Skip to main content

If HIPAA Wasn’t Enough…

Federal Trade Commission Begins Enforcement . . .
The Federal trade Commission, recently announced that it will now pursue cases involving the failure to maintain the confidentiality of sensitive information about an individual when a promise to the consumer (or patient) has been made by the provider of services (such as a healthcare entity) through the Notice of Privacy Practices (NPP) or other privacy policies posted on a website.

Two recent examples of the FTCs enforcement actions were recently made public. Both present different outcomes than the penalties set from the Department of Health and Human Services’ Office for Civil Rights in its settlements tied to HIPAA enforcement.

The First is Atlanta-based LabMD. As a result of this FTC enforcement action, LabMD announced that it is closing down operations, citing the impact the investigation has had on the company. LabMD suffered a breach of patient information in 2010 when a document was inadvertently leaked from its peer-to-peer network and found on a file sharing network. This prompted the FTC to open its investigation. After two years of investigation, the FTC filed a complaint that alleged LabMD had breached the information of nearly 10,000 consumers. The FTC proposed that the company implement a comprehensive security program and submit to biannual assessments by an independent third party for next 20 years.

The second recent enforcement action involved California-based GMR Transcription, which provides transcription services to healthcare organizations. The complaint alleged that due to inadequate security around how files created by the transcriptionists were handled by GMR’s service provider, they were indexed by a major Internet search engine and made available to anyone using that search engine. The GMR breach involved sensitive information, including driver’s license numbers, tax information, medical histories, notes from children’s medical examinations, medications and psychiatric notes.

In both cases, the FTC found that the companies involved failed to provide reasonable and appropriate security for personal information on their computer networks and that this failure could lead to consumer identity theft and unauthorized disclosure of private medical information. The commission further asserted that this represented an unfair act or practice under the FTC Act. And the commission stressed that HIPAA or other statutes do not constitute a shield to protect entities from the FTC Act.

In short, what this means is that the FTC intends, to fully exercise its responsibilities when it deems it appropriate and/or necessary to protect consumers. And it means that healthcare entities have one more regulatory agency overseeing their activities. Enforcement just got tougher, and, as a result, security incidents could be far more costly.