HealthBlawg

David Harlow's Health Care Law Blog


HIPAA Enforcement: Who's in Charge?

January 29, 2014

The recent FTC decision in the LabMD case (pdf) (full docket here) has HIPAA-watchers scratching their heads, tugging their beards, and generally wondering about reconciling FTC-style litigation-based regulation with OCR-style rule-based regulation of health care data privacy and security. The FTC has confirmed that it considers itself to have overlapping jurisdiction to enforce HIPAA under its general enabling legislation. 

Here's my take: For a covered entity or business associate that has all its ducks in a row – HIPAA Privacy, Security and (for Covered Entities) Breach Notification policies and procedures, a completed risk analysis, training and testing of workforce documented – FTC regulation should not be problematic. I think that the FTC would be hard-pressed to find an entity that is in compliance with HHS HIPAA rules and relevant state law to be in violation of the FTC Act’s prohibition of “unfair … acts or practices.”


The FTC does not have specific rules in place in this area, and is not likely to promulgate rules (it has rules in place for PHR breach notification, under the HITECH Act, but that is outside of HIPAA jurisdiction). The FTC regulates unfair acts or practices by filing complaints and dealing with violations of its basic statute on a case-by-case basis. It is not unreasonable for the FTC to assert that its jurisdiction overlaps with OCR's jurisdiction under HIPAA. Fines under the FTC Act are limited to $16,000 per violation (as opposed to the maximum fine of $1.5 million under HIPAA).

The FTC asserting jurisdiction should be of concern for entities subject to HIPAA that are not in compliance with HIPAA – like LabMD in this case.

Ultimately, however, the question arises: What would the FTC do in any particular case that OCR would not already do? If both are actively enforcing HIPAA, then I would conclude: not much.

The same question arose when state attorneys general were given permission under HITECH to enforce HIPAA. State AGs and the OCR often came up with parallel enforcement plans, so the value of the added enforcement agency appears to be limited. Of course, this may change over time if OCR enforcement scales back, the office is defunded, etc. In such a scenario, the federales may conclude that double-teaming the bad guys wasn't such a bad idea after all.

Bottom line: Comply with the rules, rather than worrying about who has the authority to nail you when you don't.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Photo: flickr cc san_drino

Filed Under: FTC, Health care policy, Health Law, HIPAA, ONC, Privacy, Security


Comments

  1. David Harlow says

    March 22, 2014 at 9:06 am

    For more on this story see iHealthBeat: http://j.mp/1gL0E9V

    The FTC can keep its hooks in regulated entities for a long time; OCR can impose long-term compliance agreements with monitoring as well.

    The Secret Service has recently thrown its hat in the ring of HIPAA enforcement, too. See: http://j.mp/1glU7rp Join the party, boys!

Copyright © 2006–2023
HealthBlawg is a publication of The Harlow Group LLC. See Copyright notice and disclaimer.
Fair use with attribution and a link is encouraged. Click for more on David Harlow.