Healthcare News & Insights

Another PHI security regulator for hospitals to worry about

Hospitals now have one more government agency scrutinizing their security operations — the Federal Trade Commission (FTC). 

The FTC may start putting hospitals’ protected health information (PHI) security under the microscope. And the hospitals that fail to meet the FTC’s security standards could face even worse consequences than those for violating HIPAA’s Security Rule regulations.

So how did the FTC get involved with policing health data security?

Another regulator

It all comes back to their priority to take action against businesses in any industry that fail to protect consumer data.

The trouble started when the FTC filed a complaint against LabMD, a HIPAA-protected medical laboratory. LabMD had two security breaches that affected 10,000 patient records. The complaint faulted the facility for not taking proper security measures to fully protect their health data.

LabMD immediately spoke up and asked that the complaint be dropped because the FTC’s actions clashed with HIPAA security regulations and were an “abuse of government power.”

The commission disagreed. They noted that there was no HIPAA regulation or Congressional act in place that would limit “the Commission’s authority over ‘unfair’ data security practices…”

The decision means that, for the first time, hospitals will have to be wary of the FTC as a data security enforcer with its own set of rules and standards to follow.

Joint enforcers

For the most part, the FTC has a lot of the same motives and interests for pursuing security risks as the Department of Health and Human Services (HHS). Some security industry professionals believe that the agencies are more likely to collaborate on future actions rather than clash with each other going after the same target.

In fact, there’s already some precedent for the two working together. In 2010, the agencies worked together in a lawsuit against Rite Aid which was settled for $1 million.

However, the methods each agency will use to enforce their regulations have separate rules and stipulations. For example: HIPAA has a much higher limit for its fines than the FTC. HIPAA violators can pay up to $1.5 million, whereas the FTC’s fines are limited to $16,000 per violation.

The real threat from the FTC isn’t from its fines — it’s the corrective measures it can order for violators — like privacy audits. In the past, the FTC has ordered that privacy audits be performed on firms for 20 years.

In the long run, this could be an even more costly punishment than HIPAA’s huge fines, and not just because hospitals would have to pay a third party to conduct those audits each year. Twenty years is a long time to be under the government’s microscope without making a mistake.

Also troublesome: The FTC doesn’t use a standardized set of rules to guide enforcement like HIPAA. Instead, the agency works on a case-by-case basis which makes it harder to be fully safe against FTC action.

Staying protected

There’s still a chance that the FTC’s authority will be challenged in court and dialed back some, but that could just be wishful thinking.

But there is some good news. Despite a small possibility of the FTC going after an otherwise HIPAA-compliant facility, hospitals that stay on the right side of HIPAA won’t have much to worry about from the FTC.

Hospitals should continue their efforts to secure their PHI and electronic health records (EHR) wherever possible, and do their best to stay compliant with Security Rule regulations. Administrators should also take advantage of some of the new tools HHS has released to help hospitals conduct thorough security risk assessments at their own pace.
