
Wednesday, December 19, 2007

NY AG Cuomo Announces Code of Conduct for Private Student Loan Programs

By: Dino Tsibouris and Mehmet Munur

New York Attorney General Andrew M. Cuomo reached a settlement with University Financial Services (UFS), a private student loan consolidation service, and announced a Direct Marketing Code of Conduct that would apply to student loans marketed directly to students. This represents a new regulatory approach. The proposed code of conduct:

(1) Prohibits lenders from using misleading tactics such as using insignia to appear to be a part of the federal government;

(2) Prohibits lenders from paying students to steer their peers to lenders;

(3) Requires submitting uniform disclosures to students at three different stages of the loan application process;

(4) Requires lenders to advise students to exhaust federal loan options before using private loans;

(5) Prohibits lenders from using gift cards or similar items to entice students;

(6) Prohibits lenders from selling or disclosing personal information about the borrower unless the lender clearly and conspicuously discloses its intent to do so in a privacy policy;

(7) Requires lenders to disclose whether they intend to resell the student loans; and

(8) Prohibits lenders from levying early payment penalties.

The settlement requires UFS to end arrangements with 63 colleges to market UFS’s consolidation loan services. UFS also agreed to publish advertisements advising students to be cautious when shopping for loans. AG Cuomo criticized some private lenders for co-branding their products with university mascots to appear as a university’s financial aid services.

AG Cuomo’s announcement mirrors some of the concerns that the NY legislature and the United States Congress raised. NY recently passed the Student Lending Accountability, Transparency and Enforcement Act while Senator Dodd (D-CT) introduced the Private Student Loan Transparency and Improvement Act of 2007 in June.

Lenders who offer loans directly to students should see this as the first of what may be a series of similar regulatory efforts aimed at student lenders outside the FFELP program or marketed through schools.


Monday, December 10, 2007

Microsoft Health Vault

By: Dino Tsibouris & Mehmet Munur

Microsoft’s recently launched Health Vault promises benefits in storing and sharing healthcare information online but raises concerns about the privacy of this information. Health Vault is Microsoft’s “new personal health platform that lets you gather, store, and share health information online.” Service users need a Windows Live ID (previously .NET Passport) to use the service. Once users create both a sufficiently safe username and a strong password, they can enter data from health and wellness devices, or upload documents to their vault. Users can then share this information with other Windows Live ID users, such as doctors and health care professionals.

Google also has a website, Google Health, that is similar to Microsoft’s consumer-oriented approach to health information. While Google’s service will probably not be introduced until 2008, both companies’ focus on this field is a result of current trends. In 2007, 52 percent of adults in the US searched the web for health information compared to 29 percent in 2001. More and more, patients are confronting their health care providers with information gathered from websites such as WebMD. Both Google and Microsoft hope to leverage their expertise in web search functionality with personal health information storage and sharing.

Consolidating healthcare information online can offer many benefits to a patient as well as the doctors. Online storage reduces the risk of data loss and enables access to data regardless of where the patient resides. However, giving patients full control of their health records may mean that patients can selectively disclose healthcare information.

On the other hand, both Google and Microsoft are entering this industry to generate advertisement or software sale revenues, which creates privacy concerns. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 governs the security of personal health information. While Microsoft is aware that HIPAA may apply to it, it is not yet aware of the extent to which HIPAA applies to Health Vault.

Microsoft’s Health Vault privacy statement addresses some privacy concerns but does not specifically address HIPAA regulations. First, the privacy statement asserts that third parties, such as companies Microsoft hires to answer customer service questions, have access to personal information such as IP addresses and email addresses. However, Microsoft also states that these third-party companies are required to maintain confidentiality. Second, Microsoft states that this information “may be stored and processed in the United States or any other country in which Microsoft or its affiliates, subsidiaries, or agents maintain facilities.” Third, the statement asserts that “aggregated information from the Service for marketing” may be disclosed. While this aggregated information is not associated with any individual account, it may be used for marketing after an “opt-in consent” from the user. Finally, the privacy policy specifically addresses cookie use, web-beacon use, and encryption using HTTPS. While these assurances are definitely in the right direction, Microsoft will certainly want to ensure compliance with HIPAA’s privacy and security rules.

Considering that Google’s use of cookies has been under the spotlight before, we are looking forward to reviewing Google’s approach to both the privacy and security of personal health information.