• 5 Tips to Prevent Harm to Your Consumer

  • Data breaches involving sensitive personal information may result in identity theft and financial crimes (e.g., health-care fraud, credit card fraud, phone or utilities fraud, bank fraud, mortgage fraud, employment related fraud, government documents or benefits fraud, and loan fraud). Identity theft involves the misuse of any identifying information, which could include names, social security numbers, account numbers, passwords, or other information linked to an individual. According to the Federal Trade Commission (FTC), identity theft is the most common complaint from consumers in all 50 states. With the continued media reports of data security breaches, concerns about new cases of identity theft are widespread.

    While the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) intensifies its enforcement of the Health Insurance Portability and Accountability Act (HIPAA), covered entities and business associates may find the Federal Trade Commission (FTC) knocking at their door. The FTC’s position is that Congress granted it broad powers to regulate unfair and deceptive practices under Section 5 of the FTC Act (http://www.federalreserve.gov/boarddocs/supmanual/cch/ftca.pdf), including concurrent jurisdiction over the privacy and security practices of covered entities and companies that handle Protected Health Information (PHI) and are regulated under HIPAA.

    The FTC and the OCR have a history together. They have conducted parallel investigations into security practices, and their coordinated, dual-agency investigations can be seen in cases such as CVS Caremark and Rite Aid. Both pharmacies entered into consent decrees with the FTC under the FTC Act and a resolution agreement with HHS under HIPAA for the improper disposal of protected health information (PHI).

    In an investigation of a hospital billing company, Accretive Health, Inc., considered a HIPAA business associate, the FTC independently investigated the company for the alleged failure to adequately safeguard laptops used by a health care transcription contractor. The order stated that the provider’s lack of diligence in monitoring the offshore contractor’s encryption and typist authentication, together with its statement that it was “HIPAA compliant,” constituted unfair or deceptive practices. This independent investigation resulted in a 20-year consent order requiring a biennial security assessment by an external auditor.

    Given the FTC’s track record of investigations in HIPAA-related cases, with or without the OCR, covered entities and any health care related companies should review and strengthen their HIPAA compliance programs. Here are some tips:

    • Be clear in all patient communications, such as your Notice of Privacy Practices and website privacy notices. Communicate thoroughly about the protections you provide for individually identifiable health information, so that your communications do not misrepresent those protections or overpromise; either could be seen as deceptive to a consumer.
    • A must under HIPAA is meeting the security requirements: a current risk analysis and risk management process that identify potential risks and vulnerabilities. Other HIPAA standards that have drawn recent enforcement interest are media disposal, workforce privacy and security training, disaster recovery, and technical safeguards for access control.
    • HIPAA security safeguards that are currently deemed “addressable” still require implementation unless it can be documented and proven how the risk the safeguard addresses is otherwise mitigated. Documentation must be present showing why the addressable measure is not a reasonable and appropriate choice for your organization from a consumer perspective.
    • Conduct complete and thorough due diligence on every Business Associate (BA) contractor before releasing protected health information. In my consulting practice, I recommend that my clients obtain a copy of the BA’s annual risk assessment and a certificate of their liability insurance coverage.
    • Be prepared to respond to a breach. These events are typically stressful and fast-paced. Amidst the immediate need to analyze and report the breach, identify effective remediation strategies that address the specific risks that affect consumers, and mitigate those risks to lessen the harm to the consumer. Both the FTC and the OCR have used their enforcement authority where notice and remediation were untimely or lacking and where the breach was a recurring one due to a lack of follow-through.

    The FTC, like the OCR, provides consumer guidance regarding patient rights on its website: http://www.consumer.ftc.gov/articles/0171-medical-identity-theft

    Using its authority under the Safeguards Rule, the FTC has brought a number of enforcement actions to address failures to provide reasonable and appropriate security for consumer information.

    Judith Lindsay, CEO of JAL, tackles the elements of the compliance puzzle, successfully assisting organizations to make sense of it all by implementing the correct policies and procedures that are reasonable and appropriate for each entity. Judith is available for training, speaking engagements and consultations. To read more about the world of compliance, visit JAL’s new website www.jalconsultantsaz.com or connect on Twitter @judithconsult
