Author: Discerning Data Editorial Board

Connecticut Supreme Court Establishes Private Right to Sue Over Medical Record Breaches

Share

The Connecticut Supreme Court has joined several other states by holding that health care providers owe patients a common law duty to maintain the confidentiality of their medical records. In a unanimous reversal of the lower court’s ruling, the court determined that the unauthorized disclosure of confidential information obtained in the course of a physician-patient relationship gives rise to a cause of action in tort against the health care provider, unless the disclosure is otherwise allowed by law.

Emily Byrne sued the Avery Center for Obstetrics and Gynecology, P.C. (“Avery”) for negligence and negligent infliction of emotional distress in connection with Avery’s release of her medical records in response to a subpoena issued by her ex-boyfriend, Andro Mendoza, in the course of a paternity action.  The subpoena instructed Avery to send the custodian of its records to appear, together with Byrne’s medical records, at the New Haven Regional Children’s Probate Court.  Avery did not alert Bryne about the subpoena, file a motion to quash it, or appear in court – it mailed Byrne’s medical records.  Bryne alleges that she suffered harassment and extortion threats from Mendoza because Avery gave him access to her medical records without her knowledge or consent.

Continue reading “Connecticut Supreme Court Establishes Private Right to Sue Over Medical Record Breaches”

VTech Settlement Resolves COPPA Allegations in FTC’s First Connected Toy Case

Share

The Federal Trade Commission announced a settlement with VTech Electronics Limited and its U.S. subsidiary in the FTC’s first case involving Internet-connected toys.

VTech had been charged with violating the FTC Act and the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from children without providing direct notice and obtaining their parent’s consent, as well as failing to properly secure the data it collected.  The settlement includes a payment of $650,000 in civil penalties, injunctive relief, and the establishment of a comprehensive security program.

Background

VTech, a Hong Kong corporation, and VTech Electronics North America, advertise, market and distribute electronic learning products (ELPs).  The companies offer online games available through the ELPs and operate the Learning Lodge Navigator online service, a platform similar to an app store that allows customers to download child-directed apps, games, e-books and other online content.  As of November 2015, approximately 2.25 million parents had created accounts with Learning Lodge for nearly 3 million children, according to the FTC.

Continue reading “VTech Settlement Resolves COPPA Allegations in FTC’s First Connected Toy Case”

Article 29 Working Party Releases Guideline WP260 on Transparency under the GDPR

Share

The Article 29 Working Party (WP29) released two guideline documents, WP259 and WP260, on the General Data Protection Regulation (GDPR) concepts of consent and transparency.  Comments on both documents will be accepted by the Working Party through January 23, 2018 after which the WP 29 working party will issue final guidance. WP29 is an independent European advisory body on data protection and privacy.

This blog post focuses on WP260, the guideline on transparency. Our companion post on WP259, the guideline on consent can be read here.

Transparency has long been a fundamental feature of EU privacy law and is an overarching obligation under the GDPR. The draft guideline notes that a central consideration of the principle of transparency is that the data subject should be able to determine in advance what the scope and consequences of the processing entails. Transparency applies in three central areas:

  • The provision of information to data subjects related to the fair processing of their personal data.
  • How data controllers communicate with data subjects in relation to their rights under the GDPR.
  • How data controllers facilitate the exercise by data subjects of their rights.

Continue reading “Article 29 Working Party Releases Guideline WP260 on Transparency under the GDPR”

Article 29 Working Party Releases Guideline WP259 on Consent under the GDPR

Share

The Article 29 Working Party (WP29) released two guideline documents, WP259 and WP260, on the General Data Protection Regulation (GDPR) concepts of consent and transparency in November.  Comments on both documents will be accepted by the Working Party through January 23, 2018 after which the WP29 will issue final guidance.   WP29 is an independent European advisory body on data protection and privacy.

This blog post focuses on WP259, which is the guideline on consent. We have also written a companion blog on WP260, the guideline on transparency.

Guideline on Consent

The guideline provides a thorough analysis of the notion of consent, which is one of the six lawful bases to process personal data under the GDPR. Article 4(11) stipulates that consent of the data subject must be:

  • Freely given.
  • Specific.
  • Informed.
  • Unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Continue reading “Article 29 Working Party Releases Guideline WP259 on Consent under the GDPR”

Georgetown Law Center Releases Report on Biometric Face Scans at Airport Departure Gates

Share

The Georgetown Law Center for Privacy & Technology released a report that takes a harsh look at the Department of Homeland Security (DHS)’s “Biometric Exit” program.  The “Not Ready for Takeoff: Face Scans at Airport Departure Gates” report  highlights the myriad number of privacy and fairness issues associated with the use of biometric data for screening and other purposes.   The Biometric Air Exit program uses biometric data to verify travelers’ identities as they leave the U.S. and has been deployed at Boston’s Logan International Airport and eight other airports.  The program is operated by DHS and uses photographs of passengers taken at the gate while boarding to verify travelers’ identities as they leave the country.  Prior to departure of an outbound international flight, DHS prepopulates the Traveler Verification Service (TVS) with biometric templates from the travelers expected on the flight.  TVS either confirms the travelers face or rejects the face as a “non-match.”  Non-matched travelers credentials will then be checked manually.

Continue reading “Georgetown Law Center Releases Report on Biometric Face Scans at Airport Departure Gates”

CMS Confirms Policy on Texting Patient Information among Healthcare Providers

Share

The Centers for Medicare & Medicaid Services (CMS) recently issued a State Survey & Certification Memorandum effective immediately in order to clarify its position on texting patient information among health care providers.

Although CMS acknowledges that the use of texting to communicate with other members of a patient’s health care team has become a common and invaluable practice, it acknowledges that such practice risks noncompliance with the Medicare Conditions of Participation (CoPs) or Conditions for Coverage (CfCs).  In order to text and comply with the CoPs or CfCs, CMS requires providers to use, maintain, and routinely assess secure, encrypted systems or platforms and minimize the risks to patient privacy and confidentiality per the Health Insurance Portability and Accountability Act and other requirements under the CoPs or CfCs.

Continue reading “CMS Confirms Policy on Texting Patient Information among Healthcare Providers”

©2024 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Attorney Advertising.
Privacy Policy