Patricia O'Connell
Senior Communications Manager

Kirk Nahra Discusses Electronic Health Record Service Company’s FTC Settlement

DataGuidance’s Privacy This Week
June 17, 2016

Kirk J. Nahra, chair of Wiley Rein’s Privacy Practice and co-chair of the Health Care Practice, was quoted in an article published June 16 by DataGuidance’s Privacy This Week, which focused on the Federal Trade Commission’s (FTC) recent settlement with a small, cloud-based electronic health record service for health care providers. The FTC stated that the company publicly disclosed consumers’ private information without sufficiently informing them about how it would handle their data and without obtaining their consent.

Mr. Nahra said, “This case involves what the FTC sees as a more straightforward deception case. It says consumers were misled. The FTC has always had the authority to engage in this kind of enforcement. In many of the data security cases, there is nothing affirmatively misleading – just the question of whether reasonable and appropriate security for personal information is a required practice. Every kind of entity, health care included, needs to pay attention to the FTC’s ability to go after deceptive practices involving consumers.”

The FTC, in a recent blog post, stated that companies familiar with only the Health Insurance Portability and Accountability Act (HIPAA) may not be used to the FTC’s approach. From the timing, it is unclear if this particular company, “which is clearly a business associate under the HIPAA, was yet subject to enforcement under it,” Mr. Nahra said.

“The FTC generally believes that it can take action against an entity that violates the FTC’s standards regardless of whether they are regulated by HIPAA,” he explained. “The FTC may be saying that they believe consumers can be deceived even when a HIPAA authorization form is signed.”