On January 31, 2014, the Federal Trade Commission (FTC) announced its proposed settlement with GMR Transcription Services, Inc. (GMR) and its two principal owners. This was the third time within a month that the FTC issued a decision or announced a settlement on charges that a Health Insurance Portability and Accountability Act (HIPAA) covered entity or business associate provided inadequate data security. These cases provide reminders of the continuing expansion of data privacy and security enforcement.
The FTC charged GMR and its two principal owners with failing to provide reasonable and appropriate security to protect personal information in audio and transcript files and with making false or misleading representations that they implemented reasonable and appropriate security measures. The FTC’s January 31, 2014 press release and related documents are available at http://www.ftc.gov/news-events/press-releases/2014/01/provider-medical-transcript-services-settles-ftc-charges-it.
GMR acted in the role of a business associate to its covered entity customers. Because the conduct referenced in the complaint occurred prior to the September 23, 2013 compliance date for the HIPAA Omnibus Rule, which extended most of the HIPAA Rules to business associates, GMR was not subject to enforcement by the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services for violations of the Security Rule. The FTC’s role in the GMR case could therefore be viewed as plugging a gap in HIPAA enforcement.
Two recent cases, however, suggest a more expansive FTC role in regulating healthcare data privacy and security practices. The FTC announced the GMR settlement just 15 days after asserting authority to regulate data security practices of HIPAA covered entities, and a month after the FTC and Accretive Health, Inc. settled FTC charges of inadequate security.
On January 16, 2014, the FTC denied the motion of LabMD, Inc., a provider of medical laboratory tests, to dismiss the FTC’s administrative complaint alleging that LabMD violated the FTC Act by failing to provide reasonable and appropriate security for personal information on its networks. The primary issue in the LabMD decision was whether the FTC has authority to regulate the data security practices of a covered entity that is also subject to the HIPAA Rules. While acknowledging that it does not have authority to enforce the HIPAA Rules, the FTC found that it has broad authority to define and proscribe unfair acts or practices, including those involving data security activities, and that HIPAA does not strip the FTC of this authority over covered entities. The LabMD decision is unlikely to be the last word on the scope of the FTC’s authority, as two cases (including one filed by LabMD) challenging the FTC’s authority to regulate data security are pending in federal courts.
The FTC’s recent healthcare data security prosecutions have been based on the theory that failure to employ reasonable and appropriate measures to protect electronic protected health information (ePHI) or other sensitive personal information against unauthorized access is an unfair or deceptive act or practice in violation of Section 5(a) of the FTC Act. The lack of FTC data security regulations creates uncertainty regarding the standards for a data security violation of Section 5(a). LabMD raised this issue in its motion to dismiss, but the FTC responded that it has authority to develop standards on a case-by-case basis.
The FTC described general data security standards in the proposed GMR consent order and in the statement of basic principles it issued to mark the GMR settlement as its 50th data security settlement. The elements of the comprehensive information security program required under the proposed GMR consent order are generally similar to the administrative, technical, and physical safeguards required under the Security Rule, although the FTC has not issued specific guidance on how those elements are to be met. It remains to be seen how and to what extent the FTC and OCR will coordinate their enforcement activities, as well as how the FTC will apply data privacy and security standards to covered entities and business associates.
Covered entities and business associates face increasing levels of scrutiny from an expanding universe of security and privacy enforcers, including not only OCR (see our Alert at http://www.mcdonaldhopkins.com/alerts/healthcare-data-privacy-and-cybersecurity-a-surge-in-healthcare-data-breaches), but also the FTC and state attorneys general, as well as plaintiffs’ attorneys waiting in the wings to file class action lawsuits. The potential role of state enforcement is illustrated by the California Attorney General’s complaint filed on January 24, 2014 alleging that Kaiser Foundation Health Plan, Inc. waited too long to notify individuals that their personal information had been breached.
Compliance with the HIPAA Rules is a challenge for covered entities and business associates alike. Moreover, HIPAA enforcement and penalties are expected to increase with the HIPAA Omnibus Rule firmly in place and the extension of HIPAA obligations to business associates. The emergence of the FTC and other potential healthcare data security regulators creates additional potential exposure and uncertainty for covered entities and business associates. For example, compliance with the HIPAA Rules or other guidance from OCR might not foreclose a challenge from the FTC or a state attorney general.