to be protected. There is some low hanging legal fruit. For example, when Apple partners with the Mayo Clinic or EMR manufacturers to make EMR data available from covered entities they are squarely within the HIPAA Privacy and Security Rules triggering the requirements for Business Associate Agreements, etc.
But what of the health data being collected by the Apple health data aggregator or other apps that lies outside of protected HIPAA space? Fitness and health data picked up by apps and stored on the phone or on an app developer’s analytic cloud fails the HIPAA applicability test, yet may be as sensitive as anything stored on a hospital server (as I have argued elsewhere). HIPAA may not apply, but this is not a completely unregulated area. The FTC is more aggressively policing the health data space and is paying particular attention to deviance from stated privacy policies by app developers. The FTC also enforces a narrow and oft-forgotten part of HIPAA that applies a breach notification rule to non-covered-entity PHR vendors, some of whom no doubt will be selling their wares on the App Store.
The stakes were high in Sutter — under the California statute medical data breach claims trigger (or should trigger!) nominal damages at $1000 per patient. Here four million records were stolen.
Plaintiffs first argued the defendant breached a section prohibiting unconsented-to disclosure. The not unreasonable response from the court was that this provision required an affirmative act of disclosure by the defendant, which was not satisfied by a theft.
A second statutory provision argued by the plaintiffs looked like a winner. This section provided, “Every provider of health care … who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall do so in a manner that preserves the confidentiality of the information contained therein.”
Privacy is never easy to think about. This week it became harder. Two pieces framed my week. First, Eben Moglen’s essay in The Guardian (based on his Columbia talks from late last year) took my breath away; glorious writing and stunning breadth combined to deliver a desperately sad (but not entirely hopeless) message about government and corporate overreaching in data collection and processing.
A wry speech posted by software developer Maciej Ceglowski also helped frame my thoughts. He wrote, “The Internet somehow contrives to remember too much and too little at the same time, and it maps poorly on our concepts of how memory should work.” There’s the problem in a nutshell. Ceglowski alludes to the divide between how human (offline) memory operates (it’s “fuzzy” and “memories tend to fade with time, and we remember only the more salient events”) and the online default of remembering everything. Government and Google and, for that matter, Big Data Brokers tell us that online rules now apply across the board and ‘that’s just peachy’ because we’ll have better national security, better searches, or more relevant advertising. But that’s backwards.
A resident of Spain allegedly owed back taxes, triggering attachment proceedings. The local newspaper published the details of an upcoming auction of his property in early 1998. At some point the issue was settled. However, the matter was not forgotten—the newspaper was online and a Google search of the gentleman’s name returned this history. He complained to the Spanish data protection agency (AEPD) that he had a right to have older, irrelevant information erased and that Google should remove the links. The AEPD agreed and Google sued for relief. The Spanish High Court referred the interpretation of the Data Directive (95/46) to the European Court of Justice in 2010, and in 2013 the Advocate-General issued an advisory opinion supportive of Google’s position. Somewhat surprisingly, the European Court of Justice has now taken the opposite view (Case C‑131/12, Google Spain SL v. AEPD, May 13, 2014).
Last week the President celebrated the enrollment of 7.1 million Americans in health insurance with the words “The debate over repealing this law is over… The Affordable Care Act is here to stay,” here. Indeed, as the number of insured under the Act has grown, Medicaid has gained another 3 million enrollees, here, and other ACA provisions have kicked in, so the conventional wisdom has emerged that while a political turn in favor of Republicans would lead to some important “tweaks,” the so-called “popular parts” such as guaranteed issue would survive. This world view seemed confirmed when Senators Burr, Coburn and Hatch introduced the first true Republican alternative to the ACA, here. Tim Jost commended that effort for going beyond the rhetoric of repeal, noting, here, “Republicans seem to be coming to terms with the fact that the ACA has permanently changed the health policy landscape.” However, House Budget Committee Chairman Paul Ryan seems to be having none of this, suggesting, here, that total reform remains the objective and that “We can have in this country universal access to affordable health insurance for everybody, including people with preexisting conditions without a costly government takeover of one-sixth of our economy.” It’s going to be a long election season.
March 28, IU Robert H. McKinney School of Law, Indianapolis. The Hall Center for Law and Health and the Indiana Health Law Review present a major conference on neuroscience and the law. Speakers include:
Oliver R. Goodenough, Professor of Law, Vermont Law School
Geoffrey K. Aguirre, Associate Professor of Neurology, Perelman School of Medicine, University of Pennsylvania
Brenna C. McDonald, Assistant Professor of Radiology and Neurology, Stark Neurosciences Research Institute, Indiana University School of Medicine
Matthew Mitten, Professor of Law and Director, National Sports Law Institute, Marquette University Law School
Jean M. Eggen, Distinguished Professor of Law, Widener University School of Law
Tracy D. Gunter, Associate Professor of Clinical Psychiatry, Indiana University School of Medicine
Robert M. Pascuzzi, Professor and Chairman, Department of Neurology, Indiana University School of Medicine
Leslie A. Hulvershorn, Assistant Professor of Psychiatry, Indiana University School of Medicine
Amanda C. Pustilnik, Associate Professor of Law, University of Maryland Francis King Carey School of Law
Jennifer A. Drobac, Professor of Law, Indiana University McKinney School of Law
Andrew J. Saykin, Raymond C. Beeler Professor of Radiology and Director, Indiana University Center for Neuroimaging, Department of Radiology, Indiana University School of Medicine
Rebecca S. Dresser, Daniel Noyes Kirby Professor of Law and Professor of Ethics in Medicine, Washington University School of Law
Eric Racine, Director, Neuroethics Research Unit, University of Montreal and McGill University