Author: Ted North

Airline COVID-19 Health Standards Remain Grounded While Holiday Travel Season Looms

The start of the holiday season—the busiest travel period in the United States—is just weeks away. Though the number of Americans taking to the skies this Thanksgiving is sure to be less than the 26 million travelers who passed through Transportation Security Administration checkpoints last year, passenger volume is nonetheless expected to surge.

However, potential travelers will have to weigh the risks of a COVID-19 resurgence against the range of travel options in an industry that remains largely outside the scope of any federally mandated COVID-19 safety regulations. The reticence to issue firm federal regulations to keep both passengers and workers safe has been a familiar narrative during this health crisis, and the airline industry has arguably been one of the most scrutinized segments of travel.

This unprecedented public health crisis begs the question: who is responsible for regulating passenger safety on airplanes as it pertains to COVID-19?

This is not a novel question. On March 14, 2020, in the early stages of the COVID-19 outbreak in the U.S., the Director of the Centers for Disease Control and Prevention (CDC), Dr. Robert Redfield, issued a No Sail Order for all cruise ships operating within the United States, effectively shutting down cruise lines until further notice. In the No Sail Order, the Director rooted his decision in scientific information about the transmission of COVID-19 and in the powers granted to him as the CDC Director in 42 CFR § 71.32(b). Dr. Redfield justified issuing this federal mandate as he determined that the scope of this pandemic “cannot be controlled sufficiently by the cruise ship industry or individual state or local health authorities.”

However, the federal government has enacted no other substantive regulatory measures on other sectors of the travel industry during the course of the COVID-19 crisis. Instead, the CDC has opted for issuing non-binding COVID-19 safety guidelines for different industries, leaving sectors, such as the airline industry, to individually self-regulate.

The result of this recommended guidelines approach is a wide array of safety policies that differ between airlines with no legal mechanism for enforcement, meaning that the repercussions for consumer noncompliance extend only as far as what is within the company’s power to implement (e.g. denying service, customer banning, etc.). Furthermore, this range of options forces the consumer to compare health and safety measures between available choices or settle for the only option available to them.

Opponents of national standards often cite a disdain for government regulations as a driving factor for inaction. The Department of Transportation (DOT) recently denied a petition requesting the implementation of a nationwide mask policy for airports and air travel under its rulemaking powers found in 5 U.S.C. § 553(b)(3)(B). In DOT’s response, General Counsel Steven Bradbury stated that the reasons for the denial were that guidelines recommending masks already exist, most air carriers have enacted mask policies, and DOT “embraces the notion that there should be no more regulations than necessary.”

Similarly, the New York Times reported that the CDC drafted a mandate last month that would require masks on all commercial and private transportation. The mandate was rooted in the CDC’s quarantine powers found in 42 USC § 264, 268, and was backed by the Secretary of Health and Human Services (HHS) Alex Azar II. However, the White House reportedly blocked the mandate, instead deferring to state and local authorities to issue their own guidance; Vice President Pence “declined to even discuss [the mandate]” with the White House Coronavirus Task Force.

This vacuum of federal safety regulation has led to a patchwork of self-regulation between industries and state officials attempting to establish legal standards to allow for enforcement of these standards. Some states, such as Virginia, have taken it upon themselves to codify CDC guidelines to provide legal standards for businesses and individuals alike whereas other states continue to pass the responsibility of public safety off to industries and individuals.

For interstate industries such as airlines, differing state and company standards are not sufficient to effectively manage the risks COVID-19 presents. Yet, a path toward the creation of national safety standards and a means of enforcement does exist. The CDC, DOT, HHS, and the president are provided various statutory powers while Congress has the ability to pass legislation—similar to some legislation passed at the state level—to create a national set of safety standards for certain industries.

As we approach the 2020 holiday travel season amidst the backdrop of a global pandemic, it is abundantly clear that the airline industry and the American people would be better served by a set of national safety regulations for air travel. The implementation of national safety regulations will provide the airline industry with means of legal enforcement for noncompliance, restore confidence in air travel, and provide airlines the best guidance from health experts to ensure consumer safety.

The Growing Role of Big Data in Pandemics

In early April 2020, the New York Times published an article showing the tracked movement of Americans in the midst of the COVID-19 pandemic by analyzing cellphone location data across the entire country. Similarly, Tectonix, a data analytics firm that used locations of anonymized mobile devices, tweeted an analysis of the movement and spread of 5.6 thousand individuals identified on a Ft. Lauderdale beach on a specific day. While this near-real-time analysis highlights the usefulness and practicality of Big Data in the fight against the pandemic, it also raises consumer privacy concerns in a largely unregulated sector.

As previously discussed, the U.S. relies on a patchwork of regulations to govern the collection and use of Big Data and to protect consumer privacy; this patchwork creates large gaps in regulation for Big Data usage. On April 9, 2020, the U.S. Senate Committee on Commerce, Science, & Transportation held a paper hearing entitled, “Enlisting Big Data in the Fight Against Coronavirus,” in order to address these concerns. The primary goal of the Committee’s hearing was to find the best way to maximize potential benefits of Big Data while minimizing the privacy risks to consumers.

Leading privacy experts submitted written testimony to the Committee recognizing the crucial impact of Big Data in the fight against the current pandemic, and the need for legislation that can protect consumer privacy while not diminishing its effectiveness. From identifying where social distancing is failing and understanding future transmission hotspots, to identifying environmental and geographic factors affecting the rate of disease transmission, Big Data provides actionable insight that other sectors are unable to provide. Still, enabling such unregulated use of Big Data during this outbreak may be risky; history has shown that practices enacted during emergencies are hard to undo.

The Future of Privacy Forum, a leader in privacy standards and principled data practices in support of emerging technologies, recommends four components to a “comprehensive federal privacy legislation that [is] flexible enough to support data-driven public health initiatives under the right safeguards and within limits consistent with privacy and civil liberties.” These components are: legal protections for sensitive data that includes not just health information but also geo-location data; mandatory privacy risk assessments for corporations involved in high-risk data processing; mandatory independent ethical review boards overseeing research that utilizes sensitive data—especially in sectors that are currently unregulated in their Big Data usage; and strict purpose limitation policies, which would require scientific research utilizing personal data to be “compatible” with the initial purpose for which the personal data was processed—pursuant to the European model.

Additionally, a consistent theme across proposals for increased regulation is the necessity for transparency. The mounting number of non-HIPAA-covered entities that are regularly collecting, using, and sharing sensitive consumer information makes it increasingly difficult for individuals to know who has access to their information and how that information is being used. However, increased transparency, in coordination with other privacy regulations, may encourage individuals to participate in data-related studies and ease concerns about how private information may be used.

The COVID-19 pandemic continues to test countless aspects of
our societal norms, economy, and legal system. Big Data pulls together many of
these issues by calling into question how much, and under what circumstances, individual
privacy should be exchanged for public health and safety. The Senate’s paper
hearing on April 9 confirmed the importance of Big Data in responding to the
current pandemic and also signaled potential legislative action to protect consumer
privacy in the modern digital world. While Big Data is playing a critical role
in fighting the pandemic, this crisis has nonetheless exposed legislative gaps
in protecting consumer privacy.

Google, Fitbit, and the Sale of Our Private Health Data

On November 1, 2019, Google’s Senior Vice President of Devices and Services Rick Osterloh announced in a blog post that Google had entered into an agreement to acquire Fitbit, Inc. This move signaled Google’s efforts to become a leading company in the $25 billion wearables market after failing to make a splash with its own line of Wear OS products. However, many current Fitbit customers and privacy watchdogs are concerned over the implications the sale will have on the privacy of the health data that Fitbit collects. The current lack of legal protection over health data collected by wearable technology and the inherent value of consumer data to Google’s business model present a problematic combination that could see an erosion of consumer privacy.

The primary legal structure governing the use of personal health information (“PHI”) is the Health Insurance Portability & Accountability Act of 1996, commonly referred to as HIPAA. The purpose of HIPAA is to mandate industry-wide standards for health care information and require the protection and confidential handling of PHI. Over the past two decades, the framework HIPAA established has become central to the protection of PHI and has held healthcare providers accountable in instances where PHI has been exposed.

Yet the rise in wearable technology and its functionality in recent years has exposed a gap in HIPAA protection. As the law is written, HIPAA does not apply to health data collected by wearable health technology. This is because HIPAA only governs organizations considered to be “covered entities,” which the law defines as either a health plan, a health care clearinghouse, a health care provider, or health care. Fitbit, as an organization that only collects health data for its customers’ own use (e.g. tracking step count for the user to view) and not to provide health care services, does not qualify as a covered entity. As a non-covered entity, Fitbit is not required to abide by the HIPAA-mandated regulations for the protection of PHI even though the nature of the information it collects (e.g. name, address, phone identification number, height, weight, heart rate, etc.) qualifies as PHI as defined by HIPAA. Thus, users are left to rely upon Fitbit’s self-published privacy policy and the notion that the company will not breach or change that policy for the protection of their sensitive information.

Fitbit currently collects data from its 28 million active users, and even showed off the power of its data last year by showcasing trends it gleaned from 150 billion hours of heart data, the largest set of heart-rate data ever collected. This type of large-scale data collection and use falls perfectly in line with Google’s own business practices in recent years. According to a 2018 report, Google is one of the largest collectors of personal data—even collecting more than Facebook. Google uses its hardware, websites, and applications to actively and passively collect as much data on its users as possible. The Associated Press found that even when users disabled the “location history” feature in several Google websites and applications, Google was still collecting and storing users’ locations.

This data has become one of Google’s most valuable assets. Data is the driving force behind Google’s ability to effectively deliver ads, which accounted for 83.75% of its 2019 Q3 revenue. Google’s ad revenue has also increased year-over-year from $21 billion in 2008 to $116 billion in 2018. A company whose primary source of revenue is the use of data for targeted ads will gain unfettered access to one of the largest health data sets in the world. This is why, although Fitbit and Google both stated that Fitbit data would not be used in Google ads, many critics are skeptical of Google’s intentions.

Google is poised to control vast amounts of our personal data and can use it for anything from targeted ads (e.g. ads for running shorts based upon increased running activity) to conducting beneficial or agenda-driven medical research. However the data is used, Google is gaining increased access to our most sensitive and personal information, not protected by HIPAA, while remaining a company whose main goal is not public health. This lack of legal protection over PHI data collected by wearable technology—and the immense value of data to Google’s business model—present clear privacy concerns for consumers that will only continue until action is taken to expand HIPAA in order to effectively protect all PHI.

Domino’s Pizza May Deliver the Supreme Court a Chance to Modernize the ADA

The Supreme Court of the United States could soon provide
greater clarity to the Americans with Disabilities Act’s (ADA) jurisdiction
over websites and mobile apps.

Domino’s Pizza is reportedly preparing a petition for certiorari to appeal a Ninth Circuit decision, Robles v. Domino’s (913 F.3d 898), which held that blind plaintiff, Guillermo Robles, could proceed with a lawsuit against Domino’s after alleging the pizza purveyor’s website and mobile app were inaccessible to him using screen-reading software. On appeal, the Ninth Circuit reversed the decision of the district court and held that the ADA applies to the website and mobile application as services of a place of public accommodation. If the Supreme Court accepts Domino’s “cert petition” for Robles, the Court would have the opportunity to rule on the issue of whether websites and mobile apps must comply with ADA standards.

The ADA was passed in 1990 under President George H.W. Bush as the “world’s first comprehensive declaration of equality for people with disabilities.” Since then, the ADA has been further refined and empowered by a mix of legislation and landmark Supreme Court cases. The ADA, at its core, is a law that “prohibits discrimination against individuals with disabilities in all areas of public life, including jobs, schools, transportation, and all public and private places that are open to the general public.”

Although the ADA’s jurisdiction over those places listed above is clear, its claim over the internet has been tenuous at best. The ADA still does not address digital or online compliance specifically, even as our lives become increasingly digitized. The current state of the law regarding online compliance to ADA standards is made up of a patchwork of federal appellate court decisions, which often have different or contradicting standards. This legal uncertainty was highlighted in 2018, when over 2,250 website accessibility lawsuits were filed in the U.S., increasing from 814 the year before. Still, the Supreme Court has yet to take up one of these cases to provide clarity in the law and relief to lower courts. A ruling by the Court on a website accessibility case could replace the appellate patchwork of case law with a single federal standard.

In Robles, the district court granted Domino’s summary judgment motion and dismissed the case holding that “imposing […] standards on Domino’s without specifying a particular level of success criteria and without the Department of Justice (DOJ) offering meaningful guidance on this topic … fl[ew] in the face of due process.”

The case was then appealed to the Ninth Circuit, which reversed the district court’s dismissal, holding that the ADA applied to websites and mobile apps for operators of places of public accommodation. This holding reaffirmed the standard “that, to be covered by the ADA, a website or mobile app must have a nexus to a physical place of public accommodation.” The court expounded upon this, noting that the ADA applies to services “of a place of public accommodation,” not “in a place of public accommodation.” The distinction by the court broadens the applicability of the ADA beyond the physical space to websites and mobile apps.

The Ninth Circuit stated there was such a nexus, as the “alleged inaccessibility of Domino’s website and app impedes access to the goods and services of its physical pizza franchises – which are places of public accommodation.” Additionally, the Ninth Circuit held that due process did not require DOJ to issue specific guidelines as Domino’s had been on notice “since 1996 of DOJ’s position that its website and app must provide effective communication.”

After the decision by the Ninth Circuit, Domino’s requested a sixty-day extension to file a petition of certiorari with the Supreme Court, which was subsequently granted by Justice Kagan; the petition must now be filed by June 14, 2019. In the request, Domino’s states, “[t]he Ninth Circuit’s decision in this case presents important and complex issues concerning the scope of the ADA, the resolution of which will have a significant impact on all businesses and institutions seeking to maintain an online presence.”

The stage is set for an overdue landmark determination of the extent of ADA’s jurisdiction over websites and mobile applications if a “cert petition” is filed and granted. A decision by the Supreme Court, in this case, could have immediate and far-reaching implications for both businesses and individuals covered under the ADA. Thus, lawyers, industry leaders, and ADA-covered individuals are closely watching this case as it develops.

Blockchain’s Promise for the Future of Healthcare

In the winter of 2017, the world was captivated by the rise and fall of Bitcoin. Every night during its historic rise, local news ran rags-to-riches stories of basement investors who had cashed out at the right time. Every day, bloggers, tech journalists, and finance journalists tried to diagnose the market and divine what portents this fluctuation may hold for the future. Even before Bitcoin hit its fever pitch in December of 2017, the national conversation focused on the technology powering it – Blockchain. Intrigued by the success of Bitcoin, industry leaders sought to understand Blockchain’s structure, potential, and capabilities. Although the Bitcoin craze eventually came to an end, the conversation over Blockchain continues and it is now positioned to make inroads into the healthcare industry.

Blockchain, in its modern form, was created in the fallout of the 2008 financial crisis. It is “[a] digital record or ledger [mini database] that is structured as a series of blocks that are strung together in a chain. Each block—a digital expression of a transaction or an event—is validated by multiple computers on the internet.” Blockchain is also highly secure because it distributes “blockchains” to millions of computers, creating a decentralized database.

This combined ability to both secure and share files simultaneously makes Blockchain an attractive new frontier for the healthcare industry. Large healthcare providers such as Cigna, Aetna, and Sentara Health have signed onto Blockchain pilot programs; even Apple signaled interest in Blockchain applications. In 2018, 45% of the healthcare industry experimented with Blockchain applications and 11% of the industry deployed Blockchain applications for use in business. By 2025, it is projected that 55% “of healthcare applications will have adopted Blockchain for commercial deployment.”

This growing trend of Blockchain’s presence in healthcare is due to the enormous benefits the system presents. Cognizant’s 2017 report, “Healthcare: Blockchain’s Curative Potential for Healthcare Efficiency and Quality,” identifies top benefits that healthcare organizations could gain through its implementation, such as strengthened data security and improved interoperability. As Cognizant’s report states, “Blockchain technology enhances privacy through modern public key encryption techniques, reinforces data integrity with its properties of immutability, and improves security with its decentralized data model” allowing for improved patient care through data interoperability between different care providers. Deloitte’s 2018 global Blockchain survey also identifies areas where Blockchain will provide significant value, such as disintermediation, transparency and auditability, and industry collaboration.

These advantages present solutions to long-standing problems that have plagued the industry’s ability to modernize, specifically the ability to digitize patient records into Electronic Health Records. Blockchain’s decentralized data also provides a single authoritative source for patient records resulting in lower cost for patients, better collaboration between professionals, and increased efficiency for providers. Full realization of these benefits has the potential to revolutionize and modernize the healthcare industry and drastically increase the quality of care that patients receive.

Yet Blockchain’s real-world implementation highlighted some operational hurdles. The Mayor’s office of Austin, Texas undertook a project called the “MyPass Initiative” to utilize Blockchain technology to improve the city’s homeless services by replacing paper records with “electronic encrypted records that would be more reliable and secure.” The initiative aims to “consolidate the identity and vital records of each homeless person in a safe and confidential way while providing a means for service providers to access that information.” Yet the program faces difficulties such as social buy-in and a reliable way to connect a person with an identity, which can hamper full implementation and in turn preclude the complete realization of the initiative’s benefits. These challenges are not insurmountable and overcoming them will pave the way for larger implementation of Blockchain technology in fields such as healthcare.

Blockchain’s utilization in healthcare is nowhere near complete, but its capabilities and potential operational effectiveness are becoming clear to industry leaders. Its promise to improve patient care through better interoperability, heightened data security, and lower cost is a benefit that the healthcare industry has long been looking to provide to patients. With growing industry engagement with Blockchain technologies and continued innovative pilot programs, such as Austin’s MyPass Initiative, we move ever closer to realizing Blockchain’s promise for the future of healthcare.

Electronic Health Records: The Dark Side of Digitizing Health Data in the Online Era

The Electronic Health Record (EHR) is permeating the healthcare industry. Easily accessible “minute clinics” and mobile apps providing diagnostic services are all fortuitous results of the increasing digitization of our medical history. While there are many clear benefits to having an EHR—providing accurate and better healthcare, better clinical decision making, and lower healthcare costs—there are numerous privacy risks associated with EHR utilization.

The EHR was a little-known concept when President George W. Bush broached the idea of computerizing health records in his 2004 State of the Union Address. Since then, the healthcare industry has seen a national push to become 100% EHR-dependent; a mission bolstered by President Obama promoting the use of EHRs in both the American Recovery and Reinvestment Act as part of the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 and the Affordable Care Act (ACA) of 2010.

Private industries and the general public are increasingly buying into the idea of EHRs as well; according to the Agency for Healthcare Research and Quality, there has been an upward trend in the percentage of patients who find the implementation of EHRs important. There has also been a year-over-year increase in the percentage of healthcare providers who have adopted EHRs, reaching 67% in 2017.

However, this progress toward 100% EHR utilization has also caused increased privacy concerns as EHRs contain a patient’s most sensitive data. These medical records are valuable on the black market as they include a wide range of personal information such as medical history, social security numbers, and insurance details. The permanency of this information provides criminals enough data to completely steal an individual’s identity as well as the ability to commit a wide array of other crimes.

In the summer of 2016, a rogue online actor known as “thedarkoverlord,” stole 655,000 health records from three healthcare providers in the United States. The hacker quickly put the stolen records up for sale on the dark web for an asking price of $700,000. The anonymous hacker told Vice’s Motherboard publication that “[t]he data could be used for anything from getting lines of credit to opening bank accounts to carrying out loan fraud and much more.” This data breach represented a mere 2.4% of all stolen electronic health records in 2016.

More often than not, the burden to resolve the theft of medical records—such as in the case of “thedarkoverlord”—rests with the patient. According to Ponemon Institute’s Fifth Annual Study on Medical Identity Theft, “[s]ixty-five percent of medical identity theft victims […] had to pay an average of $13,500 to resolve the crime.” The heavy financial burden and continued attacks directly affect the public’s concern for its privacy. In 2015, 68% of patients were not confident that their healthcare providers could protect their medical records from loss or theft.

To prevent and combat security concerns, lawmakers have enacted regulations “to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care.” These competing interests have become more difficult to balance with the increasing reliance on EHRs and thus the increasing opportunity to steal data.

The Health Insurance Portability and Accountability Act (HIPAA) has been the cornerstone legislation on health-data privacy and holds organizations responsible for breaches of data it protects, yet major data breaches still occur through company oversight. In an attempt to incentivize private entities to keep cybersecurity frameworks up to date, Ohio recently passed a law that creates a safe harbor against tort claims for companies who are victims of a data breach. In order to take advantage of this law, companies must comply with the strict state-mandated security framework criteria. Ohio’s innovative approach to cybersecurity enforcement aims to encourage all businesses to implement cybersecurity programs tailored to protect sensitive information while still allowing for technologies to improve.

When President Bush called for implementing EHRs in 2004, neither he nor anyone could have predicted the scale of the current data breaches. A healthcare system reliant upon EHRs is new territory for the health industry and will continue to draw in those who wish to steal its data. However, with continued reliance upon the protections of our regulations such as HIPAA and innovative methods to incentivize a high level of cybersecurity in the private sector, we can feel secure in our progress towards the future that EHRs can provide.