
Healthcare cyber summer sizzle
As summer temperatures reach records, so do HHS and FTC cyber enforcement initiatives.
The Federal Trade Commission (FTC), which is tasked with protecting consumers, continued its data privacy and security enforcement streak in June – this time with an added twist – the first case to focus on genetic information. On
- Left sensitive genetic and health data unsecured,
- Deceived consumers about their ability to get their data deleted, and
- Retroactively changed its privacy policy without adequately notifying consumers or obtaining their consent, after the company had already collected the data.
The key takeaways from the proposed settlement and the FTC press announcement include notable items that compliance officers, executive teams and boards should heed:
- According to Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, “[c]ompanies that try to change the rules of the game by re-writing their privacy policy are on notice [because] [t]he FTC Act prohibits companies from unilaterally applying material privacy policy changes to previously collected data.”
- Strengthen genetic information protections.
- Instruct third-party contract laboratories to destroy all consumer DNA samples that have been retained for more than 180 days.
In sum, companies that handle individually identifiable health information (IIHI) should ensure that they adhere to the HIPAA and NIST technical, administrative, and physical safeguards that protect the security of consumer data. They should also keep privacy intact: do not tout the confidentiality and disclosure practices for such data as compliant when they are not, and obtain the appropriate authorizations and consent. Cultivating a culture of compliance is critical, and the use of IIHI for remunerative purposes and/or its wrongful disclosure is on the FTC's radar.
Similarly, 
In closing, even though the FTC Act does not expressly mention compliance with the HIPAA Privacy Rule, the HIPAA Security Rule or the Genetic Information Non-Disclosure Act (GINA), companies should consider utilizing the resources available on the HHS website to cultivate a culture of compliance and mitigate liability in the long run.
Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases.