Huge news in HIPAA compliance came this week as the Federal Trade Commission ruled that entities covered under HIPAA may also be subject to FTC enforcement over their data security practices. In the LabMD case, the FTC unanimously rejected a motion to dismiss its complaint against a medical testing lab accused of mishandling patient information in two breaches that affected about 10,000 patients. The case is a strong reminder that “compliant” doesn’t necessarily mean “secure,” or vice versa: HIPAA compliance does not shield a covered entity from a separate unfair-practices action under the FTC Act. Health IT Security reports that after the long legal battle, LabMD is winding down operations.
FTC Rules HIPAA Not a Barrier to Security Enforcement from FierceHealthIT: “Entities covered under the Health Insurance Portability and Accountability Act also may be subject to security enforcement by the Federal Trade Commission, the latter confirmed with a unanimous ruling against a medical testing laboratory that mishandled patient information. The case dates back to last summer, when the FTC filed a complaint against Atlanta-based LabMD for two separate privacy breaches -- one that occurred in 2008 and one that took place in 2012 -- that impacted a total of roughly 10,000 patients. LabMD, in turn, claimed that FTC was overstepping its statutory authority because the company was a covered entity under HIPAA. FTC, however, disagreed, voting 4-0 on Jan. 16 to reject the company's motion, Bloomberg BNA reported. In the ruling, FTC said that LabMD had misinterpreted "the Commission's expressions of support for legislation relating to data security," and called LabMD's arguments "unpersuasive." "Contrary to LabMD's contention, Congress has never enacted any legislation that, expressly or by implication, forecloses the Commission from challenging data security measures that it has reason to believe are 'unfair … acts or practices,'" FTC said. "LabMD relies on numerous 'targeted statutes' that Congress has enacted in recent years 'specifically delegating' to the Commission or to other agencies 'statutory authority over data-security' in certain narrower fields. But LabMD has not identified a single provision in any of these statutes that expressly withdraws any authority from the Commission. [N]othing in HIPAA or in HHS's rules negates the Commission's authority to enforce the FTC Act."”
Who's in Charge of HIPAA Enforcement? from Healthcare IT News: “The recent FTC decision in the LabMD case has HIPAA-watchers scratching their heads, tugging their beards, and generally wondering about reconciling FTC-style litigation-based regulation with OCR-style rule-based regulation of health care data privacy and security. The FTC has confirmed that it considers itself to have overlapping jurisdiction to enforce HIPAA under its general enabling legislation. The FTC does not have specific rules in place in this area, and is not likely to promulgate rules (it has rules in place for PHR breach notification, under the HITECH Act, but that is outside of HIPAA jurisdiction). The FTC regulates unfair acts or practices by filing complaints and dealing with violations of its basic statute on a case-by-case basis. It is not unreasonable for the FTC to assert that it has overlapping jurisdiction with OCR jurisdiction under HIPAA. Fines under the FTC Act are limited to $16,000 per violation (as opposed to the maximum fine of $1.5 million under HIPAA).”
LabMD Winds Down Operations After FTC Motion Rejection from Health IT Security: “After numerous attempts to assert that the Federal Trade Commission (FTC) didn’t have the necessary authority to take data security enforcement action against it after a breach, LabMD is throwing in the proverbial white towel and will wind down operations. Referencing the high costs of litigation, President and CEO Michael J. Daugherty announced that he has been forced to wind down operations at his Atlanta, GA, medical facility, LabMD. The announcement follows the January 16 FTC 4-0 vote to reject LabMD’s motion to dismiss the FTC’s August complaint against the medical testing facility. Daugherty posted the news in his blog and argued that the FTC’s practices were arbitrary and unfounded.”
HIPAA Hinders Patients’ Wish to Share Online Health Records with Care Partners, report says from Medical Economics: “Elderly or chronically ill patients may want family and friends to have access to their health records, but physicians’ offices run into the legal problem of keeping those records secure. According to a report in the January 22/29 Journal of the American Medical Association (JAMA), privacy and security regulations aren’t keeping up with the convergence of technology and an increased emphasis on care coordination. Patients often want to share clinical information with care partners. In a survey of more than 18,000 patients, 79% want to share information with someone outside of the healthcare team, and almost half want to share information with someone who doesn’t live with them. JAMA identified these people as care partners—not necessarily day-to-day caregivers, but spouses, relatives, and friends who help the patient with healthcare decisions.”
Advice to mHealth Advocates: Don't Look at HIPAA as a Barrier from mHealth News: “Among other provisions, the new HIPAA rules expand the definition of a data breach and demand that healthcare organizations gather more detailed authorizations to release patient information. Patient data breaches will also be more financially painful, with healthcare organizations incurring up to $1.5 million in the most egregious cases. To avoid potential fines, liability or damage to their hard-earned reputations, healthcare providers can take steps to ensure their mobile devices do not become a weak link in the privacy chain. The easiest and most effective step to protect patient data is to ensure their solutions provide HIPAA-compliant document capture, transmission and storage capabilities without requiring any physical patient data to reside on a mobile device. The most advanced technologies can enable providers to create an “electronic envelope” around patient data that contains all requested documents needed for medical record reviews via scanned images, print captures, screen captures and imported files, ensuring secure access to useful patient information anytime or anywhere it is needed.”
If you need more information about HIPAA compliance and how IT can help your health care organization get it right, watch our recent webinar "HIPAA Risk Assessments: What You Need to Know," or contact us for help.
Logan Solutions is the health care technology company with a clinician's perspective. We provide clinical documentation expertise to customers using Dragon Medical with eClinicalWorks and other electronic medical record systems. Contact us to learn how our clinical and technological expertise can help your practice with Dragon Medical software and training, HIPAA compliance tools and EMR consulting.