Posted in Health Privacy

Guide for Accessing and Using Medical Records Breaks No New Ground and Instead Doubles Down on Old Processes

Written by Anna Spencer and Milton Gregory

On April 4, 2018, the US Department of Health and Human Services’ (“HHS”) Office of the National Coordinator for Health Information Technology (“ONC”) released a new web-based resource – the ONC Guide to Getting and Using your Health Records – that promotes individual access to medical records by educating patients on their rights of access and amendment under HIPAA and provides detailed instructions on how patients should request their records. As ONC acknowledges, access to health information can empower patients and enable them to take control of their own health, well-being, and safety.  Although the guidance does not have the force of law, it offers valuable insight into how the Trump administration seeks to further patient rights under HIPAA.

The web-based guide is meant to help individuals, patients, and caregivers better understand how to access, review, and use their electronic (and paper) health information by providing instructions as well as tips, links and quizzes to test the individual user’s knowledge. Among other steps, individuals are told to collect the full names, physical addresses, phone numbers, and fax number or secure email (through any patient portal) for all of the doctors whom an individual wants to send and receive his or her medical record. The resource goes on to state that individuals may be required to complete forms when they request their records. The resource describes a potential form that contains at least twenty three data points.  Clearly, collecting this much information and completing a form for every health care provider will prove too burdensome to many patients.

The resource also suggests that individuals that follow through with accessing their health information utilize mobile apps to manage the data. It encourages individuals to select secure apps and provides a link to an FTC webpage with instructions on how to protect personal information, but it does not explain the privacy and security issues inherent in mobile health apps.  Individuals should understand that mobile health apps typically are not afforded the protections provided by HIPAA, unless the app is offered by a HIPAA covered entity or business associate.

The 21st Century Cures Act (“Cures Act”) amended federal law to permit business associates, (i.e., vendors of covered health care providers that process Protected Health Information (“PHI”) on behalf of health care providers) to provide access to PHI that they maintain in certain records.  However, ONC’s new resource does not include any guidance on what a business associate’s role is in the expansion of patients’ rights under the Cures Act.  Some business associates, such as health care clearinghouses, have PHI from multiple health care providers and health plans.  As such, they could serve as convenient supplemental sources of health records for individuals in addition to health care providers.

Covered entities and business associates should monitor the implementation of these provisions by the Office for Civil Rights. Covered entities will potentially need to revise their Business Associate Agreements to avoid interfering with business associate obligations and business associates will want to ensure that they comply with regulatory requirements.

 

Posted in Telecoms

Lawful intercept on VoIP services – Skype in Belgium

Article by Catherine Gysels, DLA Piper Brussels

According to Belgian criminal law, providers of telecommunication services are obliged to cooperate if an investigating judge orders a wiretap measure. In November 2017, Skype was found guilty of failing to give essential information and provide a wiretap on Skype calls as the company was considered as a provider. However, a discussion remains over Skype’s status as a telecom operator as another Belgian court sought guidance to resolve a lawsuit between the company and the national telecom regulator.

Facts

In 2012, a judicial investigation regarding a criminal organization was conducted in Belgium. Authorities established that a certain suspect within the investigation did not communicate by means of a normal telephone line, but only via a so-called Skype account. The magistrate then ordered a registration and tapping measure and demanded Skype to cooperate. In particular, the official warrant claimed that future conversations could be monitored by the investigators. Skype was contacted several times by the police, but reported that Skype users’ data is held by and owned by Skype located in Luxembourg. Skype would also not have any data of conversations between Skype users, which are video and chat messages, as well as exchanged files. Skype only supplied partial information, including email addresses of those concerned and account information, but not the content of communications.

As a result of the (implicit) refusal to cooperate, the police immediately lodged an official report, after which a prosecution investigation was started by the public prosecutor’s office. The Criminal Court would ultimately state Skype committed the crime of refusal to grant technical assistance to an investigation and order Skype to pay an effective fine of € 30,000. Before the court of appeal, Skype stated again that the Belgian judge would have no jurisdiction. In addition, the company claimed that Skype was not an operator of a telecommunication network or provider of a telecommunication service, and at least that there is no question of refusal of cooperation in the judicial investigation.

Territorial link with Belgium

In the first place, Skype pointed out that the offense did not have any territorial link with the Belgian territory, so that the Belgian judge would not have jurisdiction. Skype is, after all, a company incorporated under Luxembourg law and has no separate branch in Belgium. Now that Skype did not own or manage any infrastructure in Belgium, the crime could not have been committed in Belgium as the place where Skype could co-operate would, by definition, be Luxembourg.

The Court refers to the provisions of Article 3 of the Criminal Code, which stipulates that the offense committed in the territory of the Kingdom by Belgians or by foreign nationals must be punished in accordance with the provisions of Belgian law. A crime must be regarded as ‘territorial’ as soon as at least one of its constitutive elements is located in Belgium. As the requested information and the technical cooperation with the researchers was asked and had to be given on Belgian territory, the crime of refusing to disclose the requested information or providing the requested cooperation is committed at the place where this requested information or technical cooperation must be received by the competent investigators, or in Belgian territory. In other words, the Court motivated that the crime did not take place at the place where the legal person is located, but where the requested communication or information or cooperation has to be received. The obligation to cooperate can therefore be located in Belgium, even when those obliged to cooperate are abroad.

A provider of telecommunications/electronic communication services

Secondly, it had to be determined whether or not Skype is a provider of a telecommunications service. In the Belgian Yahoo case-law, these concepts were already defined very broadly by the Court of Cassation. Not only is the Belgian operator within the meaning of the Act of 13 June 2005 concerning electronic communication considered as a provider of a telecommunications services, but also anyone who provides electronic communications services, such as the transmission of communication data. The obligation to cooperate is therefore not limited, but for everyone who offers a service that consists entirely or mainly in the transmission of signals via electronic communication networks.

The Court of Appeal concluded that Skype complies with the concept ‘provider of a telecommunications service’, Skype was providing technical aids to users in Belgium and elsewhere in the world in the form of free software that allowed these users of electronic networks to exchange information with other persons. In order to be considered as a ‘provider of a telecommunications service’ in Belgium, it is therefore sufficient that the offered software is entirely or mainly intended and is used for communication between users via the internet. Moreover, the court expressly pointed to the twofold intervention of Skype in the electronic communication by its users: the users first have to download the Skype software on their device, with each user having to connect at the start of each communication with the Skype server, after which Skype performs a verification and authentication of the login data of the users.

Territorial obligation to comply with the request

After it was determined that Skype complies with the concept of a ‘provider of a telecommunications service’, the Court of Appeal would also express the view that the obligation to cooperate territorially applies to the company.

Again, the judgment took over the Yahoo reasoning, on the basis that that Skype participates in economic life in Belgium, whether or not it has a social or administrative seat on Belgian territory. In order for a provider of a telecommunications service in Belgium to be subject to a coercive measure, it is also required that there is ‘sufficient territorial connecting factor’ with the Belgian territory. Such a ‘sufficient territorial connecting factor’ may be that the foreign service provider is present in Belgium through his active participation in economic life in Belgium, even if he does not have a registered seat on Belgian territory. It is not the location of the office or establishment of the service provider that is decisive, but the place where that service provider offers his services.

In this context, the Court of Appeal reasoned that paying services were offered to Belgian users, as well as advertising targeted to Belgian users via the software. The proof that Skype had provided a Dutch version of its website so that Dutch-speaking Belgian users could automatically make use of the services in Dutch, can only be explained by the clear will to actively and commercially target potential users in Belgium. As a conclusion, the court states that Skype was also economically accessible and present for the Belgian consumer, so the company is also legally accessible and present in Belgium.

Legal obligations of a provider of electronic communications services

According to the judgment, Skype is liable under the national telecommunications law, which obliges telecommunications providers to work with legal investigations when required.

The relevant data available to Skype were transferred according to the company. Skype stated that without significant changes to its software and infrastructure it will not have access to the signals that its users send via the internet, and not to the communication data itself. The Court of Appeal understood that Skype could, therefore, actually get access to those signals if they would make (substantial) adjustments. It was precisely by not organizing itself so that Skype could meet its legal obligations that it was held to have committed the offense.

However, nowhere, either in Belgian legislation nor internationally, is the duty is laid down with regard to providers of electronic communication services to make systems interceptable or to limit encryption. This is also in contrast to the (European) data protection right and the freedom of encryption.

Moreover, the position in which Skype found itself in respect of Luxembourg law was not taken into account in any way. The court denies that Skype would violate Luxembourg law, since the obligation to cooperate would relate to communications in Belgium, providing information to the Belgian researchers and technical assistance with an interception measure on Belgian territory. However, the judgment disregards the fact that Skype, as a Luxembourg company, would commit a crime under Luxembourg law if it complied with the Belgian obligation to cooperate, which is in any case a situation of force majeure. In view of this international context, the entire problem could therefore have been avoided by the intervention of the Luxembourg judicial authorities through a request for legal assistance.

It is therefore questionable whether the reasoning of the Court of Appeal will stand in the proceedings before the Court of Cassation.

Telecom operators in EU law

In the meantime, another Belgian court of appeal sought guidance from the EU’s Court of Justice to clarify the criteria used to label companies as telecom operators, as laid down in the Directive of 7 March 2002 on a common regulatory framework for electronic communications networks and services (the Framework Directive).

Skype had been fined €223,454 by the Belgian Institute for Postal Services and Telecommunications, or BIPT, for failing to comply with Belgium’s telecoms law. In this dispute, BIPT focused on Skype as a provider of electronic communications in relation to the “SkypeOut” service, which allows calls over the internet to anyone with a fixed line or mobile phone.

SkypeOut requires the user to buy call credit, while calls are charged at local rates. The person being called is however not required to be a Skype subscriber. According to the BIPT, Skype should have registered the SkypeOut service as required by the telecoms law because it is a service provided against payment, which consists completely or mainly of signal transmissions and is carried over electronic communication networks. The regulator stated that not doing so “constitutes a serious offence which could damage the interests of users and competitors”.

Skype however argued that it is not providing a telecommunications service. A conversation with SkypeOut works on the one hand via the official telecom operators and on the other hand via internet providers. These two parties take care of the transmission of the signal and are therefore subject to regulation. In other words, Skype delivers the interface and prepares the VoIP data packets for sending, but only telecom companies and internet providers transport those packages. To motivate its argument, Skype refers to the legal definition of an electronic communication service. It states that such a service is entirely or mainly concerned with sending signals. Skype does work with such companies, but does not have digital pipelines to forward these signals.

EU judges will now have to decide on the criteria to classify companies as telecom operators / electronic communications service providers, which may impact Skype’s and other providers statuses as electronic communications providers in both EU and Belgian laws.

Posted in Telecoms

New Electronic Communications Code – now in force!

The new Electronic Communications Code came into force on 28 December 2017.

The intention behind the new Code is to introduce a range of measures to make it easier for telecoms operators to roll-out infrastructure.  The Code therefore gives telecommunications operators statutory rights to enable the installation, maintenance and use of telecoms equipment in order to operate their networks or provide an infrastructure network.  Such rights are known as “code rights” under the new Code.

As under the previous Code, operators can acquire Code rights by either entering into an agreement with a landowner or by serving notice on a reluctant landowner and then applying to the court for an order imposing an agreement.  The court will make such an order where it considers that: (1) the prejudice caused to the landowner can be adequately compensated by money; and (2) where the public benefit outweighs the prejudice to the landowner (taking into account “the public interest in access to a choice of high quality electronic communications services”).  However, the court cannot make such an order where the landowner intends to redevelop and would not be able to do so if the order were granted.

We set out below the key changes from the previous Code and key points to note.

  • No contracting out: Any terms in agreements that are contrary to the provisions of the Code are not enforceable;
  • Upgrading and sharing: Operators may upgrade equipment and/or share their sites with other licenced operators without landowners’ consent, if the changes to the equipment have no more than a minimal adverse impact on its appearance and no additional burden is imposed on the landowner;
  • Assignment: Operators may assign their rights without landowners’ consent save that a landowner may require the outgoing operator to guarantee the incoming operator’s obligations;
  • Consideration: The consideration granted to a landowner where a court imposes an agreement is based on the market value of the land on a “no scheme” basis (i.e. ignoring the value of having the telecoms equipment on the site and the Code rights that attach to it).  The current view in the market is that this will lead to lower rents/fees for landowners;
  • Statutory continuation rights: Telecoms leases will be outside of the scope of the Landlord and Tenant Act 1954, but operators continue to have separate statutory continuation rights under the Code.
  • Termination: Agreements between landowners and operators can provide for early termination of an agreement but landowners also need to consider an operator has statutory continuation rights under the Code.  Regaining possession of a site is unlikely to be as simple as serving a contractual break notice.  Instead, landowners will have to follow two separate processes set out in the new Code in order to (i) remove the Code rights and (ii) remove the apparatus itself.  This is likely to take around two years, as the landowner’s notice to remove the operator must give at least 18 months’ notice and can only be served if one of a specified number of grounds for termination applies;
  • Who is bound by agreement: It appears to be the case that an agreement entered into by a tenant will not bind the freeholder (although the freehold owner could find itself the subject of a court-ordered agreement if the operator does not want to leave the site on termination of that agreement);
  • Who can benefit from Code rights: Code rights can now be conferred not only on an operator but also on a person who provides infrastructure services for operators. Under the new Code an operator may apply to the Court for the grant of “interim code rights” for a specific period of time or until the happening of a specified event; and
  • Existing agreements: Agreements entered into when the previous Code was in force now need to be read in conjunction with the transitional provisions in the new Code as these have modified the operation of the some of the provisions of the old Code.

Ben Rogers (Legal Director), Rob Shaw (Senior Associate) and Jane Summerfield (Professional Support Lawyer) – DLA Piper UK LLP

Posted in Telecoms Uncategorized

Roaming and MVNOs – too clever by half

Just a quick note to draw attention to a decision by BIPT, the regulator in Belgium here

Lycamobile has been fined €30,000 for violation of the “roam like at home” requirements of the roaming regulation (contained in the 2012 regulation as amended in 2015). It appears that they were offering add-on bundles (at attractive prices) that did not did allow roaming alongside more expensive plans which did allow roaming (and which in practice would only ever be used when roaming).

The roaming regulation prohibits “roaming providers” from charging any surcharge ontop of the “domestic retail price” for roaming, and goes on to prohibit “any general charge to enable the… service to be used abroad”. The regime also includes wholesale price caps that the visited operator’s network can charge to the roaming provider for roaming services.

This puts MVNOs like Lycamobile in a difficult position because – as an MVNO – they never receive any inbound roaming revenue but yet the regulation now requires them to offer roaming to end users without any additional charge though they will incur an additional incremental fee. Thus each extra Mb or minute when roaming will be loss-making for them. Lycamobile must have designed their offer thinking they had found a way around this problem – but unfortunately for them the BIPT has determined that this violated the roaming regulation’s requirements.

In my opinion* it would always be open to an MVNO to block roaming for its end-users entirely – there is no requirement that roaming be offered, only that *if* it is offered there can be no surcharge. The issue here is that Lycamobile appeared to be allowing roaming but charging for it at a different rate from the rate applicable for domestic bundles.

Finally – and as an aside – i think the roaming regulation is clear that MVNOs *are* entitled to the benefit of the wholesale price caps – though if they are effectively reselling roaming bought from their domestic host MNO (called “wholesale roaming resale access”) then the host is entitled to charge a “fair and reasonable” increment on top of the regulated rate to reflect their extra costs in supplying roaming to the MVNO from the visited operator (see Article 3 of the 2012 Roaming regulation). We have seen some MNOs attempt to charge their MVNOs much more than this, arguing that the roaming regulation does not apply. This would appear to be wrong.

*Of course this is not legal advice and specific advice should be sought to confirm in any particular situation.

LexBlog