FTC pursuing HIPAA violations as a matter of consumer protection

By Linda Tucci, Senior News Writer
09 Sep 2009 | SearchCompliance.com


The Federal Trade Commission's recent case against CVS Caremark Corp.'s allegedly cavalier handling of sensitive personal medical information rested on the pharmacy chain's boastful claims to the contrary. For hospitals and other health organizations, the case holds a wealth of lessons and unleashes a posse of new enforcers in the fight to protect medical information.

"The FTC stepping in signals a shift in how HIPAA is going to be enforced, and it is being driven by an agency that cares very much about identity theft," said Paul Proctor, an analyst at Stamford, Conn.-based Gartner Inc.

Earlier this year CVS Caremark Corp., parent company of the nation's largest pharmacy chain, agreed to settle Federal Trade Commission (FTC) charges that it failed to take "reasonable and appropriate measures to protect sensitive financial and medical information of its customers and employees, in violation of federal laws."

Among the stipulations of the settlement: CVS must undergo an independent audit every two years for the next 20 years to ensure its security program meets the standards of the order. In tandem with the FTC's investigation of CVS, the U.S. Department of Health and Human Services (HHS) pursued its own investigation of the company's pharmacy chain for violations of the Health Insurance Portability and Accountability Act (HIPAA), exacting a $2.25 million fine to resolve the allegations. The final settlement agreement went into effect in June.

The multimillion-dollar penalty -- the largest amount for HIPAA violations to date -- carried the headlines. The bigger news for HIPAA-covered entities and their business associates, risk analyst Ian Glazer said, is that the sensitive information contained in medical records is fair game for the FTC.

"What the FTC said is, 'We are going to pursue HIPAA-related situations as a matter of consumer protection,'" said Glazer, who covers compliance at Midvale, Utah-based Burton Group Inc. "The FTC has a more proven, sharper track record when it comes to these kinds of consumer issues and demonstrated a willingness to go after organizations and seek damages.

"The CVS Caremark case was a shot across the industry bow, saying, 'We're here and we're back and we're kind of pissed off and we're coming after you,'" he said.

Consumer protection acts to bear on HIPAA violations

The double-barreled investigation of CVS followed media reports in 2006 that its pharmacies were dumping trash into open dumpsters that included pill bottles with patient names, addresses and personal physicians' names; medication instruction sheets with personal information; computer order information with consumers' personal information; employment applications with Social Security numbers; payroll information and credit card and insurance card information, some with driver's license numbers.

Given the contents of the CVS trash, the FTC complaints against the chain are hardly surprising: failure to implement reasonable policies and procedures to dispose securely of personal information, inadequate training of employees, failure to assess compliance with its own security policies and practices for handling sensitive information.

Less obvious is the FTC's charge that CVS Caremark engaged in "deceptive" trade practices through claims such as, "CVS/Pharmacy wants you to know that nothing is more central to our operations than maintaining the privacy of your health information." Because CVS allegedly failed to protect this sensitive information, the FTC said, the practices were "unfair" to consumers.

By invoking the Consumer Protection Act to go after CVS's alleged security lapses, the FTC's case unleashes a brigade of new HIPAA enforcers, according to Donna A. Boswell and Sara A. Kraner, attorneys at Washington, D.C.-based Hogan & Hartson LLP, in a July 20 article, "HIPAA and hospitals' privacy enforcement options."

Among the changes to HIPAA under the American Recovery and Reinvestment Act is the authorization of state attorneys general to enforce and seek damages for HIPAA violations.

"To the extent that state attorneys general had any doubt about how this enforcement authority might work under their existing authority, the FTC's consent order in the CVS Caremark case pretty clearly signals how they might proceed," wrote Kraner and Boswell.

Review HIPAA "Notice of Privacy Practices"

CVS, of course, is not alone in making such claims. Many organizations, including hospitals, choose to augment the legalistic and potentially off-putting mandatory privacy content and disclaimers in the Notice of Privacy Practices required under HIPAA with more consumer-friendly language.

Thus, in addition to the many other lessons of the case against CVS, the FTC's course of action should also prompt hospitals and other covered entities to pay particular attention to any marketing verbiage ("elective content") added to the privacy notice that could expose their organizations under the Consumer Protection Act.

Gartner's Proctor said asking corporate counsel to review marketing language for legal exposure might be just the vehicle for shaping up security and HIPAA compliance programs. "I'm liking this," he said. "If you are forced to ask general counsel if 'We have a great security and privacy program' is dangerous language, general counsel in turn might just ask what kind of security and privacy program is in place."

Candy Alexander, chief information security officer at Long Term Care Partners LLC, an insurance and medical benefits administrator for federal employees, said the FTC case against CVS underscores a truism many organizations overlook: that security "is not a technology solution."

"You can't take care of security by just having antivirus and audit controls," she said. "You have to make sure that people really understand the security processes and that the right processes are in place. It's the proverbial three-legged stool of people, processes and technology.

"And shame on us for having these regulations at all," Alexander said. "Security is a condition of doing business."
