Data privacy rules across FTC and HHS

Data Privacy Rules: FTC vs. HHS

FTC (Federal Trade Commission)

Scope: The FTC primarily enforces privacy and data security in consumer protection, especially for businesses not covered by sector-specific laws.

Authority: The FTC uses Section 5 of the FTC Act, which prohibits "unfair or deceptive acts or practices," to regulate companies’ data privacy practices.

Focus: Ensuring companies do not make deceptive statements about data privacy or fail to implement reasonable security safeguards.

HHS (Department of Health and Human Services)

Scope: HHS enforces the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.

Authority: Under HIPAA, HHS regulates “covered entities” (health plans, health care providers, and health care clearinghouses) and their business associates.

Focus: Protecting individually identifiable health information (Protected Health Information, PHI), setting standards for use, disclosure, and safeguarding of such data.

Key Differences:

Aspect                 | FTC                                         | HHS (HIPAA)
Governing Law          | FTC Act (Section 5)                         | HIPAA Privacy & Security Rules
Coverage               | General consumer data, various industries   | Health-related data, covered entities
Enforcement Approach   | Against unfair/deceptive practices          | Compliance audits, breach notifications
Types of Data Covered  | Personally identifiable information broadly | Protected Health Information (PHI)

Landmark Cases: FTC and HHS Enforcement in Data Privacy

1. FTC v. Wyndham Worldwide Corp. (2015)

Background:
Wyndham, a hotel chain, suffered multiple data breaches compromising thousands of customers' payment card data. The FTC alleged Wyndham failed to maintain reasonable data security measures, constituting unfair practices under Section 5.

Ruling:
The court upheld the FTC’s authority to regulate companies' data security practices under Section 5, ruling that failure to implement reasonable safeguards could be considered unfair practices affecting consumers.

Significance:
This case established that the FTC has clear jurisdiction over data security practices and can hold companies accountable for inadequate protection of consumer data.

2. FTC v. LabMD, Inc. (2018)

Background:
LabMD, a cancer testing laboratory, suffered a data breach exposing personal health data of thousands of patients. The FTC charged LabMD with unfair data security practices.

Ruling:
The administrative law judge initially dismissed the case due to insufficient evidence that consumers were harmed. Even so, the case highlighted the FTC's increased attention to health data breaches, especially at entities outside HIPAA's coverage.

Significance:
The case illustrated the challenges of proving harm in data breach cases and demonstrated the FTC's commitment to data security enforcement even at healthcare-adjacent companies not covered by HIPAA.

3. HHS Office for Civil Rights (OCR) v. Anthem Inc. (2018)

Background:
Anthem, one of the largest health insurers, suffered a massive cyberattack exposing the PHI of nearly 79 million people.

Action by HHS:
OCR launched an investigation under HIPAA and found Anthem failed to implement adequate risk analysis and risk management.

Settlement:
Anthem agreed to a $16 million settlement, the largest HIPAA penalty at that time, and agreed to implement a comprehensive corrective action plan.

Significance:
This case underscored the importance of risk analysis and proactive safeguards under HIPAA, with significant financial consequences for failure.

4. FTC v. Facebook, Inc. (2019)

Background:
Following the Cambridge Analytica scandal, the FTC investigated Facebook for deceptive privacy practices related to users’ personal data.

Ruling:
Facebook agreed to a $5 billion settlement and was required to implement strict new privacy controls, submit to regular audits, and enhance oversight of data sharing.

Significance:
This landmark case showed the FTC’s power to impose large fines and enforce privacy reforms on major tech companies, emphasizing the importance of transparent data practices.

5. HHS OCR v. Cottage Health (2020)

Background:
Cottage Health experienced a data breach affecting over 60,000 patients due to unauthorized access to patient records.

Action:
OCR found that Cottage Health failed to conduct an accurate and thorough risk analysis as required by the HIPAA Security Rule.

Settlement:
Cottage Health agreed to a $3 million settlement and undertook a corrective action plan including staff training and improved security measures.

Significance:
This case highlights the ongoing scrutiny by HHS OCR over healthcare providers’ adherence to HIPAA’s risk management requirements and the importance of timely breach notification.

Summary

FTC cases tend to focus on whether companies maintain reasonable data security practices and avoid deceptive privacy claims, across a wide range of industries.

HHS cases enforce HIPAA compliance specifically around safeguarding health information, with heavy penalties for risk management failures.

Both agencies have the power to impose financial penalties and demand corrective actions, but their jurisdiction and focus differ based on the type of data and industry.
