There’s Another Sheriff in Town

Since the effective date of the Omnibus Rule in 2013, you may have been busily readying yourself for the new HIPAA compliance requirements. However, if compliance with the Omnibus Rule was your only focus, you may be surprised to discover they aren’t the only sheriff chasing down HIPAA violators. The Federal Trade Commission has recently reminded us all they also have jurisdiction over HIPAA, and they have their own set of compliance requirements you must contend with.

With the passage of the Omnibus Rule, many people thought we were now dealing with an updated, consolidated, and relatively concise body of laws and requirements. But recently, the FTC successfully took action against a healthcare laboratory for HIPAA violations they considered to be unfair acts or practices. The ruling went on to express the FTC’s belief that under Section 5 of the FTC Act, they have jurisdiction in such cases and intend to continue their enforcement activities.

There could be a number of reasons the FTC has chosen to reinforce their territorial rights now. To start with, the top HIPAA cop, the Office for Civil Rights, has recently had a turnover in senior leadership. Additionally, an OIG report in November of 2013 was highly critical of the existing enforcement efforts of the OCR, citing failures to conduct periodic audits and to consistently follow its own investigation procedures. To be fair to the OCR, the tasks they were asked to achieve, the budget they were given to do it with, and the time frame they were allotted would have challenged even the most efficient organization. Does a turf war exist, as some insiders have alleged? Does the FTC perceive a gap in HIPAA enforcement that they are capable of closing? Or is the FTC continuing to carry on consistently with previous enforcement efforts?

The Omnibus Rule was intended to update and consolidate multiple parts into a single law. It was intended to provide clear and distinct guidance on what the healthcare community needs to do to become and remain HIPAA compliant, and precisely what to do when events like breaches occur. However, the FTC was mentioned in the Omnibus Rule as an enforcement arm, they have a history of HIPAA enforcement, and they also have their own set of compliance guidelines, although theirs are not as easily definable. After all, a violation of “fair business practices”, as was cited in their recent case against LabMD, is an ambiguous legal concept.

We respect the rights and the jurisdiction of the FTC to enforce HIPAA and pursue violations. While it’s an added burden on the healthcare community to comply with multiple agencies for the same set of laws being applied from differing perspectives, it’s the reality of our current enforcement climate.

by Jeff Mongelli, CEO of Acentec, Inc.