Regulatory double jeopardy? FTC enforcement of privacy and security in healthcare

How should health care companies strengthen their HIPAA compliance programs to manage the risk of a potential FTC investigation?

While the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) intensifies its enforcement of the Health Insurance Portability and Accountability Act (HIPAA), covered entities and business associates may well find the Federal Trade Commission (FTC) knocking at their door. The FTC takes the position that Congress granted it broad powers to regulate unfair and deceptive practices under Section 5 of the FTC Act, including concurrent jurisdiction over the privacy and security practices of companies regulated under HIPAA.

The FTC has a history of working with OCR in a parallel manner to investigate security practices. The agencies began coordinating efforts in the 2009 and 2010 with the investigations into the health information disposal practices of CVS Caremark and Rite Aid. Both pharmacy chains entered a consent decree with the FTC under the FTC Act and a resolution agreement with HHS under HIPAA.

The FTC has not shied away from independently acting in the health care industry, particularly against business associates of covered entities for conduct occurring before HIPAA regulated those companies directly. In the FTC’s investigation of a hospital billing company considered a HIPAA business associate, the alleged failure to adequately safeguard laptops resulted in a 20-year consent order requiring a biennial security assessment by an external auditor. The FTC recently alleged a health care transcription provider’s lack of diligence in monitoring offshore contractor’s encryption and typist authentication and its statements it was “HIPAA compliant,” constituted unfair or deceptive practices.

The FTC has become emboldened. In the recent LabMD, Inc. order, it set forth its basis for authority in health data security enforcement despite the HIPAA regulatory regime. While the decision was in the context of a motion to dismiss a complaint on lack of jurisdiction grounds, the FTC clearly believes that it need not express any view on HIPAA to determine whether the FTC Act has been violated. What is most troubling is the notion that HIPAA compliance may be insufficient to protect against a Section 5 enforcement proceeding, a position that will be subject to great debate without immediate resolution.

So how should health care companies strengthen their HIPAA compliance programs to manage the risk of a potential FTC investigation? Here are some tips:

• Be clear in patient communications such as privacy notices and, in the case of business associates, marketing generally about protections over individually identifiable health information, so that communications don’t misrepresent the protections provided or overpromise on compliance. No one is perfect, but if you represent that you are in compliance, that communication may be considered deceptive when you are not.
• The FTC unfairness authority requires that the practice cause or be likely to cause substantial injury to consumers that is not reasonably avoidable by consumers themselves and is not offset by countervailing benefits to consumers or competition. Thus, if the practice produces consumer benefits or consumers could avoid harm by taking reasonable steps, identify those benefits and protective measures as part of the risk management process.
• Start with HIPAA security requirements as at least the minimum standards of reasonable and appropriate safeguards. The standards are scalable to the type of organization and type of health information being protected, but certain requirements must be implemented without regard to whether an equivalent alternative exists. Chief among these are a current risk analysis and a risk management plan that identify potential risks and vulnerabilities and the selection of security safeguards to reduce those risks. Other HIPAA standards with recent enforcement interest have been media disposal, workforce privacy and security training, disaster recovery, and technical safeguards for access control.
• Even the addressable HIPAA security standards require implementation unless the company documents a legitimate reason for not implementing the safeguard and adopts an equivalent measure. Thus, documenting why a particular safeguard is not a reasonable and appropriate choice from the consumer perspective provides some protection.
• Complete due diligence on business associate contractors before releasing health information. To the extent a covered entity provides interim instructions to a business associate, HHS may consider it liable for HIPAA violations of the contractor under an agency theory. At the same time, short of agency control, industry standards for performance can be established and some level of oversight should occur to monitor that these are met.
• Breach response is typically a stressful and fast-paced event. Amidst the immediate need to analyze and report the breach, identify effective remediation strategies that address the specific risks affected consumers may face and mitigate the further risk of harm. Both the FTC and OCR have used their enforcement authority where notice and remediation were untimely or lacking and where the breach is a reoccurring one due to the lack of follow through.

Republished with permission. This article first appeared in Inside Counsel on May 15, 2014.