Policy & Law

HIPAA Enforcement: Who’s in Charge?

David Harlow
David Harlow
0 Min Read

The recent Headscratch flickr cc san_drino

The recent FTC decision in the LabMD case (pdf) (full docket here) has HIPAA-watchers scratching their heads, tugging their beards, and generally wondering about reconciling FTC-style litigation-based regulation with OCR-style rule-based regulation of health care data privacy and security.

Here’s my take: For a covered entity or business associate that has all its ducks in a row – HIPAA Privacy, Security and (for Covered Entities) Breach Notification policies and procedures, a completed risk analysis, training and testing of workforce documented – FTC regulation should not be problematic. I think that the FTC would be hard-pressed to find an entity that is in compliance with HHS HIPAA rules and relevant state law to be in violation of the FTC Act’s prohibition of “unfair … acts or practices.”

The FTC does not have specific rules in place in this area, and is not likely to promulgate rules (it has rules in place for PHR breach notification, under the HITECH Act, but that is outside of HIPAA jurisdiction). The FTC regulates unfair acts or practices by filing complaints and dealing with violations of its basic statute on a case-by-case basis. It is not unreasonable for the FTC to assert that it has overlapping jurisdiction with OCR jurisdiction under HIPAA. Fines under the FTC Act are limited to $16,000 per violation (as opposed to the maximum fine of $1.5 million under HIPAA).

More Read

How Correctional Facilities Are ‘Walking the Line’ Toward Healthcare Cost Improvement
The Link Between Patient Satisfaction and Long-Lasting Relationships
Spike in E-Cigarette Popularity Spells New Health Threat for 2018
Bariatric Surgery Linked to Reduced Risk of Cardiovascular Death
Nursing Student Skills: All You Need to Know

The FTC asserting jurisdiction should be of concern for entities subject to HIPAA that are not in compliance with HIPAA – like LabMD in this case.

Ultimately, however, the question arises: What would the FTC do in any particular case that OCR would not already do? If both are actively enforcing HIPAA, then I would conclude: not much.

The same question arose when state attorneys general were given permission under HITECH to enforce HIPAA violations.  State AGs and the OCR often came up with parallel enforcement plans, so the value of the added enforcement agency appears to be limited. Of course, this may change over time if OCR enforcement scales back, the office is defunded, etc. In such a scenario, the federales may conclude that double-teaming the bad guys wasn’t such a bad idea after all.

Bottom line: Comply with the rules, rather than worrying about who has the authority to nail you when you don’t.

Photo: flickr cc san_drino

TAGGED:
Share This Article

Stay Connected

Latest News

Do You Grind Your Teeth at Night? Here’s How Night Guards and TMJ Treatments Can Help
Do You Grind Your Teeth at Night? Here’s How Night Guards and TMJ Treatments Can Help
Dental health
The Secret To A Confident Smile: Top Tips For Better Teeth
The Secret To A Confident Smile: Top Tips For Better Teeth
Dental health
Clinical Expertise
Building Smarter Care Teams: Aligning Roles, Structure, and Clinical Expertise
Health care
Grounded Healing: A Natural Ally for Sustainable Healthcare Systems
Grounded Healing: A Natural Ally for Sustainable Healthcare Systems
Health

You Might also Like