Medical practices, healthcare providers, and their business associates may now face a double jeopardy threat, because the Federal Trade Commission (FTC) has asserted its authority to prosecute data breaches by entities that are already subject to HIPAA regulation (see our previous blog post). The FTC ruling makes it possible for a single breach of patient information to be treated both as a violation of the HIPAA rules and as a violation of the FTC Act, which could lead to separate investigations by the FTC and by the Department of Health & Human Services Office for Civil Rights (OCR). Because each agency has the power to levy its own penalties, a healthcare provider can be penalized twice for the same incident.
Complicating the situation is the FTC’s lack of formal guidance that medical practices could use to develop specific compliance procedures. We can only hope that specific FTC guidance will be forthcoming, or that the FTC and OCR will find a way to cooperate on this issue. Until then, medical practices and their business associates must take steps to protect themselves.
For the time being, the best advice for medical practices is to build a strong patient information security program, with policies and procedures based on the HIPAA regulations, and to document it. Medical practices and healthcare business associates that have implemented and documented a thorough risk analysis, specific breach prevention and breach notification policies and procedures, and a comprehensive staff training program, and that have confirmed their own business associates have done the same, are generally considered unlikely to run afoul of either OCR or the FTC.
If you’re looking for a medical answering and messaging service that is 100% HIPAA compliant, give us a call. All MedConnectUSA operators are HIPAA trained, and our services are HIPAA compliant and HITECH secure.