In new joint guidance from the Federal Trade Commission (FTC) and the U.S. Department of Health and Human Services Office for Civil Rights (OCR), HIPAA covered entities and business associates are reminded that they are subject to enforcement under both the HIPAA rules and the FTC Act's prohibition on unfair or deceptive business practices. A covered entity or business associate that relies on a consumer's permission to use or share electronic Protected Health Information (ePHI) must make sure that permission, and any accompanying privacy or security claims, are written in plain language so that consumers are not misled about what will happen to their data.
The FTC, which initially carried out HIPAA-related enforcement actions jointly with OCR, is now stepping out on its own. In the earlier dual actions described below, involving CVS Caremark and the Rite Aid Corporation, the FTC treated the covered entities' HIPAA failures as unfair or deceptive business practices. Earlier this year the FTC obtained a monetary settlement from a business associate, Henry Schein Practice Solutions, over deceptive claims about the strength of its encryption. And most recently, in the LabMD matter, the full Commission overturned an administrative law judge's dismissal of a case in which the judge found that the FTC had not met its burden of proof.
Here is how FTC settlements with HIPAA covered entities and business associates have evolved in recent years, case by case.
CVS Caremark (2009) and Rite Aid Corporation (2010)
In the dual enforcement actions, CVS and Rite Aid settled with both the FTC and HHS. Despite stating publicly that they protected customers' privacy, both companies had locations that disposed of pharmacy trash containing sensitive patient health and financial information in open dumpsters. CVS Caremark paid HHS a $2.25 million HIPAA resolution amount and Rite Aid Corporation paid $1 million. Both companies also accepted 20-year consent orders with the FTC for deceptive business practices. Under those orders, CVS and Rite Aid had to establish, implement, and maintain a comprehensive information security program, and obtain independent third-party assessments of their security practices every two years for the 20-year term.
Accretive Health, Inc. (2014)
The FTC found that Accretive Health did not use reasonable and appropriate measures to protect health information. An Accretive Health employee's unencrypted laptop was stolen from his car. At the time of the theft, the laptop held files on 23,000 patients containing more than 20 million pieces of information. Accretive Health agreed to a 20-year consent order with the FTC requiring it to create and maintain an information security program with independent, biennial assessments. Notably, as the law firm Wiley Rein points out, this was brought as an unfairness claim, not a deceptive business practice claim. And although Accretive Health was a business associate subject to the HIPAA Security Rule, the FTC's complaint did not mention HIPAA at all.
Henry Schein Practice Solutions, Inc. (2016)
Curiously, the FTC has not limited itself to consent orders. Earlier this year it reached a $250,000 monetary settlement, its first in this line of cases, together with a 20-year consent order (with annual, rather than biennial, compliance reporting) with Henry Schein Practice Solutions, Inc., a dental practice software provider. According to the FTC, Henry Schein was investigated for deceptive business practices because the company falsely advertised that its product used industry-standard encryption. The data protection it actually used may still have allowed its customers to satisfy HIPAA's addressable encryption standard, but it did not meet NIST's recommendations, which are also the benchmark HHS points to for rendering ePHI unreadable under the breach notification rule. The agreement is noteworthy because "the settlement raises the prospect that the FTC may consider related claims of HIPAA compliance as deceptive if encryption does not meet NIST standards."
LabMD, Inc. (2016)
Currently, industry watchers are most concerned with the FTC's attempts to expand its powers. LabMD, a now defunct medical testing lab, was solicited by a data security firm after that firm found a LabMD file containing patient information exposed on a peer-to-peer file-sharing network. LabMD turned down the business solicitation, and the data security firm turned the matter over to the FTC. After an investigation, LabMD refused to settle and the case went to trial before an administrative law judge. The judge dismissed the case, finding that the FTC had not proved the patient information was actually accessed by anyone other than the security firm. Earlier this summer the full Commission reversed the judge's decision, reinstating the case on the reasoning that LabMD's security failures were likely to cause substantial harm even without proof of misuse.
The FTC has gone from supporting dual OCR HIPAA enforcement actions to enforcing what amounts to the Security Rule without mentioning HIPAA. It has added monetary settlements to its usual consent orders, and it recently expanded its reach by reversing one of its own administrative law judges. This is a peculiar environment for covered entities and business associates, because the rules appear to be changing around them.
Agency watchers expect that the FTC may come under scrutiny for unilaterally expanding its powers. In the meantime, covered entities and business associates should ensure not only that they comply with HIPAA, but also that the statements in their marketing materials and privacy notices accurately describe the security they actually provide, so that they do not draw the ire of the FTC.
Download our e-guide, What You Need to Know About Ransomware and HIPAA Compliance, to get more insight into specific HIPAA regulations impacting covered entities and business associates.