#uwjlta

Hide Your Info: Exploring the Lackluster Protection of HIPAA

/ Washington Journal of Law, Technology & Arts / Leave a comment
Photo by Tara Winstead on Pexels.com

By: Zach Finn

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, and has since become a touchstone for the protection of confidentiality and security of personal health information in the United States.

Or, so we thought. The rise in technology has advanced the way information is stored and shared. Biomedical databases store high volumes of information, ranging from personal external identifiers such as medical reports, to even individual genetic sequencing, exemplified by 23andMe’s and Ancestry‘s storage of genetic information. Large data and biobanks (a collection of biological samples, like blood and health information) create access to a plethora of quality human data, which prove to be valuable in medical research, clinical trials, and understanding genomics. But at what cost?

HIPAA requires medical and genetic information to be anonymized before being distributed and shared to third parties outside the relationship of medical providers and patients. Technology has created a loophole in HIPAA, through re-identification processes, which allows individuals to match medical information back to specific individuals using open source data. Re-identification, as of now, disarms HIPAA, rendering de-identified (anonymized) medical information basically unprotected from parties who obtain personal biodata through re-identification.

HIPAA nationalizes standards for protecting the privacy and confidentiality of individuals’ personal health information (PHI). It requires covered entities to provide individuals with notice when sharing a person’s genetic information. HIPAA is violated when a covered entity discloses personal and identifiable health information without the consent of the patient. These covered entities include healthcare providers, health plans, and healthcare clearinghouses. Technology provides entities with the ability to de-identify and anonymize large data sets in order to share health information and be in compliance with HIPAA. Anonymization removes personal identifiers like names, addresses, date of birth, and other critical identifiers. HIPAA sets out requirements of what needs to be de-identified, and once anonymized, personal health information is shareable and HIPAA compliant.

Re-identification is the process to which materials and data stored in biobanks can be linked to the name of the individuals from which they were derived. This is done by taking public information and re-matching it the anonymized data. It sounds difficult, but a study concluded that 99.98% of Americans would be correctly re-identified in any dataset using 15 demographic attributes such as age, gender and marital status. For example, in the 1990s, one could purchase the Cambridge, MA voter registration list for $20, and link it to a public version of the state’s hospital discharge database to reveal persons associated with many clinical diagnoses.

HIPAA has yet to play catch up with the innovation of technology. The requirements for compliance in anonymization lack the sophistication and protective measures needed to combat the expanding use of re-identification practices. HIPAA’s privacy rule does not restrict the use or disclosure of de-identified health information, since it no longer is considered protected health information. This means that any re-identification of this earlier protected information is not subject to HIPAA. This ultimately demonstrates HIPAA’s weak protective measures, and the alarming concern of how easily accessible our genetic and medical information is to third parties.

Re-identification of HIPAA compliant anonymized information is not a violation of the statute. We must consider reforming HIPAA to acknowledge technology’s capabilities to bypass its security measures. One way an individual can ensure privacy of his or her genetic and medical information is by not consenting to sharing or storing this data. Covered entities must give notice and obtain consent before de-identifying and sharing biobanks. However, this comes with the price of stifling research, trials, and genomics. Hopefully we can figure out a balance between confidentiality and sharing private information, but it starts with drafting laws that actually protect our personal and most private information!

Battle of the Bike Trainers: Following the Patent War Within the Cycling Community 

/ Washington Journal of Law, Technology & Arts / Leave a comment
Photo by Max Vakhtbovych on Pexels.com

By: Zach Finn

The move to integrate physical activity with rapidly changing technology is not a new endeavor. In the last ten years, gadgets such as smartwatches and smart mirrors, and companies  like Peloton have advanced the ways we exercise and  track our personal fitness. With this emerging field combining technology and exercise, a new market space has opened, causing companies to quickly create innovative equipment or fall behind to more inventive competitors. With the downfall of Peloton starting in March of 2021, the cycling industry has seen an uproar of technological innovation ranging from E-bikes to online virtual reality racing and exercising. With all the excitement and novelty that this brings, comes a battle for market dominance in this developing smart biking space. This has produced an exhilarating and dramatic patent war.

Wahoo Fitness (“Wahoo”) is a fitness technology company based in Atlanta, Georgia. In April 2022, the hardware developer acquired RGT Cycling, a virtual cycling platform, thus acquiring new software to help develop an indoor cycling and gaming program through a subscription service known as Wahoo X. Using Wahoo’s KICKR and KICKR CORE trainers, hardware that one attaches to the rear of a cycling bike making it stationary while connecting it to virtual software, Wahoo transformed its company to produce smart bike trainers that deliver a “realistic, accurate, and quiet indoor cycling experience.” Wahoo acquired patents for their hardware.

Zwift, a software company, owns and operates a multiplayer online cycling and running physical training program, enabling users to interact, train, and compete in a virtual world. In an effort to capitalize on the booming indoor cycling frenzy, Zwift partnered with JetBlack, a hardware developer, to develop its own bike trainer. This trainer, known as the Zwift Hub, became available in the United Kingdom and the United States on Oct. 3rd, 2022, and on that same day, Wahoo filed suit against both Zwift and JetBlack for patent infringement.

35 U.S. Code § 271, “Infringement of a Patent”, states that “whoever without authority makes, uses, offers to sell, or sells any patented invention, within the United States or imports into the United States any patented invention during the term of the patent therefor, infringes the patent.” The U.S. Patent system is founded on protection which incentivizes businesses and people to continue to innovate and develop new products and ideas, with less threat from copycats. Wahoo alleges that Zwift has rebranded the JetBlack Volt Trainer, which they believe, in layman’s terms, is a rip-off of their KICKR CORE trainer. Wahoo has filed three patent infringement claims.

United States Patent No. 10.046.222, entitled “System and Method for Controlling a Bicycle Trainer” was issued by the United States Patent and Trademark Office on August 14, 2018. United States Patent No. 10.933.290, entitled “Bicycle Trainer” was issued on March 2, 2021. United States Patent No. 11.090.542, entitled “System and Method for Controlling a Bicycle Trainer”, was issued on August 17, 2021. Wahoo owns all rights and interests for each patent, including the sole and exclusive right to prosecute and enforce the patent against infringers. They have the right to collect damages against those who have infringed upon the patents. The KICKR and KICKR CORE practice the invention claimed by all three patents. Pursuant to 35 U.S.C § 287, Wahoo gives notice of the patent by listing them on its website.

Should the court find that Zwift has infringed upon Wahoo’s patent, Wahoo is seeking injunctive relief. This means Wahoo is pushing the courts to forbid Zwift from releasing the Hub in the United States retail space. Wahoo is also seeking compensatory damages for any harm the company endured from the release. Winter v NRDL (2008) is the leading case for requirements for preliminary injunctive relief. To obtain a preliminary injunction as Wahoo is currently seeking, the company will need to show 1) the likelihood of success of a permanent injunction based on the merits of the claim, 2) irreparable harm caused by Zwift, 3) a balance of equities (what would be fair), and 4) what is in the interest of the public. We should expect to see how the court rules on a temporary injunction very soon, and a permanent injunction down the line. It seems plausible for Wahoo to get a preliminary injunction against Zwift, if they establish the requisite likelihood of success on the merits, demonstrate an irreparable harm like monetary loss caused by Zwift, articulate the dangers of patent infringement, and portray how an injunction is to the betterment of public interest.

To thicken the patent war drama even more, in June 2015, Wahoo was sued for patent infringement over the very same stationary trainer that the company is suing Zwift and JetBlack for using. Powerbahn, another hardware company, sued Wahoo for patent infringement, seeking at least $1 million in lost royalties. Powerbahn licensed its patented hardware to a company called Nautilus Inc. In Powerbahn’s filed claim, Nautilus Inc.’s executive took the technology when he left the company to join another. The company he joined then licensed the patent to none other than Wahoo. The case was dismissed in April 2021, but it illustrates the theatrical and dramatic timeline of the trainer patent.

In summary, it is an exciting time at the intersection of the technological, cycling, and legal communities. As this new development in the patent war over biker trainers ensues, one must wonder the means and reasons for patent litigation today. In my opinion, as an avid cyclist enthusiast and law student, I question the motives behind Wahoo’s patent infringement claims against Zwift. If the JetBlack Volt Trainer, the hardware Wahoo believes Zwift developed and used for their Hub, was released in 2020, why did Wahoo wait until Zwift partnered with JetBlack, acquired the hardware, produced, and released it to the public? My thought is that Wahoo wanted to strategically undercut one of its biggest rivals, hoping that this patent infringement will lead to an injunction, which would severely destabilize Zwift’s success in the technological exercise market space. If this is the case, those who have interest in antitrust might also want to follow this development. Until then, we can only sit back and watch as this patent war unfolds like a soap opera, as Zwift had until October 24, 2022, to respond to Wahoo’s complaint.