Who’s Enforcing HIPAA?

The Federal Trade Commission’s (FTC) insistence that it has the authority to take enforcement action over data security breaches by HIPAA-covered entities has some people crying foul. We tweeted about this issue a few weeks ago when the FTC first stuck its thumb in the HIPAA pie, but it’s worth taking a closer look at the problem and its potential repercussions for doctors, dentists and clinics, as well as medical call centers and other business associates.

HIPAA falls under the jurisdiction of the Department of Health & Human Services which polices compliance through its Office of Civil Rights (OCR). However, the FTC, which is responsible for protecting consumers and policing unfair business practices, is now asserting that its authority over data security gives it enforcement jurisdiction over HIPAA data breaches. (Click here to read iHealthBeat’s informative and concise explanation of the FTC case that started the brouhaha.)

The issue of who’s in charge of enforcing healthcare data security is too new to have started an interagency jurisdiction battle, but it may come down to that. At this point, the overlap in jurisdictions means medical practitioners are being forced to serve two masters, complying with both HIPAA and the FTC Act. This not only threatens to seriously complicate and confuse the process of HIPAA compliance; the two agencies’ very different enforcement styles also raise the stakes for anyone found to be out of compliance.

For medical professionals used to OCR’s rule-based style of regulation, the FTC’s litigation-based approach is intimidating. Complicating the issue is the fact that while OCR has taken pains to carefully spell out HIPAA compliance standards and procedures, the FTC provides no such guidance. Healthcare providers have no way of knowing whether their data security measures comply with the FTC Act. To call the situation problematic is an understatement.