Accretive Health recently agreed to settle a Federal Trade Commission (FTC) complaint stemming from a July 2011 incident in which an Accretive employee’s laptop was stolen from his car. As a medical billing and revenue management services provider, Accretive grants its employees access to “sensitive personal health information,” including “patient names, dates of birth, billing information, diagnostic information and Social Security numbers,” according to the FTC. The FTC’s complaint alleged that information of this nature, relating to 23,000 patients, was stored on the stolen laptop.
While it is not surprising that this situation gave rise to privacy concerns, what is notable is that the response came from the FTC in the form of a complaint rather than through action by the Office for Civil Rights (OCR). Normally, OCR enforces the HIPAA Privacy Rule by investigating complaints or conducting compliance reviews of covered entities. OCR matters are generally resolved through voluntary compliance, corrective action or a resolution agreement. The FTC, on the other hand, is charged with curbing unfair business practices by enforcing the FTC Act and traditionally has not been the agency that polices the data security controls of HIPAA-covered entities.
In the Accretive complaint, the FTC asserts that Accretive failed “to employ reasonable and appropriate measures to protect personal information against unauthorized access,” in violation of the unfairness principle set forth in Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), and that its “inadequate data security measures unfairly exposed sensitive consumer information to the risk of theft or misuse.”
The FTC’s reliance on the unfairness principle of the Act has come under attack. Wyndham Worldwide and LabMD have both responded to FTC complaints similar to the one against Accretive by asserting that the FTC’s application of the unfairness principle to data security enforcement exceeds the authority Congress granted to the Commission.
While it remains to be seen whether Wyndham Worldwide and LabMD can successfully challenge the FTC’s application of the unfairness principle to its data security enforcement activities, Accretive has agreed to a no-fault administrative consent order with the FTC. Under the proposed consent order, Accretive will be required to implement a comprehensive data security program to protect the personal health information of the consumers whose data it handles. The program must include administrative, technical and physical safeguards and will be subject to mandatory biennial (every two years) evaluation by an independent third party.
The proposed consent order can be found here: http://www.ftc.gov/sites/default/files/documents/cases/131231accretivehealthorder_0.pdf. The FTC has also released its own analysis of the proposed settlement, available here: http://www.ftc.gov/sites/default/files/documents/cases/131231accretivehealthanal.pdf