Security ruling could spell double trouble for hospital CIOs

As if data breaches weren't already painful enough for hospital CIOs with the new HIPAA rules, now it appears that government regulation may not end with the Office for Civil Rights.

The Federal Trade Commission last month rejected the argument of Atlanta-based medical testing laboratory LabMD that the company was not subject to FTC security enforcement because it already was considered a covered entity under the Health Insurance Portability and Accountability Act. That means you could be dinged by both OCR and the FTC for a data breach.

Just how concerned should you be about this double threat? FierceHealthIT spoke exclusively with Jeff Smith, director of federal relations for the College of Healthcare Information Management Executives, and health attorney David Harlow to get a sense of what providers are up against.

"I think the FTC is going to become a more active player where enforcement is concerned," Smith told FierceHealthIT via email. "The FTC is already active in monitoring mobile application marketing practices in healthcare [and] medical identity theft, and the case in question underscores their intentions to flex their muscle where information and data security compliance is concerned."

Still, Smith said he believes that the FTC will play "second fiddle" to OCR and HIPAA. "I anticipate the FTC will be more visible where HIPAA violations appear to be more egregious," he said.

What's more, according to Harlow (a FierceHealthIT Editorial Advisory Board member and author of the HealthBlawg), punitive costs to covered entities from the FTC likely wouldn't come close to what OCR can levy. Fines under the FTC, he said in an email to FierceHealthIT, are limited to $16,000, while a maximum fine under HIPAA can run as high as $1.5 million.

Harlow said that a more interesting question to answer might be, "What would the FTC do in any particular case that OCR" wouldn't?

"The same question arose when state attorneys general were given permission under HITECH to enforce HIPAA," he said. "State AGs and the OCR often came up with parallel enforcement plans, so the value of the added enforcement agency appears limited. Of course, this may change over time if OCR enforcement scales back or the office is defunded."

Harlow added that covered entities and business associates that have all their ducks in a row needn't worry about the regulation. "FTC would be hard-pressed to find an entity in compliance with HIPAA and relevant state laws, [but] in violation of the FTC Act's prohibition of 'unfair … acts or practices,'" he said.

Smith, however, said CHIME will be watching for, and fighting against, that situation.

Despite smaller penalties and a potential "second-fiddle" status, providers would be wise not to take the FTC's role in security enforcement lightly. As Harlow noted, the FTC's role could always increase.

Besides, the stink associated with dual regulatory fines for a privacy violation likely would be a tough one to shake. - Dan @FierceHealthIT