Washington Debrief: FTC May Review, Penalize for HIPAA Data Violations

January 27, 2014
Jeff Smith, Director of Public Policy at CHIME

Hospitals, Physicians May Be Subject to Broader Penalties for Data Breaches

Key Takeaway: A unanimous Federal Trade Commission (FTC) ruling extends its authority over data security to include HIPAA covered entities. Historically, the role of the FTC has been to protect consumers and police unfair business practices.

Why it Matters: This ruling makes very real the possibility that hospitals and physicians who experience data breaches are subject to HIPAA enforcement actions, as well as penalties issued by the FTC.

Next Steps: CIOs should reexamine their formal data security compliance program(s) to ensure that, should the FTC investigate a breach, CIOs can demonstrate that they have taken a reasonable approach to securing consumer data.

Rare is the moment that the Washington Debrief turns its gaze to what goes on inside the courtroom (especially when Obamacare is not on the docket). But last week, the Federal Trade Commission (FTC) issued a ruling that has direct implications for two court cases – and likely will have implications for healthcare CIOs everywhere.

In a ruling issued last week (re LabMD, Inc., FTC, No. 9357, 1/16/14), FTC officials said their enforcement authority under the FTC Act doesn’t conflict with HIPAA, and that covered entities “may well be obligated to ensure their data security practices comply with both HIPAA and the FTC Act.” The FTC also said that “so long as the requirements of those statutes do not conflict with one another, a party cannot plausibly assert that, because it complies with one of these laws, it is free to violate the other.” Lawyers familiar with the case said the decision was not unexpected, though it is problematic because there is no formal FTC guidance from which companies, health care or otherwise, can determine whether their data security efforts comply with the FTC Act.

Administration

National Rollout of FDA Data Sharing Network Put on Hold

Key Takeaway: FDA officials have put the rollout of a national data infrastructure for healthcare research on hold; meanwhile the Institute of Medicine is investigating how to broadly share clinical trial data for research.

Why it Matters: Several initiatives, from FDA to ONC to the Patient-Centered Outcomes Research Institute, are working to develop a nationwide, digital infrastructure for healthcare research. This delay may give policymakers an opportunity to look more holistically at health surveillance and safety efforts, giving them a chance to align disparate programs.

Officials from the FDA announced last week that plans to develop the agency’s Sentinel program – which collects post-market surveillance data on drugs, biologics and medical devices – into a nationwide network are on hold. Officials say they need to better understand how to bridge information gaps between the Sentinel program and data projects led by other organizations like the Patient-Centered Outcomes Research Institute (PCORI).

Meanwhile, the Institute of Medicine (IOM) has issued a discussion framework to share clinical trial data. “Sharing these data more broadly -- while respecting research participants and their privacy -- could facilitate new analyses, provide a deeper understanding of therapies and ultimately provide a sounder basis for clinical care,” the report states.

A national network to aid health researchers and clinicians alike holds great promise, but it is unclear if policymakers understand the socio-technical difficulty of such efforts.

Legislation & Politics

State Medical Boards Get Senate Nod for Removing Telehealth Barriers

Key Takeaway: A bipartisan group of 14 senators sent a letter to the Federation of State Medical Boards (FSMB) lauding its efforts to address licensing barriers for physicians who practice telemedicine.
