Case KG Doc 142 Filed 09/23/15 Page 1 of 23 IN THE UNITED STATES BANKRUPTCY COURT FOR THE DISTRICT OF DELAWARE : : : : : : : : Chapter 11

Transcription

1 Case KG Doc 142 Filed 09/23/15 Page 1 of 23 IN THE UNITED STATES BANKRUPTCY COURT FOR THE DISTRICT OF DELAWARE In re: Haggen Holdings LLC, et al., 1 Debtors. : : : : : : : : Chapter 11 Case No (KG) Jointly Administered REPORT OF CONSUMER PRIVACY OMBUDSMAN Alan Chapell, Esq., CIPP Chapell & Associates, LLC 692 Greenwich Street, Suite 5 New York, NY Telephone: (917) achapell@chapellassociates.com Date: September 23, The Debtors in these chapter 11 cases, along with the last four digits of each Debtors federal tax identification number, are: Haggen Holdings, LLC (7558), Haggen Operations Holdings, LLC (6341), Haggen Opco South, LLC (7257), Haggen Opco North, LLC (5028), Haggen Acquisition, LLC (7687), and Haggen, Inc. (4583). The mailing address for each of the Debtors is 2211 Rimland Drive, Bellingham, WA

2 Case KG Doc 142 Filed 09/23/15 Page 2 of 23 TABLE OF CONTENTS Introduction... 1! Summary of Findings and Recommendation... 2! Data Points Collected by Debtor... 2! Debtors Privacy Representations... 3! Privacy Ombudsman s Recommendations... 3! Applicable Consumer Privacy and Data Protection Laws... 4! U.S. Laws... 5! Applicable State Laws... 11! Non-U.S. Laws... 12! The Debtors Website Privacy Policies and Practices... 12! Application of Law and Privacy Standards... 12! Additional Factors to Be Considered... 13! Recommendations... 14!

3 Case KG Doc 142 Filed 09/23/15 Page 3 of 23 TABLE OF EXHIBITS EXHIBIT A Haggen Notice of Privacy Practices (effective March 27, 2014).

4 Case KG Doc 142 Filed 09/23/15 Page 4 of 23 Alan Chapell, the Consumer Privacy Ombudsman, duly appointed pursuant to section 332 of the Bankruptcy Code, 2 respectfully submits this Report to the Court and states: Introduction 1. The United States Trustee filed the Notice of Appointment of Consumer Privacy Ombudsman on September 17, The Ombudsman has prepared this Report in accordance with Section 363(b)(1)(B) of the Bankruptcy Code to assist the Court in its consideration of the facts, circumstances, and conditions of the sale by Debtors of its customers Personally Identifiable Information ( PII ). 3. The purpose of this Report is to provide the Court with the information specified in section 332(b) of the Bankruptcy Code and to assist the Court in understanding the applicable nonbankruptcy law referenced in section 363(b)(1)(B)(ii) of the Bankruptcy Code In preparing this Report, the Ombudsman has, among other things: a. Reviewed Debtors Notice of Privacy Practices ( NPP ), attached as Exhibit A; b. Discussed, via and telephone with Debtors Counsel, Debtors privacy practices; and c. Researched applicable United States federal and state privacy laws U.S.C. 332 (2006). 3 Pursuant to the Bankruptcy Code, the Consumer Privacy Ombudsman may provide this Court with information relating to (1) the Debtors privacy policy; (2) the potential losses or gains of privacy to consumers if a sale or lease is approved by the Court; (3) the potential costs or benefits to consumers if a sale or lease is approved by the Court; and (4) the potential alternatives that would mitigate potential privacy losses or potential costs to consumers. 11 USC 332 (2006). 1

5 Case KG Doc 142 Filed 09/23/15 Page 5 of 23 Summary of Findings and Recommendation 5. It is the Consumer Privacy Ombudsman s understanding that Debtors Haggen Opco South, LLC, Haggen Opco North, LLC and Haggen, Inc. ( Debtors ) seek to transfer certain pharmaceutical prescription information (outlined below) to Albertson s LLC and Safeway Inc. (collectively, the Purchasers ). Data Points Collected by Debtor 6. It is the Consumer Privacy Ombudsman s understanding that Debtors collected the following information: a. Information that is either personally identifiable on its own, or is rendered personally identifiable when combined, including: name, mailing address, address, phone, birth date, payment and billing information; b. Information pertaining to an individual s medical prescription(s), including the name of the drug, dosage and physician; 7. Debtors collected personally identifiable information ( PII ) as defined by Section 101(41A) of the Bankruptcy Code The PII collected by Debtors also falls under the definition of protected health information ( PHI ) as stipulated by the Health Insurance Portability and Accountability Act 4 [P]ersonally identifiable information means (A) if provided by an individual to the debtor in connection with obtaining a product or a service from the debtor primarily for personal, family, or household purposes (i) the first name (or initial) and last name of such individual, whether given at birth or time of adoption, or resulting from a lawful change of name; (ii) the geographical address of a physical place of residence of such individual 11 U.S.C. 101(41A) (2006). 2

6 Case KG Doc 142 Filed 09/23/15 Page 6 of 23 of 1996 ("HIPAA"), and the regulations published pursuant hereto, as amended from time to time. 5 The Privacy Ombudsman will use the term PHI throughout this Report to refer to all personally identifiable customer prescription data that Debtors seek to transfer pursuant to this proceeding. Debtors Privacy Representations 9. Debtors collected, maintained and used the PHI collected pursuant to a written notice of privacy practices that limits or restricts the transfer of such assets. Privacy Ombudsman s Recommendations 10. The Privacy Ombudsman s recommendation hinges on whether Purchasers meet the definition of a Qualified Buyer. A Qualified Buyer means an entity that: (i) concentrates in the same business and market as Debtors; (ii) expressly agrees to be Debtors successor-in-interest as to the customer information; (iii) agrees to be responsible for any violation of that policy following the date of purchase; and (iv) shall not disclose, sell, or transfer customers PHI to any third party in a manner inconsistent with Debtors Privacy Policy. 11. Based on the foregoing, the Ombudsman respectfully submits the following recommendations to the Court: 12. If Purchasers agree in writing to meet the definition of Qualified Buyer, the Court should approve the transfer of consumer information, including Patient PHI from Debtors to 5 Pub. L As defined by HIPAA, PHI includes any individually identifiable health information. Identifiable refers not only to data that is explicitly linked to a particular individual (that's identified information). It also includes health information with data items that reasonably could be expected to allow individual identification. 45 C.F.R. Part 164, Subpart E Privacy of Individually Identifiable Health Information. 3

7 Case KG Doc 142 Filed 09/23/15 Page 7 of 23 that Purchaser, provided that; a. Purchaser agrees to be bound and meet the standards established by Debtors Privacy Policies (e.g., the NPP); b. Debtors and Purchasers agree to provide notice of the sale transaction on the Purchasers and Debtors respective Websites. c. Debtors agree to post a notice at each pharmacy involved in a sale transaction in accordance with applicable state law advising the individuals of the transfer of their prescriptions and their right to request the transfer of their prescriptions and PHI to a pharmacy of their choice; and d. Debtors further agree to include on their telephone answering systems a message to notify customers that the pharmacy is closing and their prescriptions are being transferred as of a certain date, advising them of the name, address and phone number of the receiving pharmacy, and advising them of their right to request the transfer of their prescriptions and PHI to a pharmacy of their choice. Applicable Consumer Privacy and Data Protection Laws 13. In the United States, the privacy of consumers personally identifiable information is primarily regulated by the Federal Trade Commission ( FTC ) under the FTC Act, the Children s Online Privacy Protection Act of 1998 ( COPPA ), and the Gramm- Leach-Bliley Act ( GLBA ). The privacy of consumers personally identifiable health information is regulated by the Health Insurance Portability and Accountability Act of 1996 ( HIPAA ), the Health Information Technology for Economic and Clinical Health Act (the "HITECH Act") and various regulations promulgated under those laws. 4

8 Case KG Doc 142 Filed 09/23/15 Page 8 of 23 U.S. Laws 14. The Health Insurance Portability and Accountability Act of 1996 ( HIPAA ) - HIPAA is the federal law that establishes standards for the privacy and security of health information, as well as standards for electronic data interchange of health information. 6 HIPAA was enacted to address a number of issues in the healthcare field, including the promulgation of rules to ensure the privacy and security of patient medical information. 15. The U.S. Department of Health and Human Services ( HHS ) issued the Privacy Rule to implement the requirements outlined in HIPAA. The information regulated by the Privacy Rule is individuals health information - called protected health information ( PHI ), and organizations subject to the Privacy Rule are referred to as Covered Entities. The Privacy Rule also sets standards to help individuals to understand and control how their health information is used. 16. Covered Entities are defined as health plans, health care providers, and health care clearinghouses. Debtors are health care providers and are accordingly a Covered Entity under HIPAA. 17. Under HIPAA, PHI includes any individually identifiable health information. 7 The term individually identifiable refers to data that is explicitly linked to a particular individual (including health information) with data that reasonably could be expected to allow individual identification. 6 Health Insurance Portability and Accountability Act of 1996, Pub. L. No C.F.R. Part 164, Subpart E Privacy of Individually Identifiable Health Information. HIPAA regulations define health information as "any information, whether oral or recorded in any form or medium created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse, and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual." 5

9 Case KG Doc 142 Filed 09/23/15 Page 9 of The HIPAA Privacy Rule requires that Covered Entities provide patients with a notice explaining the privacy practices of the Covered Entity. 8 Notice is made available by the Covered Entity and is intended to provide an explanation to patients regarding how the Covered Entity uses and discloses PHI in its possession. Debtors published Notice of Privacy Practices ( NPP ) is attached as Exhibit A. As disclosed in the notice, Covered Entities may use PHI, and in some cases disclose PHI, for three basic functions: (i) treatment, (ii) payment, (iii) and healthcare operations. 19. For example, a doctor may access a patient s hospital records in the course of providing medical care to the patient ( Treatment ); the doctor can send records to a health insurer to document a claim for payment ( Payment ); and the doctor can make patient records available to a quality assurance reviewer ( Healthcare Operations ), all based on the terms of the Notice of privacy practices provided by the doctor, but without a specific authorization from the patient Healthcare operations is perhaps the broadest of the three functions. Its definition includes specific examples of activities such as; conducting quality assessment and improvement, conducting peer review, engaging in underwriting and premium rating, and conducting credentialing and re-credentialing of health care providers. Interspersed among these specific examples are vague catchall phrases, such as related functions, and generalized categories such as business management and general administrative activities. 21. While HIPAA does not directly provide for the transfer of PHI pursuant to a bankruptcy proceeding, the HITECH Act (discussed below) does address such transfers C.F.R C.F.R

10 Case KG Doc 142 Filed 09/23/15 Page 10 of The HITECH Act - Title XIII of the American Recovery and Reinvestment Act of 2009, the Health Information Technology for Economic and Clinical Health Act (the "HITECH Act") 10 applies to Covered Entities, including pharmacies. Under the HITECH Act, a Covered Entity may not receive direct or indirect remuneration in exchange for the disclosure of PHI unless the Covered Entity had obtained an authorization consistent with The HITECH Act s Omnibus Rule permits the disclosure of PHI without a prior written authorization under certain circumstances. For example, when a Covered Entity seeks to transfer PHI pursuant to a sale, transfer, merger or consolidation with another Covered Entity, written consent of a consumer is not required. 11 The proposed sale of Debtors customer PHI is therefore permitted under applicable medical privacy law. 24. However, the analysis does not end there as the proposed sale raises an issue about whether the resulting transfer of PHI would violate Debtors Notice of Privacy Practices and by extension, violate Section 5 of the FTC Act. 25. The FTC Act - Section 5 of the FTC Act declares unfair or deceptive practices in commerce as unlawful. 12 To determine whether section 5 s prohibition against deception has been violated, the FTC will first identify what express claims, and implied claims, have been made by a company. 13 An express claim refers to a factual assertion made in an C.F.R C.F.R USC 45 (2006). 13 FTC Policy Statement on Deception, appended to Cliffdale Associates, Inc., 103 FTC 110, 174 (1984), available at (last viewed July 18, 2009). 7

11 Case KG Doc 142 Filed 09/23/15 Page 11 of 23 advertisement or promotion or other publicly available statement such as a corporate policy. An implied claim refers to the net impression conveyed by all elements of a company s policies or statements including an evaluation of such factors as the entire document, the juxtaposition of various phrases in the document, the nature of the claim, and the nature of the transactions. Section 5 is violated when an express or implied claim is likely to affect a consumer s choice of or conduct regarding a product and is likely to mislead reasonable consumers under the circumstances. 14 In addition, an act or practice may be considered unfair if it causes, or is likely to cause, substantial injury to consumers that is not outweighed by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers The FTC has explicitly applied section 5 s prohibitions against deceptive acts and practices to corporate privacy statements made on the Internet and elsewhere in more than a dozen consent orders. 16 Debtors Notice of Privacy Practices promises that Debtors will not 14 Id. 15 See generally FTC Policy Statement on Unfairness, appended to International Harvester Co., 104 FTC 949, 1070 (1984) available at (last viewed July 18, 2009). 16 See, e.g., United States v. ChoicePoint, Inc., Stipulated Final Judgment and Order (N.D. Ga. 2006) available at (last viewed July 18, 2009); In the Matter of Vision I Properties d/b/a CartManager International, Agreement Containing Consent Order (FTC 2004) available at (last viewed July 18, 2009); In the Matter of Petco Animal Supplies, Inc., Decision and Order (FTC 2005) available at (last viewed July 18, 2009); In the Matter of Gateway Learning Corp., Decision and Order (FTC 2004) available at (last viewed July 18, 2009); In the Matter of Tower Records, Decision and Order (FTC 2004) available at (last viewed July 18, 2009); In the Matter of Guess?, Inc. and Guess.com, Inc., Decision and Order (FTC 2003) available at (last viewed July 18, 2009); In the Matter of Educational Research Center of America, Inc and Student Marketing Group, Inc., Decision and Order (FTC 2002) available at (last viewed July 18, 2009); In the Matter of the National Research Center for College and University Admissions, Inc., Decision and Order, (FTC 2003) available at (last viewed July 18, 2009); In the Matter of Microsoft Corporation, Decision and Order (FTC 2002); In the Matter of Eli Lilly and Company, Decision and Order (FTC 2002) available at (last viewed July 18, 2009); FTC v. 8

12 Case KG Doc 142 Filed 09/23/15 Page 12 of 23 sell the PHI of its customers without written authorization. Thus, while the proposed sale of information here is likely to be in accordance with HIPAA, it may violate Section 5 of the FTC Act. 27. Although it does not address consumer privacy in the context of the bankruptcy of a healthcare provider, The FTC s order against Toysmart may be helpful here, as it brought about the Privacy Policy Enforcement in Bankruptcy Act 17 ( PPEBA ) that now requires the appointment of the privacy ombudsman. 28. Toysmart - A casualty of the bursting of the Dot-Com bubble, Toysmart.com ( Toysmart ) had been engaged in the advertising, promotion, and sale of toys on the Internet. 18 In the course of doing business, Toysmart collected information from its customers, including, among other things, its customers names, addresses, billing information, and shopping preferences. Toysmart s website included a privacy policy which assured customers that Toysmart never shared [its customers PII] with a third party When Toysmart sought to sell the PII of its customers as part of its Plan of Liquidation, in direct contravention of its privacy policy, the FTC charged Toysmart with engaging in a deceptive trade practice, in violation of Section 5 of the FTC Act, 20 and with violating COPPA, because its customer data included the PII of children under the age of 13. Reverseauction.com, Inc., Decision and Order (FTC 2000) available at (last viewed July 18, 2009); In the Matter of Liberty Financial Co., Decision and Order (FTC 1999) available at (last viewed July 18, 2009); In the Matter of Geocities, Decision and Order (FTC 1999) available at (last viewed July 18, 2009) U.S.C. 332, 363(b) (2005). 18 See First Amended Complaint, Civil Action No at 6 (D. Mass. 2000) available at (last viewed July 18, 2009). 19 Id. at U.S.C. 45 et seq. 9

13 Case KG Doc 142 Filed 09/23/15 Page 13 of Although the FTC entered into a Stipulation and Settlement that would enable Toysmart to sell its customers PII under certain conditions, forty-six (46) States Attorneys General (and two of the FTC s own commissioners) objected, arguing that never (in Toysmart s privacy policy) should mean never and that Toysmart should not be permitted to sell its customers PII under any circumstances Ultimately, Toysmart withdrew the sale, and one of its equity owners, Disney, paid $50,000 for the data and had the data destroyed. Despite this unhappy conclusion for Toysmart, the terms of the Stipulation and Settlement into which it had entered with the FTC established the criteria to determine the propriety of the transfer of customer PII assets in a bankruptcy proceeding, where the privacy policy does not address that situation. 32. The Stipulation and Settlement provided that Toysmart s customers PII would be sold only to a Qualified Buyer, an entity that (a) concentrates in the same business and market as Toysmart; (b) expressly agrees to be Toysmart s successor-in-interest as to the customer information; (c) agrees to be responsible for any violation of that policy following the date of purchase; (d) will use the PII only to fulfill customer orders and to personalize customers experience on the website; and (e) shall not disclose, sell, or transfer customers PII to any third party without giving the customers notice and an opportunity to opt-in to the transfer Applicability of the Privacy Policy Enforcement in Bankruptcy Act ( PPEBA ) - Some have argued that the intent of Congress was for existing privacy law such as HIPAA, 21 The States objections rested primarily upon their own mini-ftc Acts, which prohibited deceptive acts or practices. 22 See Stipulation and [Proposed] Order Establishing Conditions on Sale of Customer Information, Civil Action No (Bkr. D. Mass. 2000) available at (last viewed July 18,

14 Case KG Doc 142 Filed 09/23/15 Page 14 of 23 rather than Section 332 of The Bankruptcy Code to address privacy issues pertaining to protected health information. 23 And it is certainly true that the initial impetus for Section 332 was to address privacy in sectors that were relatively unregulated. 34. However, the Privacy Ombudsman notes that HIPPA was enacted to set a minimum standard for privacy practices in the healthcare sector. Debtors Notice of Privacy Practices exceed those standards by further promising Debtors customers that Debtors would not sell its customer PHI without written authorization. 24 But for that promise, the contemplated transfer from one Covered Entity to another Covered Entity would be straightforward. However, an analysis of Debtors Notice of Privacy Practices raises issues under Section 5 of the FTC Act. Accordingly, the Privacy Ombudsman believes that the Court should utilize the guidelines created as a result of the Toysmart Stipulation and Settlement to evaluate Debtor s proposed sale of customer PHI. Applicable State Laws 35. The preemption provisions in HIPAA significantly impact many individual state medical privacy laws, including many of the laws of Arizona, California and Oregon. Both the HIPAA and HITECH preemption provisions generally provide that a Federal law standard will preempt a contrary state law relating to privacy of health information unless the state law is more stringent than the HIPAA, as the case may be. More stringent means that the state law is more restrictive as to a use or disclosure, or more expansive as to the 23 See RECURRENT AND DEVELOPING ISSUES ENCOUNTERED IN SALES PURSUANT TO SECTION 363 OF THE BANKRUPTCY CODE State Bar of Texas ADVANCED BUSINESS BANKRUPTCY CONFERENCE May 1-2, ( last visited on May 17, 2010.) 24 Section IV.B of Debtors Notice of Privacy Practices promises that Debtors will not make any disclosure of Protected Health Information that is a sale of Protected Health Information without your written authorization. (See Exhibit A). 11

15 Case KG Doc 142 Filed 09/23/15 Page 15 of 23 rights of individuals to access or amend their own information. 36. Neither Arizona, California, nor Oregon s medical privacy law specifically address the transfer of patient information pursuant to a bankruptcy proceeding. Accordingly, the laws of those states do not apply to the proposed transfer of Debtors customer PHI. Non-U.S. Laws 37. All PHI subject to transfer here was obtained in, and stored within the U.S. Accordingly, the applicable nonbankruptcy law 25 does not include the data protection laws of non-u.s. countries. The Debtors Website Privacy Policies and Practices 38. Debtors Notice of Privacy Practices ( NPP ) promised Debtors customers that Debtors will not make any disclosure of Protected Health Information that is a sale of Protected Health Information without your written authorization. 26 In other words, a reasonable person reading Debtors NPP would conclude that his PHI would not be sold without written consent. Application of Law and Privacy Standards 39. It is certainly true that the initial impetus for Section 332 was to address privacy in sectors that were relatively unregulated. 40. However, the Privacy Ombudsman notes that HIPPA was enacted to set a minimum standard for privacy practices in the healthcare sector. Debtors Notice of USC 363(b)(1)(B)(ii) (2006) 26 See Exhibit A, Section IV.B. 12

16 Case KG Doc 142 Filed 09/23/15 Page 16 of 23 Privacy Practices exceed those standards by further promising Debtors customers that Debtor would not sell its customer PHI without written authorization. 27 But for that promise, the contemplated transfer from one Covered Entity to another Covered Entity would be straightforward. However, an analysis of Debtors Notice of Privacy Practices raises issues under Section 5 of the FTC Act. Accordingly, the Privacy Ombudsman believes that the Court should utilize the guidelines created as a result of the Toysmart Stipulation and Settlement to evaluate Debtor s proposed sale of customer PHI. Additional Factors to Be Considered 41. In addition to the guidelines created as a result of the Toysmart Stipulation and Settlement, Bankruptcy Code Section 332 suggests at least four factors as to which the Ombudsman may inform the Court: (a) Debtors privacy policy; (b) potential losses or gains of privacy to consumers if a sale is approved; (c) the potential costs or benefits to consumers if such sale is approved; and (d) potential alternatives that would mitigate potential privacy losses or potential costs to consumers Debtors Privacy Policies - As discussed above, all of the PHI at issue here was collected pursuant to Debtors Notice of Privacy Practices which did restrict the transfer of information collected. 43. Potential Losses or Gains of Privacy if the Sale is Approved The Privacy Ombudsman does not want to understate the potential risk whenever PHI is transferred from one entity to another. However, such risk here is mitigated by the fact that Purchasers have 27 Section IV.B of Debtors Notice of Privacy Practices promises that Debtors will not make any disclosure of Protected Health Information that is a sale of Protected Health Information without your written authorization. (See Exhibit A) U.S.C

17 Case KG Doc 142 Filed 09/23/15 Page 17 of 23 stipulated to be a Qualified Buyer as defined under the Toysmart Stipulation and Settlement and would thus be subject to certain restrictions. 44. Potential Costs or Benefits to Consumers The Privacy Ombudsman strongly believes that providing ongoing medical treatment and maintaining access to prescription records are significant benefits. The responsible transfer of PHI from Debtors to Purchasers here will meet customer expectations, and provide the best possible chance of continued pharmacy service for Debtors customers. 45. Mitigating Potential Losses Debtors customers should be provided with multiple notices of the change in ownership and choice regarding how their PHI is utilized and where their prescriptions are filled going forward. The specific proposed requirements with respect to Debtors proposed transfer are set forth below. Recommendations 46. Based on the foregoing, the Ombudsman respectfully submits the following recommendations to the Court. 47. If Purchasers agree in writing to meet the definition of Qualified Buyer, the Court should approve the transfer of consumer information, including Patient PHI from Debtors to that Purchaser, provided that; a. Purchaser agrees to be bound and meet the standards established by Debtors Privacy Policies (e.g., the NPP); b. Debtors and Purchasers agree to provide notice of the sale transaction on the Purchasers and Debtors respective Websites. 14

18 Case KG Doc 142 Filed 09/23/15 Page 18 of 23 c. Debtors agree to post a notice at each pharmacy involved in a sale transaction in accordance with applicable state law advising the individuals of the transfer of their prescriptions and their right to request the transfer of their prescriptions and PHI to a pharmacy of their choice; and d. Debtors further agree to include on their telephone answering systems a message to notify customers that the pharmacy is closing and their prescriptions are being transferred as of a certain date, advising them of the name, address and phone number of the receiving pharmacy, and advising them of their right to request the transfer of their prescriptions and PHI to a pharmacy of their choice. Dated: September 23, s Alan Chapell ALAN CHAPELL 15

19 Case KG Doc 142 Filed 09/23/15 Page 19 of 23!! EXHIBIT!A!

20 Case KG Doc 142 Filed 09/23/15 Page 20 of 23

21 Case KG Doc 142 Filed 09/23/15 Page 21 of 23

22 Case KG Doc 142 Filed 09/23/15 Page 22 of 23

23 Case KG Doc 142 Filed 09/23/15 Page 23 of 23