The U.S. Federal Trade Commission (FTC) Staff Report titled "Internet of Things: Privacy & Security in a Connected World," released in January 2015, continues to generate interest and questions about the regulation of health information within and beyond HIPAA. This article explores the intersection of HIPAA/HITECH and the increasing involvement of the FTC in enforcing privacy and security protections for health information.
HIPAA Regulation of Protected Health Information
HIPAA, together with the HITECH Act and their implementing regulations, standardizes the use and disclosure, privacy and security of protected health information (PHI). The HIPAA Privacy Rule governs uses and disclosures of PHI, specifying which are permitted and which are prohibited. The HIPAA Security Rule requires covered organizations to protect electronic PHI (ePHI) by implementing administrative, physical and technical "safeguards" in their information systems. The Breach Notification Rule requires the investigation of, and notification following, breaches of unsecured PHI. The U.S. Department of Health and Human Services (DHHS) enforces HIPAA and has both audit authority and the power to impose civil monetary penalties.
The HIPAA regulations apply to "covered entities," which include health care providers that transmit health information in electronic form in connection with HIPAA-covered transactions, health plans and health care clearinghouses. Since passage of the HITECH Act in 2009, HIPAA’s privacy, security and breach notification rules also apply directly to HIPAA "business associates" — independent contractors or agents of covered entities that create, receive, maintain or transmit PHI on behalf of a covered entity.
Furthermore, HIPAA’s and the HITECH Act’s requirements apply to specific categories of health information, namely PHI. PHI is information created or received by a health-related entity, such as a health care provider or an insurance company, that can be traced to a specific individual and that relates to the past, present or future health or condition of an individual; payment or insurance plan information of an individual; or treatment of an individual that is maintained or transmitted in any way by the entity.
What is noteworthy in today’s environment of interconnected health and medical information is the specific (and limited) scope of HIPAA. HIPAA regulates only information that qualifies as PHI, and only its use, disclosure, privacy and security in the hands of covered entities and business associates. The many kinds of health and medical data generated or shared by individuals and entities that are neither covered entities nor business associates fall outside that scope. Examples of non-HIPAA-regulated medical data include the following:
wellness tracking information created and shared by individual consumers
medical data sent to a person directly from his or her medical device
information sharing that is not with a health care provider, health plan or other covered entity
mobile medical applications used by consumers
exchange of health care information in the cloud.
For the myriad exchanges and sharing of individual health and medical information that do not "pass through" a health care provider or health plan, the uses, disclosures, privacy and security of that information fall outside the scope of HIPAA and, consequently, outside DHHS enforcement authority.
FTC and Privacy by Design
From a consumer protection perspective, however, the FTC uses its broad enforcement powers under the Federal Trade Commission Act (FTC Act), particularly section 5, which prohibits unfair or deceptive acts or practices in or affecting commerce.
Fundamental to privacy/security under U.S. federal legislation is the FTC concept of privacy/security by design. In March 2012, the FTC issued a report titled "Protecting Consumers’ Privacy in an Era of Rapid Change," which we analyzed in a June 2012 client alert titled "FTC Releases Final Report on Consumer Privacy Best Practices." This report has been a blueprint for legislation regulating consumer privacy/security. Key concepts of the FTC report include the following:
(1) "Privacy by Design"
promote privacy throughout the organization and at every stage of the development of products and services
delete consumer data that is no longer needed and allow consumers to do the same
provide reasonable security for data
limit collection of data (consistent with the context of a particular transaction)
implement reasonable data retention and disposal policies
maintain reasonable accuracy of data.
(2) Simplify Consumer Choice
provide consumer choice for any communications not related to the original transaction
"do not track" mechanisms allow consumers to control collection and use of their online data
certain choices require consumers to "opt in."
(3) Improve Transparency to Consumers
clearer and shorter privacy notices
provide access to consumers’ data
educate consumers about the company’s data privacy practices.
The FTC has used its enforcement powers to protect consumers from unfair and deceptive trade practices, including misrepresentations in privacy and data security policies (both online website policies and offline policies). The FTC has brought numerous enforcement actions against companies for failing to comply with their own privacy policies and for the unauthorized disclosure of personal data, including more than 130 spam and spyware cases, more than 40 general privacy lawsuits and more than 50 cases against companies whose unfair or deceptive practices put consumers’ personal data at unreasonable risk.1
FTC and the Internet of Things
In the FTC’s report "Internet of Things: Privacy & Security in a Connected World" (IoT Report), the FTC recommended steps that businesses can take to protect consumers’ privacy and security considering the ever-increasing number of Internet-connected devices. We analyzed the IoT Report in a March 2015 client alert titled "What Your TV Wouldn’t Tell You and Your Fridge Didn’t Know: FTC Best Practices for Consumer-Facing IoT Devices."
In discussing the benefits and risks of the Internet of Things, the IoT Report emphasized the benefits of health care–connected devices. The IoT Report cited examples of insulin and blood pressure monitors that enabled consumers to monitor their own vital health signs, without visiting a physician’s office, and noted the ability of patients to give to caregivers and relatives access to the information. One panelist noted:
connected health devices can "improve quality of life and safety by providing a richer source of data to the patient’s doctor for diagnosis and treatment[,] . . . improve disease prevention, making the healthcare system more efficient and driving costs down[,] . . . [and] provide an incredible wealth of data, revolutionizing medical research and allowing the medical community to better treat, and ultimately eradicate, diseases."
IoT Report at 7–8 (quoting Comment of Consumer Elec. Ass’n, #484 cmt #00027 at 16).
Although the IoT offers many important benefits, the IoT Report described the heightened security and privacy risks generated by the increased connectivity between devices and the Internet. The potential security risks to consumers include (1) enabling unauthorized access to and misuse of personal information, (2) facilitating attacks on other systems and (3) creating risks to personal safety.
Additionally, panelists noted that privacy risks with the IoT flow from the direct collection of personal information, financial information and precise geolocation and from the collection of personal information, habits, locations and physical conditions over time. By way of example, the IoT Report described a consumer’s use today of a fitness tracker for wellness-related purposes but noted the same data gathered by the device could later be used to price health or life insurance or to infer the user’s suitability for credit or employment. IoT Report at 16, n. 67.
The IoT Report summarized the FTC’s November 2013 workshop on the privacy and security concerns presented by the IoT, particularly how the Fair Information Practice Principles (FIPPs) of notice, choice, access, accuracy, data minimization, security and accountability should apply to the IoT. Many of the protections adopted by HIPAA are based on the FIPPs. The IoT Report sets forth the FTC’s recommended best practices in the areas of data security, data minimization and notice and choice for companies that develop and/or sell consumer-facing IoT devices.
The IoT Report recommends the following security best practices:
"security by design" — building security into devices at the outset, including (1) conducting privacy and security risk assessments, (2) minimizing data collected and (3) testing security measures before product launch
"culture of security" — personnel practices that promote good security, including training employees about the importance of security and ensuring that security is managed at an appropriate level in the organization
"third-party service providers" — ensure that, when outside service providers are hired, those providers are capable of maintaining reasonable security and provide reasonable oversight of the selected providers
"defense in depth strategy" — implement a strategy whereby multiple layers of security may be used to defend against a particular risk
"access control measures" — implement measures to keep unauthorized users from accessing a consumer’s device, data or personal information stored on the consumer’s network
"monitor products" — continue to monitor connected devices throughout their expected life cycles and, where feasible, provide security patches to cover known vulnerabilities.
The IoT Report also recommends that companies consider data minimization — limiting the collection of consumer data and retaining that information only for a set period of time. The IoT Report acknowledges the need for flexibility around new uses of data and notes that "these interests can and should be balanced with the interests in limiting the privacy and data security risks to consumers." IoT Report at 33, n. 137. Under the IoT Report’s recommendations, companies can choose to (1) collect no data, (2) collect only the categories of data required to provide the service offered by the device, (3) collect only less sensitive data or (4) de-identify the data collected. De-identification is not a one-time step: the methods for de-identifying data and the technologies available to re-identify it continue to evolve. A company that de-identifies data must do so effectively, keep current with those technological developments, commit not to re-identify the data and bind any third parties with whom it shares the de-identified data to the same commitment through enforceable agreements.
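The de-identification point above is where practitioners most often go wrong, so the following is an added illustration in Python; it is not part of the original alert or of the IoT Report. It shows why an unkeyed hash of a guessable identifier is not de-identification, why a keyed pseudonym is better but still re-identifiable by whoever holds the key (which is what the "commit not to re-identify" language addresses), and how generalizing quasi-identifiers yields a measurable property (k-anonymity) that can be re-checked as re-identification techniques improve. The records, names, ZIP codes, dates and the HMAC key are constructed for illustration and are not real data.

```python
"""Added example (not from the FTC report or the article): de-identification that can be
checked, shown on constructed sample records (no real data)."""
import hashlib
import hmac
from collections import Counter
from typing import Iterable, Optional

# Constructed sample records; the names, ZIP codes and dates are made up.
RECORDS = [
    {"name": "A. Rivera", "zip": "19103", "dob": "1984-03-12", "steps": 8213},
    {"name": "B. Chen",   "zip": "19104", "dob": "1986-11-02", "steps": 4410},
    {"name": "C. Okafor", "zip": "19106", "dob": "1981-07-30", "steps": 12050},
    {"name": "D. Patel",  "zip": "19001", "dob": "1975-01-15", "steps": 6700},
    {"name": "E. Novak",  "zip": "19002", "dob": "1972-09-09", "steps": 9900},
    {"name": "F. Silva",  "zip": "19107", "dob": "1988-05-21", "steps": 3120},
]

# Hypothetical key; in practice it lives in a KMS/HSM, never next to the data.
PSEUDONYM_KEY = b"example-key-do-not-use-in-production"


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256: looks opaque, but is a deterministic function of a guessable input."""
    return hashlib.sha256(value.encode()).hexdigest()


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Without the key, enumerating inputs does not help;
    with the key, the holder can re-identify, so key custody and policy still matter."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def reidentify_by_enumeration(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: hash every candidate input and compare. Works whenever the
    input space is small enough to enumerate (five-digit ZIPs are only 100,000 values)."""
    for candidate in candidates:
        if naive_hash(candidate) == digest:
            return candidate
    return None


def all_zip_codes() -> Iterable[str]:
    """Every syntactically valid five-digit ZIP code."""
    return (f"{i:05d}" for i in range(100_000))


def generalize(record: dict) -> dict:
    """Drop the direct identifier and coarsen quasi-identifiers: 3-digit ZIP prefix and
    birth decade instead of full ZIP and full date of birth."""
    return {
        "zip3": record["zip"][:3],
        "birth_decade": f"{int(record['dob'][:4]) // 10 * 10}s",
        "steps": record["steps"],
    }


def k_anonymity(records: list, quasi_ids: tuple) -> int:
    """Smallest number of records sharing one quasi-identifier combination.
    k == 1 means at least one person is unique on those attributes."""
    groups = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(groups.values())


if __name__ == "__main__":
    digest = naive_hash(RECORDS[0]["zip"])
    print("naive hash of ZIP recovered:", reidentify_by_enumeration(digest, all_zip_codes()))
    pseudo = pseudonymize(RECORDS[0]["zip"], PSEUDONYM_KEY)
    print("HMAC pseudonym recovered:", reidentify_by_enumeration(pseudo, all_zip_codes()))
    print("k on raw (zip, dob):", k_anonymity(RECORDS, ("zip", "dob")))
    generalized = [generalize(r) for r in RECORDS]
    print("k on generalized (zip3, decade):", k_anonymity(generalized, ("zip3", "birth_decade")))
```

Running it shows the unkeyed hash of a ZIP code recovered in well under a second by trying all 100,000 values, the HMAC pseudonym not recovered by the same enumeration, k = 1 on the raw quasi-identifiers and k = 2 after generalization. Whether k = 2 is acceptable depends on the data set and the threat model; the point is that the property is measurable and can be re-run as re-identification techniques improve, which is what the report’s "remain current" expectation asks of a company.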
The FTC staff also recommends that companies notify consumers and give them choices about how their information will be used, particularly when the data collection is beyond consumers’ reasonable expectations. The IoT Report acknowledges that there is no one-size-fits-all approach to how that notice must be given to consumers, particularly because some IoT devices may have no consumer interface or are simply too small for providing notice or consent. In the IoT Report, the FTC staff describes some options for companies to provide notice and choice to consumers, including choice at the point of sale, tutorials, codes on the device, choices during set-up, management portals or dashboards, icons and general privacy menus.
IoT Report and General Privacy Legislation
The FTC continues to recommend that Congress enact strong, flexible and technology-neutral federal legislation to strengthen the FTC’s existing data security enforcement tools and to provide notification to consumers when there is a security breach. In support of its call for such legislation, the IoT Report provides a specific example noting the limits of HIPAA:
In addition, as demonstrated at the workshop, general privacy legislation could ensure that consumers’ data is protected, regardless of who is asking for it. For example, workshop participants discussed the fact that HIPAA protects sensitive health information, such as medical diagnoses, names of medications, and health conditions, but only if it is collected by certain entities, such as a doctor’s office or insurance company. Increasingly, however, health apps are collecting this same information through consumer-facing products, to which HIPAA protections do not apply. Commission staff believes that consumers should have transparency and choices over their sensitive health information, regardless of who collects it. Consistent standards would also level the playing field for businesses.
IoT Report at 52.
The FTC staff, in the IoT Report, continues by noting their own enforcement abilities despite the lack of such legislation:
While Commission staff encourages Congress to consider privacy and security legislation, we will continue to use our existing tools to ensure that IoT companies continue to consider security and privacy issues as they develop new devices and services.
IoT Report at 53.
FTC Enforcement and PaymentsMD
Using its enforcement authority under section 5 of the FTC Act, the FTC recently approved final orders against PaymentsMD, LLC and its former CEO for violating consumer privacy by collecting personal medical information without consent. As described in the complaints, PaymentsMD provided a free consumer health billing site — Patient Portal — which enabled consumers to access and view records of their past and upcoming payments for any medical providers using PaymentsMD’s billing services. PaymentsMD separately developed a new fee-based electronic health record portal site service — the Patient Health Report — which would enable consumers to access, review and manage their consolidated health records through their Patient Portal account.
As described in the complaints, the FTC alleged that PaymentsMD altered the sign-up process for Patient Portal to include permission to collect consumers’ health information for the Patient Health Report. The complaints alleged that, because of various design features, consumers would reasonably believe that the four authorizations presented (all of which could be granted at once through a single checked box) related only to the Patient Portal services for which they were registering. In fact, two of the four authorizations allowed the company to collect sensitive health information from third parties to populate the Patient Health Report service.
According to the complaints, PaymentsMD, through a third party, then contacted health insurance companies, pharmacies, medical offices and laboratories seeking consumers’ health information without adequately informing consumers that the company would be seeking that information. Of the 31 companies that were sent 5,550 requests for consumers’ health information, one company fulfilled the requests while the others refused. Ultimately, PaymentsMD did not sell any Patient Health Reports and received multiple complaints from customers who were only informed after registering for the Patient Portal that their health information was being collected for the health report service.
The FTC alleged that the acts and practices of PaymentsMD and its CEO constituted deceptive acts and practices in violation of section 5(a) of the FTC Act. Under the terms of the settlements, any information collected relating to the Patient Health Report service must be destroyed. Additionally, the company and its former CEO are banned from deceiving customers about the ways they collect and use information, and they must obtain affirmative express consent before collecting health information about a consumer from a third party.
One of the fascinating aspects of this particular case was the FTC’s use of its enforcement authority in a case involving customers’ health information (which would be PHI if provided by the health care providers requested to supply the information). Companies operating in the health information space should take note of this case and the FTC’s exercise of investigation and enforcement. Additional information about the settlement and the case is available on the FTC website at https://www.ftc.gov/enforcement/cases-proceedings/132-3088/paymentsmd-llc-matter.
As the IoT Report and the PaymentsMD settlement demonstrate, regulation and enforcement of the privacy and security of health-related information is no longer solely a HIPAA question.
Companies involved in the development, sale or use of devices and applications involving health information need to be aware that, even if the information does not constitute HIPAA PHI, other governmental authorities — including individual state agencies and attorneys general, the FTC and others (such as the Food and Drug Administration, which regulates certain medical applications as medical devices) — will be monitoring companies developing and selling IoT devices for violations.
Companies involved in the development, sale or use of devices and applications involving health information should carefully consider and implement, where possible, the best practices recommended by the FTC in the IoT Report.
If you would like assistance or have questions about privacy and security issues with the IoT, health-related information or HIPAA, the attorneys in Pepper Hamilton’s Privacy, Security and Data Protection Group and Health Care Services Practice Group have the skills and practical experience necessary to assist you.
1 Federal Trade Commission 2014 Privacy and Data Security Update, available at https://www.ftc.gov/system/files/documents/reports/privacy-data-security-update-2014/privacydatasecurityupdate_2014.pdf.
The material in this publication was created as of the date set forth above and is based on laws, court decisions, administrative rulings and congressional materials that existed at that time, and should not be construed as legal advice or legal opinions on specific facts. The information in this publication is not intended to create, and the transmission and receipt of it does not constitute, a lawyer-client relationship.