While the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) intensifies its enforcement of the Health Insurance Portability and Accountability Act (HIPAA), covered entities and business associates may well find the Federal Trade Commission (FTC) knocking at their door. The FTC takes the position that Congress granted it broad powers to regulate unfair and deceptive practices under Section 5 of the FTC Act, including concurrent jurisdiction over the privacy and security practices of companies regulated under HIPAA.
The FTC has a history of working in parallel with OCR to investigate security practices. The agencies began coordinating efforts in 2009 and 2010 with the investigations into the health information disposal practices of CVS Caremark and Rite Aid. Both pharmacy chains entered into a consent decree with the FTC under the FTC Act and a resolution agreement with HHS under HIPAA.