On March 22, 2016, the FTC called for Congress to pass legislation to deter fraud and medical identity theft in the rapidly growing health IT sector. This suggested legislation is likely the swan song of FTC Commissioner Julie Brill, who will resign from her position at the end of the month. The FTC has been very aggressive in using its existing authority to initiate enforcement actions regarding data security breaches and related privacy and security issues, but it is now calling for legislation that will strengthen its ability to protect consumers’ privacy by seeking civil penalties for all data security and breach notification violations “in appropriate circumstances.”
In support of such legislation, Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, presented testimony before the House Oversight and Government Reform Subcommittees on Information Technology and Health, Benefits, and Administrative Rules, in which she outlined the FTC’s current efforts to protect consumers’ medical data in an increasingly digitized health industry. According to the FTC, many of the entities involved in digitizing healthcare through consumer-facing health products and services are not covered by the Health Insurance Portability and Accountability Act (HIPAA). However, the FTC has been able to use Section 5 of the FTC Act, which prohibits certain unfair and deceptive practices, to attempt to regulate the data security practices of some of these entities.
The FTC highlighted multiple enforcement actions it has taken against companies that gather, use, and share consumers’ medical data outside of traditional healthcare situations. Specifically, the FTC has successfully prosecuted entities that give consumers’ medical data to third parties without their informed consent, that fail to maintain reasonable and appropriate data security practices, and that falsely represent that their data security practices are secure.
The FTC also outlined multiple initiatives it has utilized to strengthen privacy and data protection in the health IT sector through consumer and business education. These initiatives include an FTC-run website and blog on privacy and data protection, and a joint effort with the Food and Drug Administration, Office for Civil Rights, and Department of Health and Human Services to provide app developers with interactive tools to aid them in determining which federal laws apply to their health and fitness apps.
The FTC’s call for increased authority over health information privacy is consistent with its broader efforts in the area of consumer privacy protection. The FTC has attempted to increase public awareness of emerging data security and privacy risks, including by launching its “Start with Security” initiative and recently hosting PrivacyCon. In addition, the FTC has investigated or brought enforcement actions against a variety of firms, most notably technology companies, for endangering consumers’ privacy in violation of the FTC Act by, for example, installing potentially invasive mobile applications without consent, misusing sensitive personal information, and attempting to collect consumer data without adequate notice or consent.