Two recent settlements underscore the FTC's status as an enforcement agency with the power to enforce consumers’ rights in relation to their sensitive information.
When most people think of protected health information (PHI) and personally identifiable information (PII) in relation to the illicit sharing and tracking of data, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) springs to mind.
Although the Federal Trade Commission (FTC) has brought enforcement actions over data breaches and over statements about securing customers’ PHI in accordance with HIPAA (e.g., CVS (Feb. 18, 2009) and Henry Schein (May 23, 2016)), two recent settlements underscore its status as an enforcement agency with the power to enforce consumers’ rights in relation to their sensitive information. First, let’s step back to 2009, when the FTC’s Health Breach Notification Rule came on the scene. Specifically, 16 C.F.R. Part 318 provides:
The Rule requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information. In addition, if a service provider to one of these entities has a breach, it must notify the entity, which in turn must notify consumers. The Final Rule also specifies the timing, method, and content of notification, and in the case of certain breaches involving 500 or more people, requires notice to the media.
While it has some language similarities to the HIPAA Breach Notification Rule, it is not limited to covered entities, business associates, and subcontractors as defined in 45 C.F.R. 160.103. Also, the FTC’s enforcement authority is derived from Section 5 of the Federal Trade Commission Act of 1914, as amended. Two recent enforcement action settlements, which occurred between February and early March 2023, underscore its authority, and both are notable for distinct reasons:
In sum, these actions serve as somber reminders that the U.S. Department of Health and Human Services – Office for Civil Rights is not the only federal government agency with the authority to address privacy and security violations related to sensitive personal and health data. From a compliance standpoint, persons should ensure that the FTC Health Breach Notification Rule is covered in training, in policies and procedures, and in business associate agreements (BAAs).
Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases.