When companies experience a data breach involving Protected Health Information (PHI) and/or Personally Identifiable Information (PII), they can typically expect a call from the Office of Civil Rights and possibly an Attorney General or two. However, the Federal Trade Commission (FTC) has decided to join the fray, taking a more active role in data breach investigations. The FTC angle: the company’s failure to employ reasonable and appropriate measures to protect PHI and PII against unauthorized access is an unfair or deceptive act or practice.
On Dec. 31, 2013, Accretive Health, Inc. (Accretive), which provides medical billing and revenue management services to hospitals around the country, agreed to settle FTC charges that its inadequate data security measures exposed PHI and PII to a risk of theft or misuse.
Because of the services it provides, Accretive received a wealth of patient PII, including names, dates of birth and Social Security numbers, as well as PHI, in particular medical diagnosis information.
The FTC alleged that Accretive’s failure to adequately safeguard the PII and PHI resulted in a data breach when an Accretive employee’s laptop, containing PII and PHI of 23,000 patients, was stolen from the employee’s car. The FTC alleged that Accretive created unnecessary risks by transporting laptops that contained PII and PHI in a fashion that left them vulnerable to theft.
The FTC also alleged that Accretive failed to employ reasonable procedures designed to ensure that employees removed PII and PHI from their computers when there was no longer a business need to keep it. In certain instances, when the PHI was used in training sessions for employees, Accretive also failed to remove that information from employees’ computers after the training was finished. In addition, the FTC alleged that Accretive failed to adequately restrict employee access to PII and PHI based on an employee’s need for the information.
Pursuant to the terms of its settlement with the FTC, Accretive agreed to establish a comprehensive information security program designed to protect PII and PHI. The program must be evaluated initially and every two years by a certified third party. Moreover, these obligations will continue for 20 years.
The message is clear. Take a few minutes now to review your information security program to make certain that it is adequate. Employees should only have access to PII and PHI that is required for their jobs. When PII and PHI are no longer needed for a business purpose, this information should be properly destroyed. Failure to follow these steps could result in an unpleasant visit from the FTC.