AXEL.org

Blog

Why Free Will Cost You a Fortune

Everyone loves a good deal. Whether it’s an amazing discount or a sale, we experience an endorphin rush when we get a good deal. Things only get better when we hear those magic words we love…“free.”

Nothing gets people more excited than when something is offered for free. If you’ve ever seen a store offering something for free then you know what to expect… a lineup around the corner.

This philosophy gets amplified when we talk about anything offered on the Internet. It is commonly accepted that any services offered through the Internet should be free.

And many websites are happy to oblige. Facebook is free, YouTube is free, Twitter is free…you get the idea.

The thing that no one seems to be asking anymore is “what’s the catch?”

In the real world we usually have an idea about why something is being offered for “free”; maybe they want to get you into the store to buy something else or they want to get you hooked onto the product, but there is always a reason.

Unfortunately we aren’t so inclined to look for a catch when it comes to “free” services online. It’s understandable that people expect online services to be free but it’s important to know why it’s being offered for free.

There is always an ulterior motive for something to be offered for “free” and there is always something that is being compromised in exchange for the “free” service. The level of compromise involved will depend on the service being offered.

Some compromises will be harmless, such as when a service is offered with limited features. However, often, the compromises made are more than the user bargained for when they signed up in the first place.

Ultimately the more we understand about why a service is being offered for “free” online, and the compromises that come with it, the better we can make a decision on whether to proceed with becoming a user.

Awareness is the best defense to ensure that we don’t end up in a situation where something we thought was going to cost nothing (“free”) ends up costing us an arm and a leg (and some other important body parts).

Let’s cover some of the reasons a product or service is being offered online for “free”, along with their level of harm:

  • Trial Versions/Upgrade Incentives: No different than when a product is offered for “free” in a real life setting, the company wants you to continue using the service (at a cost, naturally) once the trial period is over or upgrade to a paid tier. This is relatively harmless unless the company asks for your credit card to start the “free” trial and will charge you automatically. Then you need to have a good memory or set your calendars to not get charged.
  • Advertising: Similar to watching TV, a website may offer you a “free” service in order to ratchet up the hits and collect ad revenue. Unlike TV, ads on the internet are ridiculously annoying (TV ads are just mildly annoying). Between popups and flashing banners, some websites are just not worth visiting. This category falls into the “harmless but frustrating” section.
  • Micropayments: Typically with a service that relies on micropayments, the base tier is “free” but has very limited features and in order to expand the features you have to make some sort of minimal payment (think .99¢) that seems insignificant…at first. However there are many features that need to be unlocked and each one of them will require its own micropayment. In a way micropayments are like a faucet that has a drip. At first you might not think it’s so bad since you only see a drop of water falling at a time, but then you get your monthly water bill and see that it’s triple the usual amount. This is definitely one of those categories that can get out of hand very quickly and cost more than you expect if you aren’t too careful.
  • Data Mining: Now we’re getting into some bad territory. Data mining is when the service you’re using is harvesting information about you to use for other purposes. Have you ever booked a flight to a city and then seen a bunch of ads for hotels in that same city?…it’s not a coincidence. Sometimes data mining is used only for advertising (relatively harmless) but other times the company wants to collect a profile on you based on the websites you’ve visited, who you interact with, and even your spending habits. Needless to say, depending on the level of privacy you crave, this can be pretty harmful.
  • Malice: I did say the motives may not be sinister in nature, but sometimes they are. As a wise man once said “some people just want to watch the world burn”. I would be doing you a disservice if I didn’t mention that some “free” online products/services come with lovely add-ons such as viruses, worms, spyware, and malware or they might be used to extract personal information from you, such as your online banking login information. Needless to say, this is the most harmful form of “free” you get online and a good reason of why you need to be very careful about who you trust.

As you can see, not everything that is being offered for “free” is actually without any cost to you. It’s important to take a step back and ask yourself why the provider is offering it for “free”. What’s in it for them?

Do appropriate research and make sure that you aren’t putting yourself in a situation that can be harmful to you or cause you to expose more about yourself than you want.

So, yes, we all love to get something for free…just make sure it doesn’t end up costing you a ton in the end!

The Future of Digital Storage

As we rush out to the store to grab the latest and greatest smartphones and bask in the glory that is our never ending thirst for all things media, a thought occurs . . . ”where are we going to store all of this stuff?”

I mean, sure, we proudly flex the muscle of our portable devices, capable of producing 12 megapixel images or shooting full motion video and effortlessly streaming it to our 4k-capable retina display . . . but where is all this data going to be kept?

A cursory glance at the storage market tells us that any portable devices with any real storage capacity come at a premium.  Ok, we get that, so we begin to seek other avenues to store our wealth of media that will still give us instant access.

Naturally cloud storage is the first and most viable option. So we immediately enter our email address, create a quick password, and hop onto the internet to store our digital world.  Initially it’s great!  We can get our stuff from anywhere, and many of the services give us a couple of GBs of space in the cloud for free . . . but at what cost?

The cost equation for the storage of your digital world comes down to “ease of access” versus “control of content”.  Anyone who has read the terms and conditions of the typical cloud companies can tell you that you’re virtually giving up all license and all control of your content once you enter it into a public server.

The cost of your “free 5 GB account” is that your content is no longer in your direct control. Sadly, the only real alternative seems to be spending a significant amount of up-front cash on devices that have more built-in storage, or going to the store and buying one of those cloud boxes that you put on your desk at home and try to configure for remote access.  It’s clunky and costly, but it’s safer.  So how do you decide?

The plot thickens when you realize that every smartphone that is introduced is capable of generating even larger files, videos, images, and media content, yet the storage spaces on these devices continue to remain the same.

So what can be done to enable us to take advantage of all the powerful features of our smart devices without giving up ownership and control of our digital content?

Technology will continue its furious pace towards integration of content and expansion of storage components.  How will that future look and who will win that race? Smart money says that the folks developing smartphone, laptop, and tablet technology will continue to lead.  Why? The answer is simple really.  These devices are not meant to be kept forever.

Look at the typical release cycle for new smartphones and tablets.  Just when you get comfortable with your new device, a bigger-better-faster-smarter alternative hits the market.

And how long do you typically keep your tech devices?  1 year?  2 years? Longer?  Are you the type that has to be on the train to the latest-and-greatest device available? Or are you still carrying around your series one Motorola flip phone?  Don’t worry, there is no wrong answer. But, the fact remains that technology will continue to steamroll ahead whether we’re ready for the “next big thing” or not.

So where does that leave us with our original question about storage and ownership of our content? Will storage manufacturers be able to keep up with the ever-growing needs of the social media networks?

What will the online cloud providers do when they see a market where people still want privacy and control over their digital lives?  Will companies like Amazon and Google own your content in an endless sea of server farms? Or will your network evolve into one that you and you alone control?

As it stands today, we’ve got far more questions than we have answers.  Once thing is certain in all of this commotion . . . technology won’t stop, so keep your eyes on the horizon and together we’ll see how the innovators answer these growing concerns.

Who’s Covered by HIPAA?

Our previous HIPAA entry exposed you to some of the basics of HIPAA.   One of the things we did was to identify who was covered by the HIPAA rules.  Entities or individuals that are Covered Entities (remember: Health Care Plans, Health Care Clearinghouses, or Health Care Providers) are certainly subject to HIPAA.

But, effective February 17, 2010 under the HITECH Act, Business Associates (BA) became subject to HIPAA privacy and security rules as well.  What this means is that a company that is not in the healthcare industry, per se, but deals with medical records as part of their job duties, COULD be subject to HIPAA rules.

A BA is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a Covered Entity; attorneys, accountants, consultants, and others are some possible examples.  But there is not a list in HIPAA which defines who is a BA by trade.  Thus, the following test is used:

  • a party who is performing a function for a Covered Entity;
  • that has access to PHI;
  • but is not an employee of the Covered Entity.

Now that you have had a chance to determine if you are or are not a BA, what are your HIPAA requirements?  Well, you must comply with HIPAA of course.  But generally you must secure the PHI, and use it only for the same purpose it was given to the Covered Entity.

Where it sometimes gets tricky is, you must make the PHI “accessible” to the individual to whom the PHI belongs; most often the patient.  So you cannot just lock it up and throw away the key.  You must also perform risk assessments of your security and mitigate determined risks.  Finally, you have notice obligations should there be a breach.

Next we will talk about what a breach is, your reporting requirements, and the related fines and penalties for a breach.

What is HIPAA?

Since our previous HIPAA entry exposed you to some of the shock value of the recent HIPAA violations, I assume you are checking back because you’re interested in how HIPAA may apply to your company.  With this article, I wanted to provide a little foundation for HIPAA.

HIPAA is the acronym for The Health Insurance Portability and Accountability Act which was legislation passed in 1996.  For you legislative purists, HIPAA was initially known as the Kennedy–Kassebaum Bill.   But, yes, HIPAA has been around since 1996!  I bet that, if polled, most medical or insurance privacy officers would tell you that HIPAA was enacted in the last few years.

Not only is HIPAA not new, it was also not written solely to provide punishment to medical practices that get lazy with their record keeping.   It’s made up of five sections, of which only one, Title II, addresses items such as patient’s access, security, and privacy.  Perhaps another day I will talk about the coding, automation, coverage, and standardization requirements of HIPAA, but not today.

The Department of Health and Human Services (HHS) enforces HIPAA, and its Office for Civil Rights (OCR) performs all the audits.   Interestingly, in 2009 then-President Obama signed the American Recovery and Reinvestment Act of 2009.  Contained therein, was the HITECH Act, which enabled the OCR to be funded by the very fines it levies and collects.  Thus, there is little doubt that HIPAA investigations, enforcement, and fines are here to stay.

Understanding that HIPAA and its enforcement is here to stay, the next question is:  “does it apply to us?”  Most certainly, HIPAA does not apply to anyone who holds a medical record in their hand.  But it does apply to Covered Entities such as:  Health Care Plans and Clearinghouses (some may just call them the insurance side) and Health Care Providers (doctors, nurses, hospitals, those trained and licensed to provide medical care, etc.).  And finally HIPAA applies to Business Associates (BA) (a party who is performing a function for a covered entity that has access to PHI, but is not their employee).  So, if you are one of those folks, the HIPAA rules apply to you.

Who is, or may be, a BA will be the subject of the next HIPAA blog.

Keeping Up in Court

It’s the day before the big hearing.  The Motion was perfect; Opposition just ok – no surprises, and your Reply crushed it.  This is the second time you will be arguing your Summary Judgment Motion.  A Rule 56(f) Opposition carried the day six months ago; but it’s more than ripe this time around.

You sit down to download all three pleadings to your iPad; with exhibits they total about a foot-thick of paper.  But, in PDF format, the files are too big for the storage left on the device.  To make matters worse, you wanted to download a few other things for the hearing as well – their Opposition from the last hearing (since it makes a few arguments that help you this time around), the latest round of discovery responses (a perfect Interrogatory answer from their CIO exists), and a bunch of photos of your client’s product and their infringing product that your expert just testified to at his deposition last week.

The next two hours are spent deciding if you really need all the exhibits to the pleadings, what else you really need, and considering what you could take off your iPad.  WASTED TIME and ADDED STRESS.   As if you need either of those on the day before the hearing.  Finally, you decide to leave the Opposition exhibits and the new expert photos off the download, and remove a few unrelated things from the iPad and off you go.

Let’s take the worst-case scenario, and play it out.  During argument opposing counsel brings up a document from her exhibits – that you did not think was important enough to address in your outline – and it’s not on your iPad.  She also talks for a while about your expert’s deposition and two of his photos – which you don’t have either.

As prepared and articulate as you may be, you simply cannot address the nuances of her arguments on those three pieces of evidence since they are not right in front of you.  Motion DENIED.

I understand that in this hypothetical you could have hand-carried the documents to court.  But the point is, even when we carry twelve inches of material to court and/or download all the related pleadings, every now-and-then a question is asked or argument made related to a document we just did not have.  Sure, sometimes the judge will give us more time to address the evidence, but would it not be better to just have access to your entire case file – no matter how big?

This scenario happened to me a few times in my 18 years of litigation.  Sure, there was more than one time where I simply forgot to grab part of the file on the way to court.  But far more often, opposing counsel would bring up something completely unrelated to the issue, or from a prior hearing or long-ago completed discovery.  Every now and then, a judge would ask for something very specific or something silly like a date of service on Interrogatory packet #3.  In these instances the ability to access all your documents can be the difference between winning or losing your case. It’s important for any attorney to do their research on finding the best file management tools to ensure they have the important information on hand at all times.

HIPAA Violations – An Open Discussion

An open Discussion on HIPAA.

First, its HIPAA, not “HIPPA” which you see a lot as you navigate an internet search about HIPAA.  If you Google HIPPA, you will find plenty of articles, discussing HIPAA, but spelling it as HIPPA.  You can even find professionally appearing and academic articles spelling it incorrectly.  Second, HIPAA is more than just a privacy law, it deals with document access, insurance coverage, pre-existing conditions, and many other things.  Finally, HIPAA compliance is not impossible or some secret for experts only… it is attainable.  But, first things first, why should you worry about HIPAA?

Look we are all busy, none of us want to read a bunch of legislation written by attorneys which makes almost no sense to non-attorneys; I get it.   When it comes to legal issues, I always find it important to know the real reasons why I should take notice of something.  Large monetary fines and possible prison time seem to get my focus.  The Federal Government issued almost $11.4 million in HIPAA fines before March 1, 2017; paying attention yet?   How about knowing that you can face Federal jail time for wrongful disclosures?  Now that you realize HIPAA is serious, let’s look at the governments’ enforcement activity in 2017.

Just to get your ears perked up, here are some examples of the fines issued by the Federal Government before the end of February 2017:

January 9, 2017 – The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and Presence Health agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000.00.

Presence Health discovered that paper-based operating room schedules, which contained the PHI (Protected Health Information) of 836 individuals, were missing from the Presence Surgery Center at the Presence St. Joseph Medical Center in Joliet, Illinois.  Making matters worse, Presence Health failed to timely notify each of the 836 individuals affected by the breach, prominent media outlets (as required for breaches affecting 500 or more individuals), and the OCR.  This case is a great first case to take notice of, as it addresses both the loss of the medical information and the failure to report the breach.

January 18, 2017 – The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and MAPFRE Life Insurance Company of Puerto Rico (MAPFRE) agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.2 million.

MAPFRE filed a breach report with the OCR indicating that a USB data storage device containing ePHI (electronic Protected Health Information) for 2,209 patients was stolen from its IT department, where the device was left without safeguards. MAPFRE also failed to conduct proper risk analysis, implement risk management plans, and failed to deploy encryption or an equivalent alternative measure on its laptops and removable storages.  This investigation revealed many breaches, across many levels of HIPAA.  Yet, one of its teaching points is about laptop and USB drive security.  Many offices use laptops and USB drives on a daily basis to access and transfer information.  If they contain PHI, they must secure them.

February 1, 2017 – The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) issued a civil money penalty of $3.2 million to Children’s Medical Center of Dallas (Children’s), who paid the fine in full.

Children’s filed a breach report with the OCR indicating the loss of an unencrypted, non-password protected BlackBerry device at the Dallas/Fort Worth International Airport.  The device contained the ePHI of approximately 3,800 individuals.  Later, Children’s filed a separate HIPAA Breach Notification Report with the OCR, reporting the theft of an unencrypted laptop from its premises which contained the ePHI of 2,462 individuals.  Again, we see issues with remote devices being compromised.  In a review of OCR violation history, remote device compromises appear to be a majority violator.  Probably a good time to determine if your office had PHI on any remote or removable devices.

February 16, 2017 – Memorial Healthcare System (MHS) paid the U.S. Department of Health and Human Services (HHS) $5.5 million to settle potential violations.

MHS reported to the HHS Office for Civil Rights (OCR) that the protected health information (PHI) of 115,143 individuals had been impermissibly accessed by its employees and impermissibly disclosed to affiliated physician office staff. The login credentials of a former employee of an affiliated physician’s office had been used to access the ePHI.  This final case shows that your password protocols must be established and followed.  Of course, the hardest part of protecting your company is protecting it from its employees.  However, there is no excuse for allowing former employees to retain access rights to your data.

These four fines are just the tip of the iceberg when dealing with HIPAA, but together they do shed some light on the many different types of violations your company can face.  Many states now can assert similar level fines upon a party in breach.  Some states even allow private causes of action for damages caused by a breach.  And then, there can be criminal consequences as well.  Now that I have your attention, be sure to check back soon for more on HIPAA.