Those who dwell in the world of health care privacy and security know well that the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) is the federal agency that issues the regulations, provides guidance and ultimately enforces the complex requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH). But we also know, as citizens of the 21st century, that privacy and security concerns extend far beyond insurance claims and the health records in our doctors’ offices. With every new smartphone we indulge in, every online purchase we make, every retail loyalty program for which we register, we share valuable chunks and tidbits of data about ourselves that can now be used to tell others far more about us than we would ever have dreamed possible, or would desire. The internet and the astounding connectivity of so many devices, both consumer and commercial, allow extremely private and sensitive information to be accessed by parties we do not know and cannot imagine, to our benefit and to our detriment.
While HIPAA addresses the privacy and security of health-related information maintained by a “covered entity”, there is no federal statute that addresses the totality of information available about us, sometimes known as “big data”, and no federal agency designated by law to monitor internet data security and enforce against bad actors. Technology has once again outpaced the law. However, the Federal Trade Commission (FTC) has stepped into this void, citing its broad powers under Section 5 of the FTC Act and bringing enforcement actions against nearly 50 companies since 2000 for “unfair” or “deceptive” acts and practices. The FTC has partnered with HHS in enforcement actions in the health care industry, including those against Rite Aid Corporation and CVS Caremark Corporation. The FTC is also proceeding on its own in a wide variety of industries where companies allegedly made certain promises about customer data but acted inconsistently with those promises. This activity by the FTC is receiving a great deal of attention and has prompted us at the Wyatt HITECH Law blog to begin dedicating a portion of our coverage to it, to the extent that it relates to the privacy and security of health information.
Although the FTC began its enforcement efforts respecting the collection of data via internet activity over a decade ago, it has stepped up those efforts significantly in the past few years. Under the mantle of “deceptive” acts or practices, the FTC has settled cases with Google (two, in fact), Facebook, Myspace and others, alleging that those companies deceived customers by promising to keep their data confidential but failing to do so. “Unfair” commercial practices have been pursued by the FTC where conduct causes, or is likely to cause, substantial harm to consumers that they cannot reasonably avoid, and where that harm is not outweighed by countervailing benefits to consumers or competition. In privacy and security cases, the FTC has taken action under this theory against companies that fail to provide reasonable data security, including the Wyndham hotel chain, LexisNexis and Twitter.
The FTC now is broadening its focus from individual companies that collect personal data, to “big data” collected from many sources and combined into huge data sets, often by data brokers, and made available to many entities for a wide variety of uses, from weather forecasting to product development to targeted advertising. Big data is collected by social media, mobile apps, commercial enterprises with whom we conduct business, and importantly, from the “internet of things”.
The “internet of things” is a term given to all the smart appliances and devices we now own that connect to the internet. Smartphones, home security systems, cars with built-in tire pressure monitors (or that can even drive themselves), and health-related devices like implanted heart monitors and blood sugar monitors are all everyday devices that communicate with one another, with the companies that designed them, and with third parties. They provide an astounding amount of information about us, especially when combined. A 2000 study by Harvard privacy expert Latanya Sweeney showed that, in spite of widely hailed anonymization techniques, about 87% of the U.S. population could be uniquely identified from just three data points: gender, full date of birth and five-digit ZIP code. These “quasi-identifiers” are not secret on their own; the danger is that a data set stripped of names can be linked, record by record, to a public data set that still carries them. Identification is likely much easier now, nearly fourteen years later, given the burgeoning of the internet of things.
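To make the Sweeney point concrete, here is an added example (not from the original post, and not Sweeney's own code or data) that links a constructed, name-free set of lab results to a constructed public register on exactly those three quasi-identifiers, then shows what coarsening the fields and suppressing rare combinations (the standard k-anonymity remedy) does and does not fix. All names, dates, ZIP codes and diagnoses are made up for illustration.

```python
"""Re-identification by linking quasi-identifiers, and a k-anonymity check.

Added example; every record below is constructed and fictional.
"""
from collections import Counter

# "De-identified" lab results: names removed, but sex, date of birth and
# 5-digit ZIP kept. (constructed)
MEDICAL = [
    {"sex": "F", "dob": "1965-03-12", "zip": "02138", "diagnosis": "hypertension"},
    {"sex": "M", "dob": "1971-11-02", "zip": "02138", "diagnosis": "asthma"},
    {"sex": "F", "dob": "1965-03-12", "zip": "02139", "diagnosis": "diabetes"},
    {"sex": "M", "dob": "1971-11-02", "zip": "02138", "diagnosis": "migraine"},
    {"sex": "F", "dob": "1988-07-30", "zip": "30301", "diagnosis": "anemia"},
]

# Public register that carries names alongside the same three fields,
# the way a voter roll does. (constructed)
VOTERS = [
    {"name": "Alice Adams", "sex": "F", "dob": "1965-03-12", "zip": "02138"},
    {"name": "Bob Brown",   "sex": "M", "dob": "1971-11-02", "zip": "02138"},
    {"name": "Carol Chen",  "sex": "F", "dob": "1965-03-12", "zip": "02139"},
    {"name": "Dan Diaz",    "sex": "M", "dob": "1971-11-02", "zip": "02138"},
    {"name": "Eve Evans",   "sex": "F", "dob": "1988-07-30", "zip": "30301"},
    {"name": "Frank Ford",  "sex": "M", "dob": "1990-01-01", "zip": "02138"},
]


def full_key(rec):
    """Exact quasi-identifier triple: sex, full date of birth, 5-digit ZIP."""
    return (rec["sex"], rec["dob"], rec["zip"])


def generalized_key(rec):
    """Coarsened triple: sex, birth year only, first three ZIP digits."""
    return (rec["sex"], rec["dob"][:4], rec["zip"][:3])


def link(medical, public, key=full_key):
    """Join the two sets on the quasi-identifier key.

    A medical record is re-identified when its key occurs once on the
    medical side and matches exactly one named public record.
    Returns {medical_index: name} for those records.
    """
    med_counts = Counter(key(r) for r in medical)
    by_key = {}
    for p in public:
        by_key.setdefault(key(p), []).append(p["name"])
    hits = {}
    for i, r in enumerate(medical):
        names = by_key.get(key(r), [])
        if med_counts[key(r)] == 1 and len(names) == 1:
            hits[i] = names[0]
    return hits


def k_anonymity(records, key=full_key):
    """Size of the smallest equivalence class: each record shares its key
    with at least k-1 others. k == 1 means some record is unique."""
    return min(Counter(key(r) for r in records).values())


def k_anonymize(records, k, key=generalized_key):
    """Generalize the quasi-identifiers, then suppress (drop) any record
    whose generalized key is shared by fewer than k records."""
    counts = Counter(key(r) for r in records)
    return [r for r in records if counts[key(r)] >= k]


if __name__ == "__main__":
    print("exact keys, k =", k_anonymity(MEDICAL))
    print("re-identified:", link(MEDICAL, VOTERS))
    # Generalizing alone is not enough: the lone Atlanta record stays unique.
    print("generalized only:", link(MEDICAL, VOTERS, key=generalized_key))
    safe = k_anonymize(MEDICAL, k=2)
    print("generalized + suppressed, k =", k_anonymity(safe, key=generalized_key))
    print("re-identified after k-anonymization:", link(safe, VOTERS, key=generalized_key))
```

With the exact triple, three of the five "anonymous" records resolve to a single name; the two Cambridge men share a key and are protected only by that coincidence. Coarsening date of birth to a year and ZIP to three digits still leaves the Atlanta record unique, which is why k-anonymization suppresses small equivalence classes rather than relying on generalization alone. Real releases also have to consider the fourth and fifth columns an attacker can bring, which is the point of the 87% figure.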
To help guide businesses and policymakers concerned about protecting consumer privacy, and to signal that it is serious in its efforts, the FTC has taken several steps beyond the enforcement efforts described above. The FTC has created a Division of Privacy and Identity Protection to focus on this issue. Privacy expert Latanya Sweeney was named the FTC’s chief technologist in November 2013, signaling the agency’s interest in the possibilities and limits of de-identification of data collected from consumers. The FTC has posted many articles about the security of mobile apps on its website, as it sees these as an area particularly fraught with risk. Finally, in March 2012 the FTC issued a report entitled “Protecting Consumer Privacy in an Era of Rapid Change”, which describes best practices for companies, including privacy by design, simplified choice for consumers, and greater transparency. The report also calls for federal legislation to establish baseline privacy and data security standards and to address the transparency of data brokers.
The FTC has indicated it is particularly interested in the privacy of “sensitive personal information,” such as geolocation data and health information. The March 2012 report discusses these categories, and recent comments by FTC personnel have reinforced the point. A significant case currently pending in federal court, brought by the FTC, involves the private identifying information of approximately 9,000 customers of Atlanta medical testing company LabMD. This information was found in a file on a peer-to-peer (P2P) file sharing network; as the FTC investigated where the file had come from, it traced some of the data back to LabMD and issued a Civil Investigative Demand (CID) to the company for information about its security measures. In addition to defending its security practices, LabMD has objected to the FTC’s authority to issue the CID in the first place, on the ground that the FTC’s enforcement actions in the area of information security rest on neither legislation nor executive action addressing privacy, and that its authority under the unfairness prong of the FTC Act is insufficient. Rather, LabMD argues, in matters of data security it is regulated exclusively by HHS under HIPAA. Given the FTC’s history of enforcement in this area and the lack of federal data security legislation, the health care industry is watching this case closely.
Every time there’s a news report of a data breach, we realize that our sphere of personal cyber privacy and security may be getting smaller by the day. Federal regulators are aware of this too, and until Congress acts otherwise, it appears the FTC is likely to be an active player in trying to keep the new frontier safe. With the recognition that nothing is more private, and potentially can cause more harm, than leaked information about our health, expect this subject area to remain at the forefront of cyber security efforts by the FTC, in all kinds of app(lication)s.