The DOL Sets the Stage for an Active 2020

On January 16, 2020, the U.S. Department of Labor (“DOL”) issued its final rule regarding joint employment under the Fair Labor Standards Act (“FLSA”).  The new rule will go into effect on March 16, 2020 and creates a four-factor balancing test for determining joint employer status.  The question of joint employer status can become an issue when a company contracts to use the services of another company’s employees, such as a staffing agency, or when a company is a franchisor whose franchisees have employees. The four factors the DOL will examine are: 

Does the potential joint employer: 

  • Have the ability to hire or fire the employee; 
  • Supervise and control the employee’s work schedule or conditions of employment to a substantial degree; 
  • Determine the employee’s rate and method of payment; and 
  • Maintain the employee’s employment records. 

No single factor is determinative and the weight given to each factor will vary depending on the facts in each situation.  However, the rule does make clear that merely maintaining employment records will not, in the absence of other factors, establish joint employer status.  The final rule also makes it clear that the potential joint employer must actively exercise one or more of the four control factors.  The ability to control these factors, if not actually exercised, is not enough to establish a joint employer relationship. 

The final rule also indicates that the use of a franchise model does not make it more or less likely that a corporate franchisor will be considered a joint employer of its franchisees’ employees. Finally, the fact that a business requires a subcontractor, personnel provider, or franchisee to maintain policies that encourage legal compliance, such as requiring a personnel provider to maintain workplace safety or harassment policies, does not make joint employer status more likely, so long as the primary employer, not the contracting employer, is responsible for enforcing those policies. 

The final rule replaces an aggressive and expansive standard used by the prior administration, so this change is a win for the business community. While Iowa employers should continue to be cautious and use best practices when using contracted personnel, the new rule reduces one area of risk associated with a franchise model or the use of staffing agency personnel. 

In other DOL news, the agency continues issuing opinion letters at a rapid pace.  We are only a month into 2020 and the DOL has already issued letters addressing: (1) the calculation of overtime pay for a non-discretionary lump sum bonus paid at the end of a multi-week training period; (2) whether per-project payments satisfy the salary basis test for the administrative, executive and professional exemptions; and (3) whether a combined general health district must count employees of the County where the district is located for purposes of determining FMLA eligibility.  Stay tuned for more as we get further into 2020!

About Sara G. Sidwell

Sara Sidwell recently joined Shuttleworth & Ingersoll, P.L.C. after spending six years as in-house employment counsel for a large financial services company and a multi-national furniture manufacturer and retailer.  Sara advises and represents clients in all aspects of employment law, including discrimination and harassment, disability management, workforce reductions or restructuring, employment contracts, wage and hour compliance, background checks and FCRA compliance, performance management, noncompetition claims, commission agreements and claims, safety issues, workers’ compensation, and whistleblower claims. As a former in-house attorney for two large, multi-state corporations, Sara has significant counseling experience associated with all aspects of the employment relationship, from hire through termination, as well as conducting complex workplace investigations and providing manager and employee training. Sara handles charges before federal and state administrative agencies as well as all aspects of employment litigation, from the initial investigation through trial.

Five Tips for HIPAA-Compliant Online Engagement in Healthcare

The U.S. Department of Health and Human Services, Office of Civil Rights (OCR) recently entered into a settlement agreement with a private dental practice following a violation of the HIPAA Privacy Rule. The settlement stems from a report that the dental practice received a patient complaint on its Yelp page and publicly responded with some of the patient’s protected health information (PHI). OCR’s investigation went on to find that public disclosure of PHI had actually affected multiple patients of the practice. The dental practice will now pay a $10,000 fine and comply with a corrective action plan, which includes developing policies and procedures to ensure that interactions with patients on social media are compliant with the HIPAA Privacy Rule.

This settlement agreement is a good reminder of the importance of developing policies and procedures for interacting with patients on social media and ensuring that staff are properly trained on them, so as to avoid unauthorized disclosures of PHI and to protect an organization’s reputation.

Online Reviews, Social Media, and HIPAA

As social media continues to become more prominent in our society, online reviews can have a tremendous effect on consumer habits; healthcare organizations and providers are no exception. Patients are making choices about where they will seek their healthcare based on reviews, so it is crucial that providers and organizations are responsive to the experiences and needs of reviewers. Even more important than online engagement is the need for organizations to maintain compliance with the HIPAA Privacy Rule. Developing specific policies and procedures for responding to these reviews can be a helpful tool as organizations strive to provide the best care and experiences for their patients.

Here are five helpful tips for healthcare organizations looking to develop policies and procedures for responding to reviews in a HIPAA-compliant manner.

1. Never acknowledge that the reviewer was a patient.

Although the reviewer may identify themselves as a patient, it may be a HIPAA violation for the organization or provider to acknowledge that the reviewer was actually a patient. Never repeat the reviewer’s name in your response, never respond with information that would reveal why they were seeking care, and never discuss financial information. Remember that it is not a valid excuse to say that you never used the patient’s name: there are 18 identifiers protected by HIPAA, including dates of service and geographic data. Further, an improper disclosure can occur even through indirect identifiers if, when combined with other information, the identity of the individual may be pieced together.

2. Develop a template for responses.

When sites allow for a response, it is important to engage to show people that the organization is responsive and cares about feedback. Using templates in the response can help to ensure HIPAA compliance.

3. Take conversations private, but not to private messages.

Giving people an opportunity to talk about their feelings and experiences is important, but organizations should not engage in these conversations online. Private messages may seem private, but they are still subject to HIPAA and cannot contain PHI. It is best to engage in these conversations over the phone or in person. Email may also be an option for communication if proper authorization has been received.

4. Don’t share pictures of patients on social media.

Don’t share pictures of patients even if you think they are de-identified. People may recognize a photo based on someone’s birthmarks, moles or general familiarity with their form. With proper consent it may be appropriate to share pictures, but it is best to avoid sharing photos altogether if you can.

5. Always be courteous.

Regardless of the review being positive or negative, it is important to take the time to thank the reviewer for taking the time to give their feedback. Being courteous, even to negative reviews, will show potential patients that you value feedback and are striving to improve the organization.

Examples of Responses that are HIPAA-Compliant

Here are some potential templates for responses to both positive and negative reviews.

HIPAA-Compliant Responses to a Positive Review

  • Thank you for your review. We strive to provide high quality care.
  • Thank you for taking time out of your day to share those kind words. Our goal is to provide high quality care, so your feedback is appreciated.

HIPAA-Compliant Responses to a Negative Review

  • Our goal is to provide high quality care, so your feedback is appreciated. Please call us at [phone number] or email us at [email address] so we can learn more.
  • We deeply regret the inconvenience. Please call us at [phone number] or email us at [email address] so we can learn more.

OCR Director Delivers Reminder of the Human Component of Cybersecurity in Healthcare

Roger Severino, director of the Office of Civil Rights (OCR), delivered an address on October 16 in Washington D.C. to recap recent HIPAA enforcement efforts conducted by OCR, along with advice for covered entities to think proactively about protecting their patients’ medical records given the constant threat of attack from bad actors and data exposure. Here are a few key takeaways from his presentation involving HIPAA matters.

Training Employees as a Major Component to Safeguard from Attacks

Two of the main areas of concern continue to be phishing attacks and FTP/hacking attacks as entry points for attackers. The technical side has played a bigger role in recent breaches. Ransomware is a real threat. Entities should make sure they have all the necessary safeguards, which include firewalls and “especially training your employees,” according to Severino.

He explained that phishing attacks occur when employees let their guard down because of social engineering. He cautioned that phishing attacks are getting better: the emails no longer appear to come from a foreign country or contain obvious misspellings. Simply put, Director Severino stated, “If you are part of an entity and don’t have a program for testing your employees with fake phishing emails, consider doing that.” He added, “It is almost becoming standard because we’re getting so many phishing attacks and that is one of the primary ways of protecting yourself from viruses, phishing, and ransomware.” Additionally, make sure your staff understands there can be fake tech support attempts. Finally, he said that another human factor is weak authentication protocols: moving to two-factor authentication allows you to require less frequent password changes.

In short, do not ignore the HUMAN SIDE as a security threat. Educate and train your employees. Educate them not to share passwords. Educate your Human Resources staff to make sure former employees are stripped of their access, with passwords changed and tokens and keys retrieved on the day they are dismissed.

Right to Access Rule Update

During his address, Director Severino commented that the Office of Civil Rights is looking to see if there is a need to address the “right to access” rule. For example, it should not be difficult for records from one provider in one state to be sent to a provider in another state, but oftentimes entities require the patient to fill out a request or authorization to facilitate the transfer. In other words, Director Severino believes there is nothing in place to guarantee that the patient’s records would be sent without the patient requesting his/her own records and doing all the work him/herself. OCR is exploring expanding the rule so that this sharing of medical information can be seamless and automatic.

Doctors May Disclose Information to a Family Member

He reminded the audience that OCR has issued guidance to clarify that HIPAA does, in fact, allow providers to disclose information to a family member if the member is involved in the patient’s care, if it is an emergency and the patient is incapacitated, or if there is a threat to health or safety (which include the patient’s own health and safety). OCR is also considering modifying the standards for what counts as a threat to make sure that providers are “fully empowered to address these life and death situations.” He believes entities are using the shield of HIPAA to say they are not allowed to release information and OCR is going to try to take down those shields so that providers understand better that there are times where information can be disclosed to loved ones, and in some cases, law enforcement.

Reconsideration of Notice of Privacy Practices

The Office is evaluating whether it continues to make sense to require incoming patients to sign acknowledgement of the Notice of Privacy Practices, when very few people read the Notices anymore. The HIPAA regulations currently state that the patient’s signature must be requested and if the patient does not sign, then the provider has to document the efforts to get the signature and retain that paperwork documenting the efforts and the refusal. Director Severino acknowledged that this has created “millions of pieces of paper that [OCR] has not used in [their] enforcement actions.” He queried: “Has this signature requirement become an unnecessary barrier to healthcare? Is it worth keeping?” OCR has submitted these questions to covered entities for feedback. The Director encouraged everyone to respond to these inquiries if interested in these issues. This is “your chance to give input on what [OCR is] doing as an agency,” he said.

Patients Control Sending PHI to Third-Party Apps

He pointed out that OCR has issued an FAQ on health apps, as this is a growing area in the industry. “One of the first things you need to realize is that covered entities do not have a monopoly power over their patients’ or their customers’ PHI.” If a patient requests that her information be sent to a health app, the patient’s request should be honored so long as the provider does not view the app as a malware or virus threat to the provider’s own systems. If the release is to a third party with which the provider/entity does not have a Business Associate Agreement (BAA), it is appropriate to release the information at the patient’s request (again, absent a threat to the provider’s own systems). The entity/provider is not liable for what happens after the PHI goes to the app, provided the app is not acting on behalf of the covered entity. For the patient, it is “buyer beware.” Of course, if the app is the entity’s own app, then a BAA is needed and there is responsibility for what happens when the PHI is disclosed. Director Severino, however, noted that “we need to play a role in informing folks on what the lay of the land is,” and people need to know that the app they are using may try to sell their information, give it to researchers, market it, etc., as well as the threats that may arise from where the app’s server is located. He suggested that entities provide the information to the patient’s app when the patient requests it, but give a disclaimer stating that the entity is not responsible once the data goes to a third-party app that is not affiliated with the covered entity.

Updates to Enforcement of HIPAA from the OCR

Director Severino also shared what has been done on the enforcement side.

Procedures for Access to PHI When Employees Leave

Pagosa Springs Medical Center (Colorado): Google Calendar was used to book clients and make appointments, and it was available to all staff who managed the calendar. There were two problems: (1) an employee left the company but retained access to the calendar (still had the password/credentials); and (2) Pagosa did not have a BAA with Google for this calendar. Director Severino reminded the audience that many companies (Google, Microsoft, etc.) have “enterprise” versions of their apps that are HIPAA-compliant and for which the Business Associate will sign a BAA. Entities and providers should make sure they have a strong policy/procedure in place for how to deal with terminated employees or employees who have left the company. Settlement with OCR: $111,400.

Open FTP Access to a Server

Cottage Health (California): A server holding 62,000 lab and diagnostic results was breached. The entity had an FTP server that was accessible without proper password controls. There was a tech support issue and, during the overhaul of the server, it was not configured properly and was left “open.” The lesson here is to conduct a proper risk analysis/assessment to identify these threats. The risk analysis should be revisited whenever there are changes to servers and similar systems; the same checklist that is part of the risk analysis should be run at times like these. Settlement with OCR: $3 Million.

Another Open Server, Left Open After Warnings

Touchstone Medical (Tennessee): 300,000 patient records (names, addresses, SSNs, etc.) were available to the world, searchable by Google and indexed on its pages. The FBI informed Touchstone AND OCR that the entity’s FTP servers were allowing uncontrolled access. Touchstone first denied there was a problem. It did not take the “hint” from the FBI/OCR and continued to leave the servers open for some time afterwards. Pay attention to the red flags! Settlement with OCR: $3 Million.

Lack of Risk Analysis Leads to Hacker Breach

Medical Informatics Engineering (Indiana): Hackers obtained a user ID and password. MIE self-reported to OCR. The breach impacted 3.5M people. OCR’s investigation revealed that MIE had not conducted a comprehensive risk analysis prior to the breach. Settlement with OCR: $100,000.

Social Media Pitfalls

Elite Dental (Texas): The entity violated HIPAA when responding to a negative YELP review. Read more about this settlement between OCR and Elite Dental from Shuttleworth & Ingersoll Associate Attorney Hayleigh Hansen-Boardman.

Setting a Precedent for Enforcement of Right to Access

Bayfront Health St. Petersburg (Florida): This was OCR’s first case involving a patient’s right of access, and the enforcement involved only one patient. The patient wanted the records of her unborn child (fetal heart rate records) and was denied access for nine months. Under the rules, an entity must respond and provide the records within 30 days. Bayfront did not comply, so OCR took action. “This is the first of what we expect to be several enforcement actions on the right of access.” OCR feels it has run many campaigns to educate on the right of access, and since it remains a problem it is time for “serious enforcement.” Settlement with OCR: $85,000.

OCR Chooses Cases to Send a Message

With enforcement, Director Severino commented that his Office is “not out to bankrupt companies to make a point.” The OCR chooses cases based on their importance and the message.

He also stated during his presentation that the Elite Dental case demonstrates the fact that OCR will “go for big cases and small cases.”

Future Focus of Enforcement Actions

OCR is “moving away from the laptops” and doing more regarding the right of access, as OCR sees that as a need. It also sees future enforcement actions related to hacking and IT breaches. If a stolen laptop was encrypted, OCR presumes that the PHI is safe.

OCR encourages entities to subscribe to their cybersecurity newsletter as it addresses the latest topics and threats.

Is Your Own Staff Your Biggest Cybersecurity Threat?

A recent posting in the Office of Civil Rights’ 2019 OCR Cyber Security Newsletter suggests that the individuals in your organization should not be overlooked when trying to prevent the exposure of your patients’ protected health information. Too often, health care providers and organizations consider their staff to be “trustworthy,” leading organizations to be lax about their security. Anyone who has access to health information has the ability to expose an organization to security threats.

“Malicious insiders” do exist and can harm your organization by intentionally leaking information. We have all heard of examples in the news: the employee who accessed the medical records of celebrities for financial gain, using patient information to commit fraud and identity theft; accessing information for their own legal issues. Malicious insiders may copy information to a storage device (hard drive, USB), send it to their personal email, steal/remove equipment, and transmit information in encrypted messages. Have you ever heard of steganography? Look it up if you haven’t.

The harm a malicious insider can bring to your organization varies, and it is usually not just the loss or disclosure of the data but other harms such as reputational harm and civil liability, not to mention federal and state regulatory enforcement responses.

OCR cited data from the 2019 edition of Verizon’s Data Breach Investigations Report that reveals 59% of all security incidents and breaches (malicious and those without malice) were from “trusted insiders.” Financial gain was the primary motivator.

So how can you identify malicious activity quickly and in time to prevent or mitigate the effects of these actions? The following tips and suggestions are taken directly—word for word—from the OCR’s Newsletter[1]:

  • The where, who, what, and how of safeguarding critical data.
    • An organization should understand where its data is located, the format in which it resides, and where its data flows throughout its enterprise. This knowledge is crucial to conducting an accurate and thorough assessment of the risks to the confidentiality, integrity, and availability of an organization’s critical data. Once these risks are understood, policies and procedures can be developed or updated and security measures implemented to reduce these risks to a reasonable and appropriate level. See 45 CFR §§164.308(a)(1)(ii)(A)-(B) (risk analysis and risk management), 164.316 (policies and procedures and documentation requirements).
    • An organization should establish who is permitted to interact with its data and what data those users are permitted to access in determining appropriate access controls. Access controls can take many forms. For example, physical access controls as simple as doors that need keys for opening can limit an unauthorized person’s ability to enter sensitive facilities or locations; network access controls can limit access to networks or specific devices on a network; role based access controls can limit access to certain devices, applications, administrator accounts, or data stores to only a defined group of users. Organizations should leverage their risk analysis when establishing and implementing access controls. See 45 CFR §§164.308(a)(3) (workforce security) and (4) (information access management); 164.310(a) (facility access controls), (a)(2)(iii) (access control and validation), and (c) (workstation security); and 164.312(a) (access control), (d) (person or entity authentication), and (e) (transmission security); 164.316 (policies and procedures and documentation requirements).
    • Another important consideration is how an organization’s users will interact with data. Do the duties of the user’s job require the capability to write, download or modify data or is read-only access sufficient? Do users need to access data from laptops, smart phones, or mobile storage devices (such as thumb drives)? Such devices are more difficult to safeguard and control, especially if they are “personal” devices owned by the user. An organization should consider limiting unnecessary mobile device use and implementing security controls to prevent copying sensitive data to unauthorized external devices. If users are given access to mobile or storage devices, the organization must implement appropriate security controls to safeguard the data when using such devices. See 45 CFR §§164.308(a)(4) (information access management); 164.310(a) (facility access controls), (b) (workstation use), and (d) (device and media controls); 164.312(a) (access control) and (e) (transmission security); and 164.316 (policies and procedures and documentation requirements).
  • Real-time visibility and situational awareness. The migration to cloud computing, increased use of mobile devices, and the adoption of Internet of Things (IoT) technology can greatly reduce an organization’s ability to detect anomalous user behavior or indicators of misuse by either a trusted employee or third party vendor who has access to critical systems and data. To minimize this risk, an organization may employ safeguards that detect suspicious user activities, such as traffic to an unauthorized website or downloading data to an external device (e.g., thumb drive). Maintaining audit controls (e.g., system event logs, application audit logs) and regularly reviewing audit logs, access reports, and security incident tracking reports are important security measures, required by the Security Rule, that can assist in detecting and identifying suspicious activity or unusual patterns of data access. See 45 CFR §§164.308(a)(1)(ii)(D) (information system activity review), and 164.312(b) (audit controls).
  • Security is a Dynamic Process. Good security practices entail continuous awareness, assessment, and action in the face of changing circumstances. The information users can and should be allowed to access may change over time; organizations should recognize this in their policies and procedures and in their implementation of those policies and procedures. For example, if a user is promoted, demoted, or transfers to a different department, a user’s need to access data may change. In such situations, the user’s data access privileges should be re-evaluated and modified to match the new role, if needed. See CFR §164.308(a)(4)(ii)(C) (access establishment and modification). Organizations should be particularly sensitive to the risk of insider threats in cases of involuntary separation. Organizations should have policies and procedures in place to terminate physical and electronic access to data, before any user leaves the organization’s employ. Such actions should include disabling all of the user’s computer and application accounts (including access to remote and administrative accounts if applicable), changing or disabling facility access codes known to the user, and retrieving organization property including keys, mobile devices, electronic media, and other records, etc. See 45 CFR §§164.308(a)(3) (workforce security), (ii)(B) (workforce clearance procedure), (ii)(C) (termination procedures); 164.310(a) (facility access controls); and 164.316 (policies and procedures and documentation requirements).

See U.S. Department of Health & Human Services, Summer 2019 OCR Cybersecurity Newsletter.
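Two of the checks above (the termination procedures in the last bullet, and the Pagosa Springs lesson about a departed employee keeping calendar credentials, together with the audit-log review the newsletter calls for) can be automated. The following script is an added example, not code from OCR or from the firm: it reconciles a constructed HR separation export against a constructed account inventory to find accounts that should have been disabled, and scans constructed audit log lines for activity by separated users after their separation date. All file formats, usernames and log lines are hypothetical.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample inputs (hypothetical formats; not from any real organization).
HR_SEPARATIONS_CSV = """employee_id,username,separation_date
1001,jdoe,2019-06-14
1002,asmith,2019-07-01
"""

ACCOUNT_INVENTORY_CSV = """username,system,enabled
jdoe,calendar,true
jdoe,ehr,false
asmith,ehr,true
asmith,badge,true
bwong,ehr,true
"""

# Constructed audit log: "<timestamp> <system> <action> key=value ..."
AUDIT_LOG = """\
2019-06-13T17:45:00Z ehr VIEW user=jdoe record=R-4471
2019-06-20T08:12:03Z calendar LOGIN user=jdoe src=203.0.113.5
2019-07-02T09:00:00Z ehr VIEW user=asmith record=R-9003
2019-07-02T09:05:00Z ehr VIEW user=bwong record=R-9003
"""


def load_separations(text):
    """Map username -> cutoff (start of the day after separation, UTC).

    Activity on the separation day itself is treated as legitimate; anything
    after that day is flagged.
    """
    cutoffs = {}
    for row in csv.DictReader(io.StringIO(text)):
        sep_day = datetime.strptime(row["separation_date"], "%Y-%m-%d")
        cutoffs[row["username"]] = sep_day.replace(tzinfo=timezone.utc) + timedelta(days=1)
    return cutoffs


def load_accounts(text):
    """Account inventory rows as dicts (username, system, enabled)."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_audit_line(line):
    """Parse one audit line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
    if "user" not in fields:
        return None
    return {"ts": ts, "system": parts[1], "action": parts[2], **fields}


def stale_accounts(cutoffs, accounts):
    """Accounts still enabled for users HR lists as separated (should be disabled)."""
    return sorted(
        (a["username"], a["system"])
        for a in accounts
        if a["username"] in cutoffs and a["enabled"].strip().lower() == "true"
    )


def post_separation_activity(cutoffs, log_text):
    """Audit events by a separated user after that user's cutoff, in log order."""
    hits = []
    for line in log_text.splitlines():
        event = parse_audit_line(line)
        if event is None:
            continue  # skip malformed lines rather than crash the review
        cutoff = cutoffs.get(event["user"])
        if cutoff is not None and event["ts"] >= cutoff:
            hits.append((event["user"], event["system"], event["action"], event["ts"].isoformat()))
    return hits


def offboarding_report():
    """Run both checks over the constructed inputs and return the findings."""
    cutoffs = load_separations(HR_SEPARATIONS_CSV)
    return {
        "stale_accounts": stale_accounts(cutoffs, load_accounts(ACCOUNT_INVENTORY_CSV)),
        "post_separation_activity": post_separation_activity(cutoffs, AUDIT_LOG),
    }


if __name__ == "__main__":
    for finding, items in offboarding_report().items():
        print(finding)
        for item in items:
            print("  ", item)
```

In practice the three inputs would be an HR export, a directory or SaaS admin export, and the system logs the Security Rule requires you to retain; the point of the reconciliation is that an account HR knows is gone but IT still has enabled is exactly the Pagosa Springs condition.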

If you need help implementing appropriate safeguards and strategies that comply with the law, contact Shuttleworth & Ingersoll’s Health Law Group.

[1] With the following caveat: “This document is not a final agency action, does not legally bind persons or entities outside the Federal government, and may be rescinded or modified in the Department’s discretion. Noncompliance with any voluntary standards (e.g., recommended practices) contained in this document will not, in itself, result in any enforcement action.”

Small and Medium Health Care Organizations: HIPAA Security Risk Assessment Tool Webinar

This article was updated on 7/24/2019.

The HHS Office for Civil Rights (OCR) hosted a webinar titled Security Risk Assessment Tool Overview and User Feedback Session on July 17 in an effort to help small- and medium-sized health care providers learn about the Security Risk Assessment Tool (SRA Tool) to evaluate their security measures against the growing number of security risks.

A risk assessment is a necessary part of handling medical records and other protected health information for health care entities and business associates to maintain compliance with the administrative, physical, and technical safeguards associated with the Health Insurance Portability and Accountability Act (HIPAA).

The SRA Tool is software developed by the Office of the National Coordinator for Health Information Technology (ONC) and OCR to assist in the effort to uncover potential security threats facing health care entities and their business associates. The software is available for Windows computers and laptops, along with an app for iPads.

The tool is designed to assist small to medium organizations in conducting an internal security risk assessment to aid in meeting the security risk analysis requirements of the HIPAA Security Rule and the CMS EHR Incentive Program. More specifically, the software provides enhanced functionality to document how your organization implements safeguards to mitigate, or plans to mitigate, identified risks.

Webinar slides are available to view on the ONC website. We will update this post when a recording of the webinar is available.

Interests in Iowa Real Estate May Expire in 10 Years Unless Extended

The Iowa Court of Appeals in its West Lakes Properties, L.C. v. Greenspon Property Management, Inc. decision entered on September 27, 2017, held that a right of first refusal was subject to the statute of limitations of Iowa Code Section 614.17A, which states:

614.17A  Claims to real estate after 1992.

  1. After July 1, 1992, an action shall not be maintained in a court, either at law or in equity, in order to recover or establish an interest in or claim to real estate if all the following conditions are satisfied:
    a. The action is based upon a claim arising more than ten years earlier or existing for more than ten years.
    b. The action is against the holder of the record title to the real estate in possession.
    c. The holder of the record title to the real estate in possession and the holder’s immediate or remote grantors are shown by the record to have held chain of title to the real estate for more than ten years.
  2.
    a. The claimant within ten years of the date on which the claim arose or first existed must file with the county recorder in the county where the real estate is located a written statement which is duly acknowledged and definitely describes the real estate involved, the nature and extent of the right of interest claimed, and the facts upon which the claim is based. The claimant must file the statement in person or by the claimant’s attorney or agent. If the claimant is a minor or under a legal disability, the statement must be filed by the claimant’s guardian, trustee, or by either parent.
    b. The filing of a claim shall extend for a further period of ten years the time within which such action may be brought by any person entitled to bring the claim. The person may file extensions for successive claims.
  3. Nothing in this section shall be construed to revive any cause of action barred by section 614.17.

91 Acts, ch 183, §37; 2013 Acts, ch 30, §261
Referred to in §614.17, 614.18, 614.19, 614.20

Because the Court held that a right of first refusal is an interest in real estate and therefore must be extended or will expire, the decision potentially subjects other interests in real estate, such as options to purchase, easements, leases and any other agreement that creates an “interest in real estate”, to a ten-year statute of limitations. The decision has not been revised or limited by later decisions, and the Iowa legislature has not passed legislation to address the decision. A curative statute was proposed in the legislature this session but did not pass out of committee.

Section 614.17A allows for the “extension” of a “claim” by filing a written statement within the ten-year period of the “date on which the claim arose or existed”, which is the date that the document creating the claim was recorded.

For agreements that have not been timely extended, the agreement would need to be re-executed and recorded.

For agreements that have not yet expired, we have developed a “statement” to use to extend existing agreements. You may want to review your files to determine if there are “interests in real estate” that should be extended or replaced with new agreements.

If you have any questions regarding the above or if you have interests in real estate to extend or replace, do not hesitate to contact us.

U.S. Supreme Court Holds That Copyrights Must Be Registered before Plaintiffs Can File for Infringement

Supreme Court of the United States of America

In a unanimous decision, the Supreme Court held that registration with the U.S. Copyright Office is required to enforce copyrights. Fourth Estate Public Benefit Corp. v., LLC, No. 17-571, 586 U.S. (March 4, 2019). The ruling makes it even more important that copyright holders register their works promptly.

Prior to this decision, circuits were split on the language of 17 U.S.C. § 411(a), which states that “no civil action for infringement of the copyright in any United States work shall be instituted until . . . registration of the copyright claim has been made in accordance with this title.” Many circuit courts, including the 8th Circuit, followed an “application approach” and interpreted this statute to be satisfied by the mere filing of an application to register a work with the Copyright Office. When a copyright holder discovered infringement, the copyright holder could simply file an application and then bring suit for infringement.

The application approach made sense. Copyright registration is pro forma. The application is not substantively examined for the copyrightability of the underlying work. More importantly, copyright protection, under the Berne Convention for the Protection of Literary and Artistic Works (1886), is to be automatic and not conditioned on compliance with any formalities. A protectable copyright arises the moment the author fixes a work in a tangible form. In this spirit, the “application approach” allowed an author to enforce its protectable right without administrative delay.

Now, a copyright holder must apply for registration and receive a final agency decision from the Copyright Office either granting or denying the registration before enforcing his or her rights. Contrary to the Berne Convention’s spirit of automatic protection free of administrative formalities, copyright protection is no longer automatic but conditioned on a seven-month (or longer) delay while the Copyright Office reviews the application.

There have always been good reasons for registering copyrights promptly. The Copyright Act encourages registration with the added benefits of statutory damages and attorneys’ fees for infringement of registered copyrights under 17 U.S.C. § 412. Now, a registered copyright is required to bring an action for infringement in federal court. Early registration is especially important if the harm from infringement could be irreparable and there is a need for a temporary restraining order or preliminary injunction to stop the infringement, or the infringing action occurred near the end of the three-year statute of limitations for infringement under the Copyright Act.

We have always strongly advised clients to register their copyrights promptly. Now, the Fourth Estate decision makes this even more important.

Deadline to Submit Feedback to HHS on HIPAA Modifications Upon Us

Tricia L. Hoffman-Simanek, Shuttleworth & Ingersoll, P.L.C.

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has called for public input on improving care coordination and reducing the regulatory burdens of the HIPAA Rules. The deadline for such input is February 12th. OCR wants input on ways to modify the HIPAA Rules to remove regulatory obstacles and decrease regulatory burdens while preserving the privacy and security of patients’ protected health information.

There is still time for health care providers, clinics, facilities/entities/organizations to submit any input electronically by using the following link: and searching for the Docket ID number HHS-OCR-0945-AA00.

An excerpt from the HHS press release states:

Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), issued a Request for Information (RFI) seeking input from the public on how the Health Insurance Portability and Accountability Act (HIPAA) Rules, especially the HIPAA Privacy Rule, could be modified to further the HHS Secretary’s goal of promoting coordinated, value-based healthcare. This RFI is a part of the Regulatory Sprint to Coordinated Care, an initiative led by Deputy Secretary Eric Hargan.

And continues:

HHS developed the HIPAA Rules to protect individuals’ health information privacy and security interests, while permitting information sharing needed for important purposes. However, in recent years, OCR has heard calls to revisit aspects of the Rules that may limit or discourage information sharing needed for coordinated care or to facilitate the transformation to value-based health care. The RFI requests information on any provisions of the HIPAA Rules that may present obstacles to these goals without meaningfully contributing to the privacy and security of protected health information (PHI) and/or patients’ ability to exercise their rights with respect to their PHI.

In addition to requesting broad input on the HIPAA Rules, the RFI also seeks comments on specific areas of the HIPAA Privacy Rule, including:

  • Encouraging information-sharing for treatment and care coordination
  • Facilitating parental involvement in care
  • Addressing the opioid crisis and serious mental illness
  • Accounting for disclosures of PHI for treatment, payment, and health care operations as required by the HITECH Act
  • Changing the current requirement for certain providers to make a good faith effort to obtain an acknowledgment of receipt of the Notice of Privacy Practices

The request for information (RFI) may be downloaded from the Federal Register at:

Tax Cuts and Jobs Act Update

Tax Cuts and Jobs Act

With the passing of the Tax Cuts and Jobs Act on December 22, 2017, there are several significant changes to the way individuals will compute their individual income tax beginning in 2018. Although the actual impact the Act will have on each individual income tax return may be different, the following provides a general summary of the most significant changes made by the Act.

Tech Companies Responsible for HIPAA Compliance? You Bet.

It is an exciting time for technology businesses considering or already providing services in the health care space. While technology is driving the growth of big data in health care, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) is taking steps to ensure the security and privacy of patient medical records, also known as protected health information (PHI).