The Department of Health and Human Services Office for Civil Rights (OCR) recently issued a reminder to business associate entities regarding the potential for direct liability for certain violations of the Health Insurance Portability and Accountability Act (HIPAA). In a Fact Sheet issued on May 24, 2019, the OCR provided the following list of HIPAA violations for which business associates are directly liable:
- Failure to provide the Secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance.
- Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.
- Failure to comply with the requirements of the Security Rule.
- Failure to provide breach notification to a covered entity or another business associate.
- Impermissible uses and disclosures of PHI.
- Failure to disclose a copy of electronic PHI (ePHI) to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively.
- Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
- Failure, in certain circumstances, to provide an accounting of disclosures.
- Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.
- Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.
This recent unsolicited reminder from the OCR regarding direct liability for business associates is a chilling reminder of the potential consequences of an entity’s failure to implement a HIPAA compliance program. If you need assistance developing and implementing a HIPAA compliance program, either as a covered entity or as a business associate, please contact us.
The United States Patent and Trademark Office (USPTO) recently announced a new rule requiring all foreign-domiciled trademark applicants, registrants, and parties to Trademark Trial and Appeal Board proceedings to be represented by an attorney who is licensed in the United States. The requirement applies to parties whose permanent legal residence or principal place of business is outside the United States. The new rule also requires all U.S.-licensed attorneys to confirm they are an active member in good standing of their bar and to provide their bar membership information. Under Secretary of Commerce for Intellectual Property and Director of the USPTO, Andrei Iancu believes that “This rule is a significant step in combatting fraudulent submissions.” The new rule goes into effect on August 3, 2019.
In a recent opinion, the Delaware Court of Chancery held that a party to a merger agreement properly terminated the merger agreement when its counterparty failed to extend the merger deadline by providing the required notice. In Vintage Rodeo Parent, LLC v. Rent-a-Center, Inc., two parties to the merger agreement negotiated a provision providing that the merger must be completed within an initial six-month deadline or either party could terminate the merger agreement at will and receive a termination fee. The merger agreement granted each party the unilateral right to extend the merger deadline upon written notice of extension to its counterparty prior to the deadline.
In recent opinions, courts have demonstrated a willingness to significantly narrow the applicability of the North Carolina Unfair and Deceptive Trade Practices Act, N.C. Gen. Stat. 75-1.1, et seq.(NCUDTPA), in the context of business disputes by broadly interpreting the applicability of the securities exemption. Like its name suggests, the securities exemption excludes securities transactions from the scope of the NCUDTPA. A recent federal court decision in Robichaud v. Engage2Excel, Inc.,et al., Case No. 5:18-CV-00086-GCM, 2019 WL 2076561 (W.D.N.C. May 10, 2019), indicates that the scope of the securities exemption is broad. The case involved allegations that, following a merger, the defendants withheld the plaintiff’s portion of the merger proceeds because plaintiff, who owned a competing business in the same industry, refused to agree to non-competition, non-solicitation, and non-disparagement provisions. The defendants moved to dismiss the NCUDTPA claim, arguing that the claim should be dismissed pursuant to the securities exemption, because the case arose from a complex securities transaction. In response, the plaintiff argued that the securities transaction was not the focus of the NCUDTPA claim, pointing out that the offensive conduct was the unfair competition in the form of refusing to pay plaintiff his portion of the merger proceeds unless he agreed not to compete with defendants. After finding that the unfair and deceptive conduct was inextricably intertwined with a securities transaction, the Court dismissed plaintiff’s NCUDTPA claim.
In a post-trial memorandum opinion, the Court of Chancery held that a fully executed warrant agreement between an early employee and her employer did not reflect a meeting of the minds and therefore there was no valid contract. Significant to the Court’s decision was the limited contemporaneous evidence that existed related to the negotiations surrounding the contract. The Court held that the only contemporaneous evidence of any real value was the drafts of the warrant agreement. Those drafts, and the evidence presented at trial revealed that towards the end stage of negotiations the company sent a draft version of the warrant agreement to plaintiff, plaintiff made edits to the draft including removing or diluting certain restrictive covenants contained therein, plaintiff then signed the edited version and sent it to the company for execution without addressing the fact that she had made the edits, and the company believing the version of the warrant agreement that was returned was the same as the version it had sent to plaintiff, failed to notice plaintiff’s edits and signed the agreement. The Court held that, despite the agreement being fully executed, there was credible and convincing evidence that the parties were not operating on the same page and that the company’s representatives believed they were signing the version of the agreement that they had sent to plaintiff, not a version that was edited by plaintiff. As a result, the Court held that there was no meeting of the minds and that the proffered warrant agreement was invalid.
The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a joint statement to emphasize their risk-focused approach to examinations of banks’ Bank Secrecy Act/anti-money laundering (BSA/AML) compliance programs. Although the joint statement does not alter long-standing BSA/AML compliance standards, it highlights the need for financial institutions of all sizes to determine their internal and external risk profile and implement a risk-based BSA/AML compliance program that reflects the realities of the risks faced by particular financial institution. In light of the recent focus on BSA/AML compliance, banks and financial institutions should review their BSA/AML compliance programs on a regular basis, update their enterprise-wide risk profile, and review/enhance their BSA/AML compliance program to ensure that it adequately addresses the relevant risks.
On July 17, 2019, the United States District Court for the Central District of California order striking putative class action allegations from the complaint for failure to comply with L.R. 23-3. In Fabricant v. Goldwater Bank, N.A., Case No. 2:19-cv-00164-DFS-JC, the plaintiff brought a claim for violation of the Telephone Consumer Protection Act (TCPA) on behalf of himself and other similarly situated individuals, alleging that he was contacted on numerous occasions by the defendant without consent and in violation of the TCPA. After the case had been pending for more than 120 days, Goldwater Bank, N.A. moved to strike the putative class allegations from the Complaint based on plaintiff’s failure to comply with L.R. 23-3, which requires that class action plaintiffs move for class certification within 90 days of serving a class action complaint. Plaintiff argued that the L.R. 23-3 was invalidated by the Ninth Circuit’s recent decision in ABS Entertainment v. CBS Corp., 908 F.3d 405, 427 (9th Cir. 2018). The Court rejected Plaintiff’s argument that L.R. 23-3 was invalidated, explaining