Medical practices and hospitals already know that the Health Insurance Portability and Accountability Act (HIPAA) regulates patient privacy. Many may not know, however, that they must also comply with the Federal Trade Commission (FTC) Act, enforced by a second government agency that regulates consumer privacy, including patient privacy.
Fundamentally, medical practices and hospitals are businesses engaged in commerce, just like Amazon or IBM. Section 5 of the FTC Act prohibits unfair or deceptive acts or practices in commerce. In some cases, the same act that triggers a HIPAA violation can also trigger an FTC violation.
For example, LabMD, a Georgia laboratory that performed cancer screening, failed to protect its patients' personal data, including medical information. A LabMD file containing patient information was exposed on a peer-to-peer file-sharing network, and police later found LabMD patient records in the hands of identity thieves. The FTC filed its complaint in 2013.
Both the FTC and the agency that enforces HIPAA (the U.S. Department of Health and Human Services Office for Civil Rights, or OCR) asserted jurisdiction over the same LabMD data breach. The FTC asserted jurisdiction under Section 5 of the FTC Act, alleging that LabMD's inadequate data security was an unfair trade practice because it caused, or was likely to cause, substantial injury to consumers.
The FTC and HIPAA apply different and complex standards, and each analyzes data security practices differently. LabMD argued that duplicative sanctions for the same act were unfair. The matter has been in federal court and administrative hearings for years, and the jurisdictional dispute between the two agencies continues today, even though LabMD went out of business some time ago under the weight of its legal defense costs.
Perhaps not surprisingly, LabMD is not the only example of overlapping FTC and HIPAA regulation of the same act. The FTC and HHS OCR both reached settlements with the drug store chains Rite Aid and CVS Caremark after the companies disposed of protected health information in dumpsters. Don't let your practice become the next case study for combined HIPAA and FTC privacy claims.
How to Comply With the FTC
Tell the patient the whole story, and reveal all the relevant facts up front. Don't present an authorization request that implies privacy protections and then let the patient discover, only after clicking to accept, that the data will be publicly available.
The FTC's guidance on clear and conspicuous disclosure has four elements:
- Prominent — The message must be big enough to read. This is especially important on mobile devices. Consider how font and color contrast will make the important facts more readable.
- Presentation — Use non-technical language that is easily understood by the average reader.
- Placement — Put the important facts where the reader is most likely to see them. Don’t make the reader scroll through multiple pages.
- Proximity — Beyond visual prominence, put the most important facts next to the statement or choice they qualify, where they logically belong, rather than in a separate section the reader must hunt for.
How to Respond to a Data Breach
If your medical business discovers that a hacker got into your database, an employee lost an unencrypted laptop holding sensitive data, or your billing records are missing, take a deep breath. You have a lot of work to do, but the steps below outline what comes next.
First, the FTC's breach response guidance for businesses covers the immediate steps:
- Secure the physical areas related to the breach. Lock them and change access codes.
- Take affected equipment offline by disconnecting it from the network. Do not wipe, reimage or reuse it yet; logs and disk contents are evidence.
- Monitor all access points to your system. Change all credentials, including any that may have been exposed.
- Engage legal counsel early. Do not destroy evidence.
- Assemble an internal response team. Identify and engage outside professional help, including IT expertise.
- Investigate with the advice of legal counsel and the identified experts.
- Notify law enforcement, the FBI or local police, if data was hacked.
- Notify the credit card companies if payment account data was hacked or stolen.
- Notify the patients whose information was stolen or lost. The FTC's breach response guide provides a model data breach notification letter, but again, seek legal or public relations counsel before sending it.
- Develop a communication plan that reaches all affected audiences: employees, customers or patients, investors, business partners and business associates, and other stakeholders. Designate one point person within your business for releasing information to the media.
HIPAA has its own breach notification requirements that may differ from, or apply in addition to, the FTC guidelines. The more detailed HIPAA breach requirements are beyond the scope of this article; they are set out in the HIPAA Breach Notification Rule (45 CFR 164.400-414).
Finally, most states have their own laws on responding to a data breach. Louisiana's Database Security Breach Notification Law (La. R.S. 51:3071 et seq.) defines personal information and breach differently from the FTC and HIPAA and imposes its own response requirements. Louisiana businesses must also comply with the relevant state law when responding to a data breach.
Complying with all of these regulations can be enormously complicated and confusing. For personalized consultation with a LAMMICO Risk Management expert, please call 504.841.5211. To review your insurance limits for Medefense and Cyber Liability coverage, contact your LAMMICO Marketing representative at 504.831.3756.