FTC Settlement Supports Using Caution with the "HIPAA Compliance" Label
Companies in the healthcare space sometimes tout to prospective customers that they are "Health Insurance Portability and Accountability Act (HIPAA) compliant." A recent Federal Trade Commission (FTC) settlement suggests that entities that provide health-related services should use caution when they make statements to the public about their ability to comply with federal health privacy and security regulations. In December 2020, the FTC announced a complaint and proposed settlement with SkyMed International Inc. (SkyMed). SkyMed offers emergency travel and medical evacuation services. In connection with its sales to consumers, SkyMed collects certain personal information as well as detailed health information.
According to the complaint, in March 2019 a security researcher found that SkyMed maintained an unsecured cloud database. The database was reachable by anyone on the internet and exposed personal information in approximately 130,000 consumer records. In May 2019, SkyMed notified consumers that "no medical or payment-related information" had been visible to unauthorized individuals. The FTC alleged, however, that SkyMed had deleted the database without first verifying the types of personal information it held, so the company had no basis for that assurance.
The FTC complaint indicates that SkyMed prominently displayed a "HIPAA compliance" seal on every page of its website. In its announcement of the complaint, the FTC noted that the seal had been displayed for nearly five years and that it "deceived consumers." According to the FTC, the seal "signaled to consumers that a government agency or other third party had reviewed [SkyMed's] information practices and determined that they met HIPAA's requirements." No third party or government agency had evaluated SkyMed's HIPAA compliance program or determined that it complied with HIPAA, however. In fact, the FTC's complaint alleges that SkyMed failed to implement written information security policies, failed to provide adequate training, failed to assess risks to the personal information it stored, and kept consumers' personal data on its network and databases without reasonable access controls or authentication protections. SkyMed also allegedly had no procedures for deleting personal data once it was no longer necessary and did not regularly monitor for unauthorized attempts to transfer the consumer information it held.
In the settlement with the FTC, SkyMed agreed to provide all affected consumers with an email notice of the data exposure discovered in March 2019. The company must also implement and maintain an information security program that meets minimum requirements specified in the settlement and obtain third-party assessments of that program. SkyMed is also prohibited from "misrepresenting how it secures personal data, the circumstances of and response to a data breach, and whether the company has been endorsed by or participates in any government-sponsored privacy or security program." The case highlights that companies should avoid representing that they meet "HIPAA compliance" standards or are otherwise "HIPAA compliant" unless they can demonstrate that they are, in fact, adhering to the federal healthcare privacy and security requirements.