Providers beware! HIPAA is not the only law that requires adequate security safeguards for patient information. In today’s mobile environment, companies constantly obtain and exchange patient-identifiable information, including health-related information. Historically, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) required healthcare providers to implement administrative, physical and technical safeguards to protect the security of patients’ identifiable information related to their healthcare needs. HIPAA has been the floor for the safeguards that must be implemented to protect patient information. When a healthcare provider fails to comply with HIPAA, the Office for Civil Rights may impose fines and penalties, which recently increased to $1.5 million.
Now, in 2014, the government’s enforcement authority for security protections has expanded. On January 16, 2014, the Federal Trade Commission (“FTC”) found that it had the authority to penalize a company that failed to implement acceptable security safeguards (In the Matter of LabMD, Inc., Docket No. 9357). Specifically, the FTC filed an action against LabMD, Inc. (“LabMD”) regarding its insufficient data security practices. LabMD conducted lab tests and electronically transmitted the results to patients and providers. The FTC claimed that a software program on a billing manager’s computer engaged in peer-to-peer file sharing, and that LabMD failed to implement readily available safeguards that would have prevented data breaches. The FTC claimed that LabMD’s security safeguards did not adequately protect patient information and put patients’ information at risk of identity theft and disclosure of sensitive information. Because the lack of security safeguards jeopardized the privacy and security of patient health information, the FTC contended that this was an unfair act or practice under the FTC Act.
LabMD claimed that the FTC lacked authority to enforce security requirements because the FTC Act does not specifically refer to data security practices. Likewise, LabMD claimed that Congress did not authorize the FTC to enforce data security matters. However, the FTC found that it had broad powers under its authority to take action on “unfair” practices, and that this included data security measures. Specifically, the FTC found that it had authority to address practices that “caused or was likely to cause substantial injury to consumers that was not reasonably avoidable by consumers and was not outweighed by countervailing benefits to consumers or competition”. The Commission also commented that Congress has repeatedly directed the FTC to address data security protections for the public.
In addition to the claims that the FTC lacked authority, LabMD claimed that HIPAA preempted the FTC laws. However, because the laws did not conflict, the FTC found that it could pursue enforcement actions against companies for failure to implement adequate security measures in pursuit of protecting consumers. Moreover, the FTC also found that even though it had not promulgated any security rules, its claims addressed LabMD’s negligence in its acts and omissions. Therefore, the FTC found that it did not have to set forth specific security safeguard requirements in order to claim that LabMD’s security safeguards were inadequate.
Ultimately, the FTC denied LabMD’s Motion to Dismiss the Complaint and found that the FTC maintained authority to hold businesses accountable for inadequate security practices that cause or are likely to cause substantial injury to consumers, where that injury cannot be avoided by the consumer and is not outweighed by the benefits to consumers or competition. In light of this holding, healthcare providers must ensure that their security safeguards are adequate. HIPAA requires healthcare providers to address some of the recommended security safeguards, and in other instances healthcare providers are required to implement some form of a safeguard. For example, encryption is not required by HIPAA, but it is a safeguard that should be considered and addressed by the provider. If the costs of encryption protection (i.e. expense and slowing of the computer system) outweigh the benefits of maintaining encryption on data at rest and in transmission, the healthcare provider is not required to implement encryption protections under HIPAA. However, in light of the FTC’s findings, it is possible that the FTC may claim that, because encryption is readily available to healthcare providers, failure to implement encryption is an inadequate safeguard that would subject the healthcare provider to an enforcement action by the FTC. Because the HIPAA Rules and the FTC rules do not prescriptively define every technical safeguard that should be implemented, healthcare providers should engage in continuous reviews of their technology to avoid any applications that pose a risk of unauthorized use or disclosure of protected health information. Finally, when healthcare providers are evaluating security safeguards, the new standard may be interpreted to require providers to determine whether there are reasonable, readily available security safeguards that could be implemented to avoid substantial injury to patients, even if the safeguard is not specifically required by the regulations.