Security Breaches May Lead to Charges of Consumer Law Violations

February 3, 2014 – In The News
Medical Practice Compliance Alert

Michael Kline and Elizabeth Litten were quoted in the Medical Practice Compliance Alert article “Security Breaches May Lead to Charges of Consumer Law Violations.” While the full text can be found in the February 3, 2014, Medical Practice Compliance Alert, a synopsis is noted below.

The loss of patient information can trigger not only investigations of HIPAA violations, but of breaches of federal or state consumer protection laws as well.

A medical billing company agreed to a settlement with the Federal Trade Commission (FTC) following the theft of a laptop containing information on 23,000 patients from an employee’s car.

The company has already paid $2.5 million to the state for HIPAA violations, and because it is a business associate, the theft has also triggered investigations of at least two of its client hospitals that were also found in violation of HIPAA, said Elizabeth Litten.

The FTC seems to prefer long-term corrective action plans, imposing a 20-year compliance program on the company, while the HHS’ Office for Civil Rights (OCR) tends to resolve HIPAA violations through voluntary compliance and resolution agreements, imposing corrective action plans of three to five years, according to Michael Kline.

A 20-year correction action plan is “extraordinary,” Kline says. “The cost of 20 years of compliance is monstrous. God forbid you make another mistake. And imagine how it affects your ability to operate to take other action, like merge.”

According to Kline, health care organizations should expect increased scrutiny from the FTC. “The FTC is trying to move into health care. It’s trying to expand its jurisdiction,” he says.

While the FTC is limited in that it deals only with interstate commerce, if a business associate of a company operates in more than one state and gets in trouble, even a company with its practice in one state may end up a part of the investigation.

“If your business associate does something bad, you’re in the soup,” Kline says.

A data breach could also trigger state investigations by attorneys general looking to enforce their states’ consumer protection laws. “This can be the springboard for states investigating consumer fraud,” Kline says.

“Once it’s known that you’ve taken one on the chin, others may come after you. And they can pick and choose the cases they want to pursue,” says Kline. “Don’t assume you’re only vulnerable to enforcement from one agency.”