Jan 142021
 January 14, 2021  Posted by  Business, Featured News, Healthcare, Online

One of my go-to HIPAA law resources is attorney Jeff Drummond. He and I often disagree on politics, but I will always consider what he says This week, I found myself seriously disagreeing with one of Jeff’s blog posts.

Unless you’ve been living under a rock this week, you already know about the brouhaha when Facebook and Twitter permanently suspended President Trump’s accounts, and then the Google Play and App Store removed Parler from their offerings, and then Amazon AWS cancelled Parler’s hosting contract with them.

Jeff, who had found Parler to be a more welcoming platform for conservatives than Twitter, writes:

AWS has made a subjective value-based judgment that Parler is dangerous and should be shut down, because Parler is used by people that AWS deems to be dangerous. AWS has shut a large customer out of its operations because AWS does not approve of the customer’s customers.

Jeff frames it as not approving of people, but the action was on the basis of behavior — posts — that endanger the safety of others and public safety.  But we’ll get back to it.

Jeff then tries to build a case that Amazon AWS terminating its contract with Parler means that HIPAA covered entities and business associates that use Amazon AWS are also at risk of similar abrupt cancellation by Amazon AWS.

Step by “it’s not a stretch to” step, Jeff tries to build the case that what Amazon AWS did is so concerning that HIPAA covered entities and business associates may be out of compliance with HIPAA if they use Amazon AWS.

I know Jeff is mad at them, but his argument is more of a stretch than me trying to get back into my workout clothes after gaining tons of weight in the past few months.  And that’s a pretty significant stretch, unfortunately.

He writes:

There’s no avoiding the obvious conclusion here: if you use AWS cloud services, you run the risk of AWS shutting you out of operations if AWS decides it does not like the patients or beneficiaries you serve.

Thus, as a HIPAA covered entity, you fail to ensure “availability” of PHI if you use AWS.  HIPAA requires you to have reasonable safeguards to protect availability of PHI; if you are hosted by AWS and get shut out, your PHI is not longer available; it’s not reasonable to not protect against that possibility.

Final result: using AWS may be a violation of HIPAA, because it an unreasonable risk to availability.

Those are pretty astonishing claims, so I looked into Amazon’s actions with respect to Parler. Had they done what Jeff accused them of?

What I found is that Amazon AWS had contacted Parler in the weeks before it took action to point out concerning content on Parler that posed a public safety threat or that promoted violence. Amazon AWS submitted approximately 100 posts to them over a period of weeks to ask Parler what it was doing about them.  Parler allegedly not only did not deal promptly with the approximately 100 examples Amazon AWS provided to Parler, but at one point, Parler’s CEO allegedly admitted that they had a backlog of about 26,000 posts to consider, and that their approach at that point involved using “volunteers” to deal with problematic content complaints.  All of this is described in a brief Amazon AWS filed in opposition to a motion by Parler for a TRO.

After January 6, Amazon AWS sent Parler additional posts that were concerning because they advocated assassination of specific people or other violence.  Again, Amazon AWS asked Parler for its plan to eliminate the problematic content from its platform. When Parler didn’t handle the content threatening violence, Amazon enforced the terms of contract.  Their contract

makes clear that AWS may suspend or terminate an account “immediately” upon notice if AWS determines that an end user’s use of the services “poses a security risk to the Service Offerings or any third party,” or otherwise breaches the Agreement.

Threatening to kill named people or plotting with others to harm them would seem to pose a security risk to a third party, wouldn’t it?

Amazon AWS did not suspend or terminate Parler immediately, but only after repeated inquiries to Parler with examples of problematic content.  And the problems were allegedly increasing, not decreasing. If you are wondering about the content that Amazon AWS called attention to, it included items like these:

    • “Fry’em up. The whole fkn crew. #pelosi #aoc #thesquad #soros #gates#chuckschumer #hrc #obama #adamschiff #blm #antifa we are coming for you andyou will know it.”
    • “Shoot the police that protect these shitbag senators right in the head then make thesenator grovel a bit before capping they ass.”
    • “This bitch [Stacey Abrams] will be good target practice for our beginners.”
    • This cu** [United States Secretary of Transportation Elaine Chao] should be…
      hung for betraying their country.”

(The above are either in the Amazon AWS brief filed in court or provided to PogoWasRight.org by an Amazon AWS spokesperson).

Now Jeff will probably and correctly point out that there are likely many people on Parler who did not issue threats of violence or endanger public safety, and I would likely agree with him.  But I also agree that Amazon AWS has the right to enforce their agreement and they shouldn’t have to host such objectionable and dangerous content.  Would Jeff demand they host child pornography or snuff films too if an AWS customer didn’t deal with those kinds of problematic content?  After all, it’s not a stretch to take his argument to that level, right?

In his post, Jeff claimed that Amazon AWS locked Parler out of their data as if Parler lost their data because of Amazon AWS’s actions. That is not true, either.  On January 9, 2021,  after Parler continued to fail to deal with violent content and in light of an increasing number of violent posts, AWS notified Parler it would suspend its account effective 11:59 p.m. January 10.  Amazon AWS’s statements to Parler allegedly confirmed that AWS would

 “ensure that all of your data is preserved for you to migrate to your own servers, and will work with you as best we can to help your migration.”

That’s a far cry from Jeff’s claim that AWS “locked Parler out of its data.” They preserved the data and offered to help with migration of it.

Jeff clearly doesn’t like what Amazon AWS did to a platform he favored, but to suggest that HIPAA covered entities should reconsider using Amazon AWS because they enforced a contract with Parler makes me wonder if he is really advising his firm’s clients this way.

“It’s not a far stretch,” Jeff writes, “to think that a healthcare system in a red state would be at risk of being shut out of AWS, because its patients are the types of people AWS associates with Parler.”

What would these patients be doing on AWS’s service that would violate the agreement between a covered entity or business associate and Amazon AWS?  I am hard-pressed to think of any scenario where AWS would suspend a  healthcare system’s contract or terminate it because of something patients might do. Are covered entities letting patients post on the hospital’s web site that they want to kill or assassinate people? What objectionable content would Amazon AWS claim violates its agreement?

Jeff continues:

It’s certainly not a stretch to think that AWS could shut down cloud access to a health plan for a gun manufacturer. Oil companies, Catholic charities, beef farmers, anyone not liberal is at risk.

“Oh, come on,” you say, “these are odious people on Parler, all good people would agree they are terrible folks and deserve to be shunned.” Well, wait until it happens to you. Once your vendors start making value judgments (and “picking sides,” which is what they’re doing), all bets are off.

And that’s where Jeff’s failure to distinguish between making judgments about people and judgments about violent content results in his argument failing. There should be no sides when it comes to threats of violence or planning violence. It is one thing to plan a protest, it is another to plan to bring plastic handcuffs or to seek out people to terrorize them or physically harm them.

There’s no avoiding the obvious conclusion here: if you use AWS cloud services, you run the risk of AWS shutting you out of operations if AWS decides it does not like the patients or beneficiaries you serve.

No, you run the risk that you always run — that if you violate the terms of contract, the entity may enforce or terminate the contract.

Thus, as a HIPAA covered entity, you fail to ensure “availability” of PHI if you use AWS.

HIPAA requires you to have reasonable safeguards to protect availability of PHI; if you are hosted by AWS and get shut out, your PHI is not longer available; it’s not reasonable to not protect against that possibility.

By the way, isn’t that what backups are for?  And didn’t AWS offer to help its now-former customer to migrate to their new host?

Final result: using AWS may be a violation of HIPAA, because it an unreasonable risk to availability.

Is Jeff going to lay this all out to HHS to see their opinion? I will be surprised if he does.

It’s okay for Jeff to be angry at Amazon AWS or disappointed with them.  It’s okay to disagree strongly with Amazon AWS’s decision. I am a bit surprised, though, because since he is a lawyer,  I would expect Jeff to defend a business’s right to enforce its terms.

But for him to try to argue that using Amazon AWS may mean an entity is out of compliance with HIPAA is just a stretch waaaaay too far.  Indeed, I think it would be a shame if people actually used less secure and less reliable hosts for data because Jeff has scared them. I think there are concerns that can be raised about using cloud services and AWS, but not the issues he has raised.

Or is Jeff’s post just a coded message to tell people to boycott Amazon AWS for political reasons? If so, just call for a boycott for political reasons. But to claim that this raises a genuine HIPAA compliance concern?  Nope, I don’t buy it.

Jan 142021
 January 14, 2021  Posted by  Court, U.S., Workplace

Chris Dickerson reports:

MARTINSBURG – Two Jefferson County school bus drivers have sued the county school superintendent after they were suspended for attending the rally last week that led to the storming of the U.S. Capitol.

Tina Renner and Pamela McDonald filed their lawsuit January 11 in U.S. District Court against Dr. Bondy Shay Gibson.

According to their complaint, Renner and McDonald are supporters of President Trump who rode on a bus chartered by the Frederick County (Maryland) Conservative Club to attend the January 6 rally in Washington, D.C.

Read more on West Virginia Records.

As much as I may disagree with their political views, just going to D.C. and being at the rally or near the capitol is not a crime, and what this district did sounds like discrimination based on political views. In my view, this is a workplace and privacy issue — and speech issue — about what employees can do in their own time. If their only activities were as described in their lawsuit, then I do hope they prevail.

Jan 142021
 January 14, 2021  Posted by  Business, Featured News, Govt, Non-U.S.

Iris Deng reports:

The communications authority in southern Guangdong province has cracked down on the operation of 209 apps, including seven run by internet giant Tencent Holdings and one from electric car maker Xpeng, over privacy and security concerns amid China’s renewed drive against misuse of consumer data.

The Guangdong Communications Administration in November and December last year ordered 201 of those apps to be rectified for infringing user rights and posing as cybersecurity risks across a range of categories, including video games, retail, and banking and finance, according to a notice on the agency’s website on Monday. It said eight other apps were directed to shut down.

Read more on South China Morning Post.

Jan 142021
 January 14, 2021  Posted by  Business, Online, Surveillance

By Jack Nicas, Mike Isaac and Sheera Frenkel report:

Neeraj Agrawal, a spokesman for a cryptocurrency think tank, has typically used the encrypted messaging app Signal to chat with privacy-minded colleagues and peers. So he was surprised on Monday when the app alerted him to two new users: Mom and Dad.

“Signal still had a subversive shine to it,” said Mr. Agrawal, 32. “Now my parents are on it.”

Read more on The New York Times.

Meanwhile, Taylor Hatmaker reports Telegram blocks ‘dozens’ of hardcore hate channels threatening violence.