News & Insights

As If HIPAA Wasn’t Enough (Now, There’s the FTC)

February 07, 2017

By Karen Duncan, R.N., Attorney at Law, Counsel to Medical Interactive


As If HIPAA Wasn’t Enough (Now, There’s the FTC)

Medical practices and hospitals already know that the Health Insurance Portability and Accountability Act (HIPAA) regulates patient privacy. Many may not know, however, that they are also required to comply with the Federal Trade Commission (FTC) – another government agency that regulates patient or consumer privacy.

Fundamentally, medical practices and hospitals are businesses engaged in commerce, just like Amazon or IBM. The FTC prohibits unfair or deceptive acts in commerce. In some cases, the same act that triggers a HIPAA violation could also trigger an FTC violation.

For example, in 2013, LabMD, a lab in Georgia that provided cancer screening, failed to protect the privacy of its patients' personal data, including medical information. LabMD’s patient information was publically available on a peer-to-peer file-sharing program, and police found LabMD’s patient information in the hands of identity thieves.

Both the FTC and the agency that enforces HIPAA (the U.S. Department of Health and Human Services Office for Civil Rights) asserted dual jurisdiction over the same LabMD data breach. The FTC asserted jurisdiction because the data breach was an unfair trade practice in that it misrepresented privacy and security practices that caused or could cause an injury to consumers.

Though each has different and complex standards, the FTC and HIPAA requirements differ in how each analyzes data security practices. LabMD argued that these duplicative sanctions for the same act were unfair. The matter has been in court and administrative hearing for years. This dueling agency jurisdictional dispute continues today, even though LabMD was forced out of business some time ago due to extraordinary legal defense fees.

Perhaps not surprisingly, LabMD is not the only example of overlapping FTC and HIPAA regulation of the same act. The FTC and HIPAA enforcement agency entered into settlements with drug store chains Rite Aid and CVS Caremark after the companies disposed of protected health information in dumpsters. Don’t let your practice become the next case study for HIPAA+FTC privacy claims.

How to Comply With the FTC

It may sound rudimentary, but in your privacy policy and patient authorizations, say what you do and do what you say. If you represent that you will secure your patient data in a particular way, don’t deviate and use the data in another way. Don’t mislead the patient, and don’t make data security promises you can’t keep.

Tell the patient the whole story. Reveal all the relevant facts up front. Don’t make a reader click to accept an authorization request that implies privacy controls, allowing them to discover the terms of their privacy only after acceptance that the data will be publically available.

Don’t bury important facts or requests for authorization in voluminous multi-page policies or website terms of use. Clearly and conspicuously display the important facts or authorization.

The FTC defines clear and conspicuous display as:

  • Prominent — The message must be big enough to read. This is especially important on mobile devices. Consider how font and color contrast will make the important facts more readable.
  • Presentation — Use non-technical language that is easily understood by the average reader.
  • Placement — Put the important facts where the reader is most likely to see them. Don’t make the reader scroll through multiple pages.
  • Proximity — In addition to prominent visual placement, put those most important facts in a place where they relevantly and logically fit.

For additional FTC guidance on disclosures, click here, or to compare disclosures in HIPAA and the FTC, click here.

How to Respond to a Data Breach

If your medical business discovers that a hacker got into your database, an employee lost an unencrypted laptop with sensitive data, or your billing records are missing, take a deep breath. You have a lot of work to do, but the below highlights the next steps that may be on the horizon.

First, the FTC presents guidelines on how to respond to a data breach:

  • Secure the physical areas related to the breach. Lock and change codes.
  • Take connected equipment off-line.
  • Monitor all access points to your system. Change all credentials.
  • Notify:
    • Law enforcement, FBI or local police (if data was hacked).
    • Legal counsel. Do not destroy evidence.
    • Credit card companies (if account data was hacked or stolen).
    • The patients whose information was stolen or lost. The FTC link below provides a model data breach notification letter, but again, seek legal or public relations counsel in this matter.
  • Assemble an internal response team. Identify and access outside professional aid – including IT expertise.  
  • Investigate with the advice of legal counsel and identified experts.
  • Develop a communication plan that reaches all affected audiences: employees, customers or patients, investors, business partners and business associates, and other stakeholders. Designate a point person within your business for releasing information to the media.

HIPAA has breach notification requirements that may differ from or be in addition to the FTC guidelines. All the more complex data breach requirements of HIPAA are beyond the scope of this article, but can be found here.

Finally, most states have separate laws about how to respond to a data breach. Louisiana law has different definitions of data and breach, and different response requirements when compared to the FTC or to HIPAA. Louisiana businesses must also comply with the relevant state law when responding to data breaches.

Complying with all of these regulations can be enormously complicated and confusing. For personalized consultation with a LAMMICO Risk Management expert, please call 504.841.5211. To review your insurance limits for Medefense and Cyber Liability coverage, contact your LAMMICO Marketing representative at 504.831.3756.

Recommended Reading For You

Medical Interactive Presents New Online Courses

Read More

Regulatory Response to Vaccine Refusal

Read More

2019 LAMMICO Rate Update

Read More

Newsletters:

Annual Reports:

Receive Regular Updates: