As summer temperatures reach records, so do HHS and FTC cyber enforcement initiatives.
The Federal Trade Commission (FTC), which is tasked with protecting consumers, continued its data privacy and security enforcement streak in June – this time with an added twist – the first case to focus on genetic information. On June 16, the FTC announced that it had charged 1Health.io f/k/a Vitagene with privacy and security deficiencies for failing to do the following:
The key take-aways from the proposed settlement and FTC press announcement include notable items that compliance officers, executive teams and boards should heed:
In sum, companies that handle individually identifiable health information (IIHI) should ensure that they adhere to HIPAA and NIST technical, administrative, and physical safeguards to protect the security of consumers’ data. They should also keep privacy intact by not representing their handling of the confidentiality and disclosure of such data as compliant when it is not, and by obtaining the appropriate authorizations and consent before using or disclosing it. Cultivating a culture of compliance is critical, and the use of IIHI for remunerative purposes and/or its wrongful disclosure is on the FTC’s radar.
Similarly, in June 2023 the U.S. Department of Health and Human Services (HHS) reached a $240,000 settlement with MultiCare Yakima Valley Hospital for the actions of several guards employed by the third-party security firm it utilized. The settlement involves a series of wrongful accesses of patients’ protected health information (PHI) by 23 security guards who “snooped” through the electronic health records of 419 patients treated in the emergency room between 2016 and 2017. Although HHS launched an investigation into the incident in 2018, it took nearly five years to settle. Readers should take note that “snooping” through patient medical records can lead to criminal HIPAA violations, even if there is no downstream remuneration.
In closing, even though the FTC Act does not expressly mention compliance with the HIPAA Privacy Rule and Security Rule or the Genetic Information Non-Disclosure Act (GINA), companies should consider utilizing the resources available on the HHS website to cultivate a culture of compliance and thereby mitigate liability in the long run.
Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases.