Thursday, January 30, 2014

FTC Data Security Authority Over HIPAA-Covered Entities

A September 2013 blog post covered the original Federal Trade Commission (FTC) claim about a lab failing to protect data on 9,000 patients. On January 16, 2014, the FTC ruled to reject the lab's argument that the FTC's enforcement action conflicts with health information security regulations under HIPAA.

The FTC stated "Congress has never enacted any legislation that, expressly or by implication, forecloses the Commission from challenging data security measures that it has reason to believe are 'unfair...acts or practices.'" They also stated "companies may well be obligated to ensure their data security practices comply with both HIPAA and the FTC Act. But so long as the requirements of those statutes do not conflict with one another, a party cannot plausibly assert that, because it complies with one of these laws, it is free to violate the other."

The "failure to employ reasonable and appropriate measures to prevent unauthorized access to personal information" violated the agency's regulations.
- Federal Trade Commission

The ruling provides a closer look at the FTC's rationale for its authority over health data security. Many believed health data security was only regulated by HIPAA under the Health and Human Services Office of Civil Rights. But according to Kirk Nahra, a partner with Wiley Rein, the ruling is "significant" because "the FTC is saying that everyone regulated by HIPAA has to worry about us too."

The FTC claims the lab "did not use readily available measures to prevent and detect unauthorized access to personal information." One readily available method to detect unauthorized access, even by authorized users, is a low-cost, on-demand SaaS analytics service.

Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.

Sources:
(a) FTC Affirms Data Security Authority Over HIPAA-Covered Entities - www.iHealthBeat.org, 01/29/2014

Copyright © 2010-2017 by Veriphyr Incorporated, All Rights Reserved.

Contact us at Veriphyr.com.