With the FTC recently releasing guidance on how HIPAA covered entities must adhere to the FTC Act in addition to HIPAA regulations, it is essential for healthcare organizations to be aware of the potential consequences of failing to do so.
When organizations collect and share individuals' information, including PHI and PII, they must take the necessary precautions. A failure to do so could result in an OCR HIPAA settlement, or even an enforcement action from the FTC.
For example, the FTC ruled in a case earlier this summer that medical testing laboratory LabMD failed to employ proper data security measures to protect the sensitive consumer information it collected.
McGuireWoods partner Nathan Kottkamp told HealthITSecurity.com that, from a compliance standpoint, it is not clear whether the FTC actually has jurisdiction over HIPAA covered entities.
“The question is, are they really going to enforce it or should they be deferring?” Kottkamp asked. “Do they have authority? Probably. Should they have authority if the OCR under HHS expressly has the authority?”
Kottkamp added that the FTC's position on LabMD specifically is "pretty scary for the industry." Essentially, the message is that the magnitude of an incident is perhaps as important as, if not more important than, actual exposure and harm.
“Essentially what [the FTC] did is, they said, ‘You had this massive breach or this vulnerability. We have no way of knowing whether or not anyone was actually harmed in any way or affected in any meaningful way by that situation,’” said Kottkamp.
Under the LabMD standard, at least as of today, Kottkamp observed, the FTC's position would be that such a situation is actionable. HIPAA regulations, on the other hand, would say, 'Unless you have reason to believe that there was actual compromise of the information, you don't treat it as a breach.'
Healthcare data security implications of the LabMD case
Kottkamp suggested that should LabMD prevail in its appeal, healthcare entities could potentially be more aggressive in their HIPAA risk analysis process.
The HIPAA Omnibus Rule changed the breach notification process.
“It used to be that you did a risk analysis to evaluate whether or not, among other things, there was a risk of harm as a result of the incident to the affected individuals,” Kottkamp explained. “Congress is very concerned, or at least certain members of Congress were concerned, that that created a situation in which it was the fox guarding the henhouse.”
Now there is essentially a presumption that organizations need to provide notification unless they can determine that there was a low risk of compromise, he added.
“The biggest impact that I can see from LabMD prevailing on that, is just a more meaningful use of harm back into that standard. It was expressly dropped, but functionally it's probably still there,” Kottkamp stated. “And that would be validation of that concept.”
Are there ‘unreasonable’ data security practices?
HIPAA is an interesting law when it comes to data privacy and security, according to Kottkamp. But at the end of the day, it is a remarkably timeless piece of legislation.
“When you look at the Security Rule, which is the rule that addresses electronic data security issues, HIPAA takes what they call flexibility of approach,” he explained. “There are a bunch of things that you have to ensure that you're addressing, but they're more benchmarks and guideposts as opposed to instructions about how to do things.”
Kottkamp suggested that this was done because the law's authors recognized full well that it would be difficult to create a single set of standards applicable to both large and small providers. Furthermore, technology changes so fast that it was important for the Rules not to be immediately out of date.
“They created this set of standards that you have to address certain concepts, but they don't expressly define exactly how it is you go about doing that,” Kottkamp stated.
In terms of healthcare data encryption, Kottkamp noted that it was important to remember that HIPAA does not strictly require it. Under the Security Rule, encryption is an "addressable" implementation specification: a covered entity must either implement it where reasonable and appropriate, or document why it is not and put an equivalent alternative measure in place.
“As encryption becomes much, much easier to install on devices and integrate into software, that's another one where you look at what the industries are doing and you'd say sooner or later we're going to say that you have to have it and it's unreasonable not to,” he stated. “We're not quite there yet.”
HIPAA is a set of standards that is evolving along with technological development in the industry, Kottkamp said. However, it is very difficult at the moment to define definitively which data security practices are reasonable and which are unreasonable.
Different healthcare organizations will also have different data security needs, he added. However, certain practices can be easily recognized as “unreasonable.”
For example, a medium-sized healthcare organization might have all employees use the same login password. That might be an easy approach, but it would make auditing extremely difficult, because the audit trail could not attribute any action to an individual.
“You have no idea which of the dozen people in the office was the one that went in and stole data, because they're all using the same password,” he said.
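The following is an added example, not code from the article or from any organization it mentions, showing the two sides of the shared-password problem Kottkamp describes: a simple heuristic that flags an account as shared when it has overlapping sessions on more than one workstation (something one person cannot produce), and an attribution step that shows why a shared account leaves every person who knows the password as a suspect. The audit-log format, account names, workstation names and roster are all constructed for illustration.

```python
"""Flag shared logins in an audit trail and show the attribution problem they create.

Added example, not from the article. The log format (timestamp, account,
source host, action), the account and host names, and the roster are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log: one event per line.
SAMPLE_LOG = """\
2014-08-04T09:00:12 clinic-shared ws-01 login
2014-08-04T09:01:40 clinic-shared ws-07 login
2014-08-04T09:02:05 clinic-shared ws-03 login
2014-08-04T09:15:33 clinic-shared ws-07 export_patient_records
2014-08-04T09:20:10 jsmith ws-12 login
2014-08-04T09:25:44 jsmith ws-12 view_patient_record
2014-08-04T13:05:00 jsmith ws-12 logout
2014-08-04T13:30:00 jsmith ws-12 login
"""

# Assumed roster: the people who know each account's password.
ROSTER = {
    "clinic-shared": {"alice", "bob", "carol", "dave"},
    "jsmith": {"jsmith"},
}


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host, action = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "account": account,
            "host": host,
            "action": action,
        })
    return events


def shared_credential_accounts(events):
    """Return {account: hosts} for accounts that had open sessions on more
    than one host at the same time. A single person at one workstation
    cannot do that, so it is a strong indicator of a shared password."""
    active = defaultdict(set)    # account -> hosts with an open session
    flagged = defaultdict(set)   # account -> hosts seen during the overlap
    for e in sorted(events, key=lambda ev: ev["ts"]):
        acct, host = e["account"], e["host"]
        if e["action"] == "login":
            active[acct].add(host)
            if len(active[acct]) > 1:
                flagged[acct] |= set(active[acct])
        elif e["action"] == "logout":
            active[acct].discard(host)
    return dict(flagged)


def attribute(event, roster):
    """Who could have performed this event? With a personal account the
    answer is one name; with a shared account it is everyone who knows
    the password, so the audit trail cannot single anyone out."""
    return sorted(roster.get(event["account"], set()))


def attribution_report(events, roster):
    """Map each data-access event (ISO timestamp, action) to its candidate actors."""
    report = {}
    for e in events:
        if e["action"] in ("login", "logout"):
            continue
        report[(e["ts"].isoformat(), e["action"])] = attribute(e, roster)
    return report


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("Accounts with overlapping multi-host sessions:", shared_credential_accounts(evs))
    for key, who in attribution_report(evs, ROSTER).items():
        print(key, "->", who)
```

In the constructed log the shared clinic account is flagged from three workstations, and the record export performed under it has four possible actors, while the personal account's activity is attributable to exactly one person. The heuristic is deliberately conservative: it only fires on overlapping sessions across hosts, so a single person moving between workstations and logging out each time is not flagged.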
Many data security measures, though, come down to a 'you know it when you see it' approach, according to Kottkamp.
“There is a lot of industry guidance, and you certainly can find best practices,” he said. “But the best practices are not the same as those being legal standards either.”