Amazon & FTC Agree $25 Million Settlement to Resolve Alleged FTC Act and COPPA Violations

Posted by Steve Alder

The Federal Trade Commission (FTC) has agreed to settle a complaint against Amazon that alleged violations of the FTC Act, the Children’s Online Privacy Protection Act (COPPA), and the FTC’s Children’s Online Privacy Protection Rule with respect to its Alexa voice assistant products. According to the complaint, the retail giant misrepresented that it would delete voice transcripts and geolocation information of users upon request, limit employee access to Alexa users’ voice assistant data, and delete the personal information of children as requested by their parents. The FTC also alleged Alazon was retaining the personal information of children for longer than was reasonably necessary to satisfy the purpose for which the information was collected.

According to the FTC complaint, the default settings of the Alexa voice assistant stored voice recordings and transcripts indefinitely, including those of children, even when profiles were no longer used and had been inactive for years. Prior to the middle of 2019, Amazon claimed it would delete written transcriptions of interactions between children and Alexa in response to deletion requests by parents yet failed to do so, and for 13 months until September 2019, Amazon is alleged to have made Alexa recordings available to 30,000 employees, even though around half of those employees did not require access to the recordings for any business purpose. In addition, from January 2018 to early 2022, the geolocation data of Alexa app users in secondary locations was retained and was not deleted per data deletion requests.

Amazon did not agree with the FTC’s claims and maintains it has very strong privacy protections in place; however, chose to settle the complaint with the FTC with no admission of wrongdoing. The settlement, which has yet to be approved by a federal judge, will see Amazon pay a financial penalty of $25 million to resolve the complaint and implement a number of measures to ensure the privacy of children and other Alexa users.

Those measures include a commitment to delete the personal information of children when child profiles have been inactive for 90 days unless a request is received from the child’s parent or legal guardian to retain that information, or if the account becomes active again within that 90-day period. Amazon will ensure that when data deletion requests are received, all geolocation information and voice information will be fully deleted from the Alexa App, that all personal information collected from a child will be deleted in response to a request from the child’s parent, and that after processing the deletion of geolocation information, voice information and children’s personal information from the app will not subsequently be used for the creation or improvement of any data product.

Amazon is also required to clearly and conspicuously notify users about why geolocation information is collected and used, inform them about how they can request their data be deleted, and Amazon must establish, implement, and maintain a privacy program to protect the privacy of Alexa App geolocation information. The order also prohibits Amazon from making misrepresentations about the privacy of geolocation and voice information.

The post Amazon & FTC Agree $25 Million Settlement to Resolve Alleged FTC Act and COPPA Violations appeared first on HIPAA Journal.

Florida Bans Offshore Storage of Electronic Health Records

Posted by Steve Alder

In May 2023, the Florida Legislature passed an update to the Florida Electronic Health Records Exchange Act that prohibits healthcare providers that use certified health record technologies from storing electronic health records outside the United States, its territories, or Canada. The ban also covers patient information stored through a third-party or subcontracted computing facility or cloud computing service, which must similarly maintain the data in the continental United States, its territories, or Canada. When the ban takes effect it will no longer be possible to use overseas vendors that require access to patient information as the update also bans the access, retrieval, and transmission of patient data from locations outside the United States, its territories, or Canada. All healthcare providers covered by the Florida Electronic Health Records Exchange Act must comply with the updated law by July 1, 2023.

“Certified electronic health record technology” is defined as “a qualified electronic health record that is certified pursuant to s. 3001(c)(5) of the Public Health Service Act as meeting standards adopted under s. 3004 of such act, which are applicable to the type of record involved, such as an ambulatory electronic health record for office-based physicians or an inpatient hospital electronic health record for hospitals.”

“Qualified electronic health record” is defined as “an electronic record of health-related information concerning an individual which includes patient demographic and clinical health information, such as medical history and problem lists, and which has the capacity to provide clinical decision support, to support physician order entry, to capture and query information relevant to health care quality, and to exchange electronic health information with, and integrate such information from, other sources.”

Covered healthcare providers include hospitals, ambulatory surgery centers, pharmacies, home health agencies, hospices, laboratories, mental health treatment facilities, substance abuse services, and licensed healthcare providers such as physicians, nurses, dentists, therapists, podiatrists, and massage therapists.

Healthcare providers should conduct an audit to confirm the locations where health records are stored to ensure that they are compliant. If a cloud vendor is used to store patient information, data centers must be located in the specified regions. If contracted third parties are used to provide support services such as managed service providers, IT support companies, scheduling support providers, and other vendors, they, along with any subcontractors they use, should be prohibited from storing or accessing patient information outside of the United States, its territories, or Canada.

If the audit confirms patient data is stored in or is accessed from prohibited locations, steps should be taken immediately to move patient data to a compliant storage location and restrict access from unauthorized locations ahead of the compliance deadline.

The post Florida Bans Offshore Storage of Electronic Health Records appeared first on HIPAA Journal.