The arcane world of data security regulations just got a little more ambiguous.
In January, the Federal Trade Commission affirmed its authority to bring action against businesses that fail to adequately protect consumer data. The decision has particular implications for health care, as the case involved LabMD, a medical testing laboratory and a covered entity under HIPAA.
FTC last August filed a complaint against LabMD alleging the company exposed the personal information of about 10,000 people in two incidents. LabMD responded with its own missive: a motion to dismiss the complaint on the grounds that the FTC enforcement action clashed with HIPAA’s information security regulations.
On Jan. 16, FTC commissioners rejected LabMD’s arguments. As a result, health care providers and their business associates now need to consider FTC in addition to HHS’ Office for Civil Rights as a data security enforcement organization.
“What the FTC is saying is they feel they have the latitude … to go after anyone who doesn’t live up to the promises they make with respect to protecting their data,” said Mac McMillan, CEO of CynergisTek, an IT security consulting firm that focuses on health care.
“This was a big surprise to a lot of people,” McMillan said, adding, “Most health care organizations have never really viewed FTC as a regulatory body as it relates to privacy and security.”
Here are some other things healthcare organizations might find surprising:
- The “new” regulator isn’t particularly new — FTC has been sniffing around health care and security for a number of years.
- Settlements with FTC could involve 20 years of privacy audits if recent history applies to health care companies.
- None of this may ever happen — pending court cases could check FTC’s data security watchdog role.
FTC’s assertion of authority stems from its interpretation of the FTC Act and its mission of pursuing consumer trust issues. In the LabMD decision, the commissioners ruled that a company’s data security lapses fall within the scope of the FTC Act’s ban on “unfair … acts or practices.”
The commission’s enforcement track, however, puts it on a path similar to OCR.
LabMD cited this overlap in its motion to dismiss. The company argued that HIPAA — which empowers OCR’s enforcement work — takes precedence over the FTC Act in the realm of data security.
The commissioners disagreed, saying, “Nothing in HIPAA … reflects a ‘clear and manifest’ intent of Congress to restrict the Commission’s authority over allegedly ‘unfair’ data security practices such as those at issue in this case.”
FTC’s decision is unlikely to stand as the final word on its data security powers in health care and other fields. Ongoing court cases should help determine whether FTC’s position will prevail. In one example, a federal court will rule on Wyndham Worldwide Corp.’s contention that FTC’s pursuit of data security represents an overreach of its authority. FTC in 2012 sued the hotel chain for alleged data security failures.
While the cases continue, some industry watchers believe FTC and OCR will be able to work cooperatively.
Scott Walters — director of security at INetU, a managed hosting and cloud provider that targets the health care industry — said FTC and HHS “are smart enough not to get into a double jeopardy situation” in which the two agencies would take independent action against the same company.
“I can see it being complementary for a while,” Walters said.
Brad Keller — senior vice president at the Santa Fe Group and program director of the company’s Shared Assessments Program — pointed out that FTC and HHS have some history with coordinated action. As an example he cited a 2010 case in which Rite Aid agreed to pay $1 million to settle potential HIPAA violations, following an “extensive joint investigation” by OCR and FTC.
“If you think about it, this isn’t all that new,” Keller said.
McMillan also noted FTC’s previous interest in data security, citing the commission’s discussions over the past five years with organizations including the Office of the National Coordinator for Health IT.
“They have always been clear: if they receive a complaint or perceive a customer trust issue, they will pursue it,” McMillan said.
Effect on Health Care Industry
Assuming FTC’s authority survives court challenges, health care providers would have another data security enforcement body looking at them — and one that can levy fines and order corrective measures.
As for fines, HIPAA has a higher penalty limit. David Harlow — president of The Harlow Group LLC, a healthcare law and consulting firm — noted that fines under the FTC Act are limited to $16,000 for each violation, compared with HIPAA’s maximum fine of $1.5 million.
McMillan, on the other hand, suggested that FTC has a more powerful weapon: privacy audits. When Google and Facebook settled with the FTC — amid complaints of mishandling users’ personal information — the companies agreed to undergo privacy audits for 20 years as part of the deal,according to Forbes.
McMillan said the cost of conducting periodic audits could prove more expensive in the long run than a HIPAA fine. “You’ve got the cost of an external monitor for 20 years,” McMillan said, noting that the audits are conducted by a third party.
He said, “It’s not just the cost, but being under the microscope for 20 years,” adding, “That is an awfully long time to have the government … reviewing what you are doing.”
But the effect of FTC enforcement should not prove as dire for health care providers who stay on the right side of HIPAA.
“If they pay attention to HIPAA, they are going to be fine,” Walters said. “I don’t think FTC is going to end up trumping HIPAA.”
Walters said the investment in HIPAA, HITECH and the omnibus rule suggests that those requirements will endure as the data security standard in health care.
McMillan said he believes FTC will apply HIPAA’s privacy and security requirements when considering health care companies.
“They are not going to pull some other standards out,” he said.
A gray area still exists, nevertheless. While HIPAA enforcement relies on specific rules, FTC pursues enforcement through case-by-case litigation, Harlow said. The commission doesn’t operate with a list of unfair business practices, he added. So, at least in theory, FTC could find fault with a HIPAA-compliant health care provider.
“There is still room for FTC to maneuver, even if they are fully HIPAA compliant,” Harlow said.