
Monday, May 26, 2008

Google Health Launches

By Dino Tsibouris & Mehmet Munur

Having concluded its testing at the Cleveland Clinic, Google Health launched amid privacy concerns last week. Commentators are concerned that Google is not currently regulated under the Department of Health and Human Services (“DHHS”) and Google’s claim that it is regulated by the Federal Trade Commission does not appear to appease them. Nevertheless, Google Health appears to have a solid approach to both storing health care data online and finding information about health issues with Google Health.

Google Health ships with terms of service, a privacy policy, a health sharing authorization, and a legal notice. The terms of service caution the user that Google Health does not offer medical advice, that the user is responsible for the security of the password, and that Google will treat the information provided by the user in accordance with its privacy policy—along with the usual limitation of liability and exclusion of warranties language. The privacy policy states that Google will not sell, rent, or share the information without the explicit consent of the user, explains what information Google retains, and clarifies how a user may share health data with a licensed third party health care provider. The health sharing authorization allows Google to pass along sensitive health care information to third parties that the user authorizes. Finally, the legal notice provides limitation of liability for Google’s partners that provide drug related information.

Commentators have at least two privacy concerns with Google Health. First, anyone with a Google username may instantly and easily sign onto Google Health. While Google requires that passwords be at least 8 characters long, it does not require that the passwords contain numbers, upper and lower case characters, and special characters—which would help create strong passwords. Considering that only a minority of users will create strong passwords when not required to do so, access to a user’s health information on Google Health is only as good as the password the user creates—assuming that Google’s systems are secure. However, both Microsoft and Google suffer from this same problem.

Second, Google (rightly) claims that it is not bound by the Health Insurance Portability and Accountability Act (“HIPAA”). The regulations under 45 CFR part 160.102 state that the Act applies to a) health plans, b) health care providers who transmit any health information in electronic form in connection with a covered transaction, or c) health care clearinghouses. A health plan is an individual or group that provides or pays the cost of medical care. Medical care includes diagnoses, cures, treatments, and transportation related to medical care, but not storage or transfer of information. A health care provider is a provider of medical or health services and any other person or organization that is paid for health care in the normal course of business. While medical services are defined ad nauseam in the regulations, none of those services relate to storage of healthcare information as a service.

A health care clearinghouse is an entity that processes or facilitates the processing of health care information from a nonstandard format (or data) to a standard format (or data), or vice versa. In promulgating the final rules on HIPAA, the DHHS stated that the definition was not meant to apply to telecommunication companies such as internet service providers or telephone companies, so long as they did not process the data in the fashion required. Therefore, processing of information coming from one entity and going to another entity appears to be at the heart of the regulations. Google does not process the data. It only makes it available to both the patient and the health care professional—presumably in the format it is provided. On the other hand, any manipulation of this data from standard to nonstandard format would trigger the regulations under HIPAA. In sum, Google Health currently resides in that gray area between explicitly exempt entities and nonexempt entities.

Nevertheless, Google’s interpretation of the current regulations is in line with DHHS’ Office for Civil Rights (“OCR”), which is in charge of the civil enforcement of the Privacy Rule under HIPAA. Susan McAndrew, senior advisor for the OCR, has stated in unofficial discussions that Google Health and Microsoft HealthVault are exempt from HIPAA rules, but that the Confidentiality, Privacy, and Security Workgroup of the American Health Information Community is in the process of making recommendations to regulate them under HIPAA. In regulating electronic health information exchange networks such as Google and Microsoft, the Workgroup has already identified six factors ranging from prevention of unauthorized access of the health care data to the purposes for which the health care data can be used. However, it will probably be years before such regulations take effect.

Yet, Google does not claim that it is exempt from regulation for its privacy policies. On the contrary, Google agrees that it is subject to section 5 of the Federal Trade Commission (“FTC”) Act. While the OCR responds to thousands of complaints every year, the FTC’s settlements are more public and its punishments are probably more severe. So far this year, the FTC settled with 5 companies for breach of privacy policies, including retailer TJ Maxx, publisher Reed Elsevier, and online advertiser ValueClick. Almost all FTC settlements include biennial security audits by independent third parties for 10 or 20 years following the settlement. Some include civil penalties. In 2006, the FTC settled with ChoicePoint for $10 million in civil penalties and $5 million in consumer redress. Such settlements tend to affect a company’s stock prices in the short run and hurt their brand images. Google is certainly aware of the consequences of a security breach at Google Health.

Google has a healthy competitor to Microsoft’s HealthVault in Google Health. However, both business models appear to be ahead of the legal regulations in this area of health privacy. Moving health records online will certainly benefit patients, healthcare providers, and companies such as Google and Microsoft—so long as all the parties involved understand and fulfill their responsibilities.


Tuesday, May 13, 2008

Ohio Supreme Court Prepares to Adopt Electronic Discovery Rules

By Dino Tsibouris & Mehmet Munur

The Ohio Supreme Court is finalizing Proposed Amendments to the Rules of Civil Procedure that include amendments related to electronic discovery. The comment period for the proposed amendments ended on March 4, 2008. The commission responsible for the rules had until May 1st to review and make changes to the proposed amendments. They have not. Therefore, the proposed amendments should take effect on July 1, 2008—unless the General Assembly adopts a concurrent resolution of disapproval. Though the Ohio Rules are very similar to the Federal Rules, the Ohio Rules differ to accommodate the differences in practical application.

Under proposed Ohio Rule 26, a judge may schedule a pretrial conference related to electronically stored information, while such a pretrial conference is required under the Federal Rules. Also, proposed Rule 26 clarifies the scope of discovery to include electronically stored information and limits it to cases where the information is reasonably accessible and its production not unduly burdensome or expensive. Proposed Rule 37 provides factors that are not provided in the Federal Rules that a judge should consider in determining sanctions as a result of routine, good faith operation of an electronic information system. Some of these factors are 1) whether and when the obligation to preserve the information is triggered, 2) whether the party intervened in a timely fashion to prevent the loss of information, and 3) whether the party took steps to comply with any court or party agreement requiring the preservation of specific information.

You may find the proposed amendments here.



Thursday, May 01, 2008

Senate Votes to Expand Student Loan Access

By Dino Tsibouris

We represent a number of student lenders with respect to their online lending operations. In the past several months we have observed a number of unique events in the marketplace, ranging from the reduction of interest rates in federally-insured student loans that have made the business financially unattractive to banks, to disruptions in the bond markets that have impaired the ability of lenders to obtain funds to make student loans. Many lenders have suspended student lending activity temporarily, stopped making certain types of student loans, or completely left the business and focused on other opportunities.

Students are now faced with increasing tuition costs at the same time that their access to student loans has substantially declined. To address these concerns, the Senate yesterday approved The Ensuring Continued Access to Student Loans Act of 2008 (similar to a bill that recently passed the House) to increase the amounts borrowers may obtain in federally-insured student loans. Both the Senate and House bills would also allow the Department of Education to buy existing student loans from lenders to free up their capital and allow the lenders to make new loans. President Bush is expected to sign the new legislation. It is important to note that the proposed legislation aims to increase borrowers’ access to FFELP loans, but does not affect private student loans that are not guaranteed by the government.

Interestingly, Federal Reserve Chairman Bernanke was quoted in the Wall Street Journal today as having sent a letter to senators inviting them to revisit their earlier decision to cut interest rates on federally-insured loans to entice lenders to return to the marketplace. Time will tell.


In Case You Missed It: Judge Dismisses Cheating Husband’s Breach of Privacy Policy Case

By Dino Tsibouris & Mehmet Munur

A federal judge in Texas recently dismissed a case (due to improper venue) in which the plaintiff alleged that the website’s breach of its privacy policy led to his wife finding out about his infidelity, which ultimately led to his divorce.

Plaintiff Leroy Greer called 1-800-FLOWERS (Company) and ordered flowers for his girlfriend. He was directed to 1-800-flowers.com when he inquired about the Company’s privacy policy. After the purchase, the Company sent a “thank you” note to his home, which prompted his wife to contact the Company for proof of purchase, a copy of the note attached to the flowers, and information about the husband’s girlfriend. Greer filed suit for $1.5 million arguing that the Company’s actions breached the privacy policy and caused him damages in connection with the divorce that followed.

In its defense, the Company argued that the forum selection clause of the website terms of use specifically assigned Nassau or Suffolk counties of New York exclusive jurisdiction. In response, Greer argued that because the transaction had taken place over the telephone, the forum selection clause was not applicable. In essence, Greer argued that his use of the website to view the privacy policy did not amount to full-fledged use to trigger the terms of use but that the phone transaction governed.

The court disagreed for two reasons. First, the privacy policy was a part of the terms of use which stated that accessing any part of the website legally bound the user to its terms. In other words, Greer was cherry-picking the parts of his agreement with the Company—wanting to enforce the privacy policy but not the terms of use. Second, the court ruled that Greer did not successfully show that the terms of use only applied to web transactions.

The court then summarily found that the forum selection clause did not violate the Supreme Court’s four-factor forum selection test. After all, whether the Plaintiff actually read the terms of use was beside the point considering that the privacy policy contained a link to it, specifically mentioned it, and notified the user of its existence. Greer was going to have to sue the Company in New York.

While Greer’s lawyer suggested that they would be filing the case in New York in the next couple of weeks, research has not revealed whether he actually has. For details related to Greer’s note to his girlfriend and his wife’s discovery, visit here. Visit here for the MSNBC story.
The case is Greer v. 1-800-Flowers.com, Inc., No. H-07-2543, 2007 U.S. Dist. LEXIS 73961 (S.D. Tex. Oct. 3, 2007).