The FTC stated: "Congress has never enacted any legislation that, expressly or by implication, forecloses the Commission from challenging data security measures that it has reason to believe are 'unfair...acts or practices.'" They also stated: "companies may well be obligated to ensure their data security practices comply with both HIPAA and the FTC Act. But so long as the requirements of those statutes do not conflict with one another, a party cannot plausibly assert that, because it complies with one of these laws, it is free to violate the other."
The "failure to employ reasonable and appropriate measures to prevent unauthorized access to personal information" violated the agency's regulations. The ruling provides a closer look at the FTC's rationale for its authority over health data security. Many believed health data security was only regulated by HIPAA under the Health and Human Services Office of Civil Rights. But according to Kirk Nahra, a partner with Wiley Rein, the ruling is "significant" because "the FTC is saying that everyone regulated by HIPAA has to worry about us too."
- Federal Trade Commission
The FTC claims the lab "Did not use readily available measures to prevent and detect unauthorized access to personal information." One readily available method to detect unauthorized access, even by authorized users, is low-cost on-demand SaaS analytics services.
Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.

Sources:
(a) FTC Affirms Data Security Authority Over HIPAA-Covered Entities - www.iHealthBeat.org, 01/29/2014