FTC steps up protection of consumer health data

The agency is stepping into the gap to protect the privacy and security of information that’s now flowing through new products and services, with insufficient regard for safeguards, says one of its top officials.


The Federal Trade Commission has been taking a tougher regulatory stance on healthcare information technology in recent years, in an effort to protect the privacy and security of consumer health data. A senior FTC official told Congress on Tuesday that lawmakers can expect to see more of the same.

Jessica Rich, director of the FTC’s Bureau of Consumer Protection, warned House Oversight and Government Reform subcommittees that because consumers are taking a more active role in managing their health data through mobile apps and wearable devices, this information is being collected, used and shared outside of doctors’ offices and other traditional medical contexts, putting consumers at risk.

“Many of the entities creating these new consumer-facing products and services are not covered by HIPAA, which only provides protections for health information held or generated by certain covered entities—namely healthcare providers, health plans, and healthcare clearinghouses, and their business associates,” Rich testified. “The entities creating these new products are, however, within the FTC’s jurisdiction in most instances.”

As a result, she said the FTC has been stepping up efforts to protect the privacy and data security of consumer health information, leveraging its authority under Section 5 of the FTC Act—which prohibits unfair or deceptive practices, including in the area of health privacy—to bring enforcement actions against companies that fail to maintain reasonable and appropriate data security practices for consumer information, including health data.

Bradley Merrill Thompson, an attorney at Washington, D.C.-based law firm Epstein Becker Green who counsels medical device companies on regulatory issues, sees FTC efforts in this area as an attempt to fill in the gaps in the current regulatory system for mobile apps used for healthcare purposes. For example, Thompson says the FTC took notice that the Food and Drug Administration was not pursuing some app developers making products with dubious effectiveness claims for medical apps, and stepped in and picked up that responsibility.

“Who has access to all of this data? And, is it being stored securely?” asked Rich, who said those are the central questions the commission is concerned with from a privacy and security standpoint.

Among the FTC’s recent enforcement actions:

  • Settlement of a complaint alleging that medical billing company PaymentsMD deceived thousands of consumers who signed up for an online portal by failing to adequately inform them that the vendor would seek highly detailed medical information about them from pharmacies, medical labs and insurance companies.
  • Henry Schein, a dental practice management vendor, agreed to pay $250,000 to settle FTC charges that the company falsely advertised the level of encryption its software provided to protect patient data.
  • A settlement with GMR Transcription Services, which allegedly failed to implement reasonable and appropriate security measures, resulting in 15,000 files containing sensitive personal information—including consumers’ names, birthdates, and medical histories—being freely available on the Internet.

“FTC clearly perceives a gap in the privacy laws where health information is being held by organizations that don’t fall under HIPAA requirements,” remarks Thompson. “Some might resent what they feel to be an expansionist mission by FTC, but it’s actually hard to argue with the gaps they have identified. I think we can certainly take them at their word and expect more enforcement.”

However, not satisfied with its current regulatory authority, Rich told the House subcommittees that “additional tools” would enhance the FTC’s ability to protect consumers. “To this end, the Commission reiterates its longstanding bipartisan call for federal data security and breach legislation that would allow us to seek civil penalties to deter unlawful conduct and give us jurisdiction over non-profit entities,” she concluded.
