Regulatory double jeopardy? FTC enforcement of privacy and security in healthcare

How should health care companies strengthen their HIPAA compliance programs to manage the risk of a potential FTC investigation?

While the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) intensifies its enforcement of the Health Insurance Portability and Accountability Act (HIPAA), covered entities and business associates may well find the Federal Trade Commission (FTC) knocking at their door. The FTC takes the position that Congress granted it broad powers to regulate unfair and deceptive practices under Section 5 of the FTC Act, including concurrent jurisdiction over the privacy and security practices of companies regulated under HIPAA.

The FTC has a history of working in parallel with OCR to investigate security practices. The agencies began coordinating efforts in 2009 and 2010 with the investigations into the health information disposal practices of CVS Caremark and Rite Aid. Both pharmacy chains entered into a consent decree with the FTC under the FTC Act and a resolution agreement with HHS under HIPAA.

Contributing Author

Amy S. Leopard

Amy S. Leopard is a partner in the Health Care Practice Group at Bradley Arant Boult Cummings LLP (Nashville, Tenn.) where she co-chairs the...
