Logan Parker
Privacy Editor
Loyola University Chicago School of Law, LL.M. in Health Law 2017
On October 22, 2016, the Federal Trade Commission (“FTC”), in conjunction with the Department of Health and Human Services’ Office for Civil Rights (“OCR”), released new guidance on key privacy and security considerations for organizations handling health data. The guidance explains that health data, once thought of as the purview of OCR alone, is now subject not only to the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (“HIPAA”), but also to the FTC and the FTC Act. The guidance puts business associates on notice that they have responsibilities and obligations for health data on both fronts, and that an entity’s failure to comply will subject it to penalties under both acts.
Recent Conflict between FTC Regulations and HIPAA
The joint guidance is long overdue. The most recent and prime example of the conflict between the FTC Act and HIPAA comes from the LabMD Opinion and Final Order. The FTC brought an enforcement action against LabMD, a now-defunct medical testing laboratory, for lax data security practices that constituted an unfair practice under Section 5 of the FTC Act. The FTC directed LabMD to take remediation steps to ensure that it protects sensitive consumer health data going forward. The matter is still before the courts.
An interesting conflict over enforcement jurisdiction arose from the case because health data was at issue. Health information breaches typically fall within the jurisdiction of OCR, yet here the FTC extended its jurisdiction to these types of cases as well. The question of enforcement jurisdiction and which law applies was ripe for guidance.
Guidance Details
The agencies discussed foundational principles of HIPAA, such as the importance of HIPAA authorization. The guidance explained that HIPAA-regulated entities (providers, health plans and health care clearinghouses — covered entities — and business associates) must obtain a valid HIPAA authorization from the consumer prior to using or disclosing that consumer’s health information for most purposes unrelated to treatment, payment or health care operations. The guidance then discussed the application of the HIPAA authorization to the FTC Act and its prohibition on deceptive or unfair acts or practices.
The HIPAA authorization collected by a covered entity from a patient must be in plain language, conspicuous, not misleading, and must include specific terms and descriptions. “If you are a business associate, there is a crucial first step: the covered entity must give you explicit permission through a HIPAA business associate agreement.” The guidance makes clear that even though an authorization may meet all the requirements of the HIPAA Rules, there is now an additional obligation not to mislead consumers, and it provides suggestions about how best to ensure that authorizations meet the requirements of both HIPAA and the FTC Act.
Lessons Learned
To healthcare entities, or to large corporations that have a healthcare function, the guidance may seem like excessive oversight. HIPAA alone requires a dedicated team of individuals to ensure that business operations comply with the regulation, and OCR is a formidable enforcement agency. When the FTC and its regulations are overlaid on an already highly regulated healthcare environment, the task of compliance is daunting.
For entities operating in healthcare, it is more essential than ever that your compliance program be effective. Additional policies and procedures, specifically addressing the FTC Act, may need to be drafted and implemented company-wide. Resources may need to be added or allocated differently to meet these new compliance needs (for example, a new full-time equivalent employee). Compliance training on unfair, deceptive, and abusive practices will need to be administered and tracked accordingly. Finally, monitoring and auditing practices will need to be amended to take the FTC Act into account.