Communications Daily is a service of Warren Communications News.
‘View, Download and Transmit’

Despite Legal Challenge, Consumer Advocates Push to Expand FTC’s Health Data Security Role

The rapid expansion of telehealth, using a communications network for supporting healthcare functions, highlights an area of regulatory overlap among the FTC, Food and Drug Administration and the FDA’s parent agency, Health and Human Services (HHS), said industry and consumer advocates in interviews. They agreed mobile health apps will proliferate at a brisk rate in 2014, but differ on the need to regulate the sector. Consumer groups, industry groups and the government are working to decide the best way to oversee the occasionally lax, and minimally regulated, data security standards of telehealth devices like mobile health apps.

Several consumer advocates have urged Congress to give the FTC full authority in telehealth, citing the commission’s technical expertise and emerging data security enforcement background. Technology industry groups have pressed the FDA to clarify its role in the space, recently backing a bill to do that (http://1.usa.gov/1eOyduo). Others, such as LabMD CEO Michael Daugherty, question the FTC’s presence at all in the healthcare arena. The 1996 Health Insurance Portability and Accountability Act (HIPAA) -- dictating the security of large swaths of health data -- is the purview of the FDA and HHS, he told us, and that shouldn’t change. Daugherty has taken his argument to court, challenging the FTC’s authority to bring health data security enforcement action, which the commission did against LabMD (WID Aug 30 p9).

The FTC, FDA and HHS have “overlapping jurisdiction” over health data security, said Mark Eichorn, assistant director of the FTC’s Consumer Protection Bureau Division of Privacy and Identity Protection. Eichorn told us the FTC and HHS frequently communicate. The FTC will pass potential cases to HHS and vice versa, he said. “It’s important that we coordinate.”

The overlap derives from gaps in HIPAA coverage, said Joe Hall, Center for Democracy & Technology chief technologist. HIPAA regulates “covered entities” -- a healthcare provider, or insurance company -- and the outside contractors those entities work with, Hall said. But companies collecting health data directly from consumers fall outside HIPAA, he said. That’s an ever-expanding range of services, from WebMD to fitness apps tracking food intake or glucose levels. HIPAA and thus the FDA and HHS don’t necessarily cover these products, Hall said.

The FTC has stepped in to cover those gaps using its Section 5 authority, Eichorn said. The agency’s “role has remained consistent,” in that “we have considered health privacy to be a priority for many years,” he said. But “it does seem like we’ve brought more health-related cases recently,” he said, citing five over the past few years: Accretive, AcneApp and Acne Pwner, GMR Transcription Service (http://1.usa.gov/Lxjo4B), Epic Marketplace and Cbr Systems.

Only one of those cases was a healthcare-related mobile app: a 2011 action against AcneApp and Acne Pwner (http://1.usa.gov/1mrXlg6). The FTC brought action against the apps because of deceptive claims about the apps’ health benefits, not for inadequate data security measures, said a commission release (http://1.usa.gov/1bJO8LI). But it was the first time the FTC had targeted health claims in the mobile app market, the FTC said. “The deceptive part is quite easy” for the FTC in the healthcare arena, said CDT’s Hall. “The unfairness prong is a little in the air right now.”

Three of the complaints Eichorn cited targeted companies for failing to properly secure sensitive personal information -- medical billing service Accretive (http://1.usa.gov/1cFMJU9), medical transcript service GMR (http://1.usa.gov/Lxjo4B) and cord blood bank operator Cbr Systems (http://1.usa.gov/1eOfQl0). Accretive and GMR agreed to their respective settlements within the past two months. In the Epic Marketplace complaint, the FTC alleged the online advertiser was secretly gathering information on consumers’ Internet searches for sensitive medical issues (http://1.usa.gov/1kTtH1N). The FTC is also boosting its research in this area, holding a public workshop March 20 and 21 on healthcare competition (WID Feb 18 p7). The workshop will focus, in part, on “electronic health care records, health data exchanges, technology platforms for health care payers and providers, and certain other consumer-oriented technological advances,” the FTC said (http://1.usa.gov/1eXaVnS).

Health Goes Mobile

This is the year of “view, download and transmit,” Hall said. Consumers are gravitating toward telehealth, using mobile networks or Internet connections to transmit health-related information, he said. “We expect a lot of medical records to be on consumer devices, be they mobile, computer.” This poses two challenges: One, consumer devices aren’t secured as well as more traditional systems; two, the monetization model for healthcare apps is very different from that of a doctor’s office, Hall said. “You can imagine you will see sensitive data shared with advertising networks analytics platforms,” he said. “Apps themselves don’t have a good track record of being secure.”

A Privacy Rights Clearinghouse (PRC) study in July backed Hall’s assertion. It reviewed 43 “popular” health and fitness apps and concluded “it is clear that there are considerable privacy risks for users” (http://bit.ly/1bJSxON). Many apps sent unencrypted data without informing consumers or shared information with third-party sites without user knowledge, PRC said. These practices were most egregious among free apps, according to the research. “Consumers should not assume any of their data is private in the mobile app environment -- even health data that they consider sensitive.” PRC didn’t identify which apps it reviewed. PRC is funded through cy pres awards from class action lawsuits against healthcare companies, and by other consumer advocates such as the Rose Foundation, California Consumer Protection Foundation and Consumer Federation of America. “That was the exact kind of thing the FTC needs in terms of a hint,” Hall said.

“Because of the nature of the market, there are going to be things that fall, and should fall, outside the FDA’s reach,” said Daniel Castro, a senior analyst focusing on information technology for the Information Technology and Innovation Foundation (ITIF). “So the FTC is going to have to fill in that gap.” ITIF describes itself as a nonpartisan think tank researching issues related to the growing digital economy. Its backers have included a number of industry sources, such as Cisco, eBay, Google and IBM, philanthropic organizations like the Alfred P. Sloan Foundation, and government organizations such as the National Institute of Standards and Technology and the U.S. Agency for International Development.

FTC Suited to Step In

The FTC’s structure and expertise make it well-suited to step in, said several observers. “Unlike the other federal agencies, [the FTC] decided they want top computer scientists to help them understand all these massive electronic threats to everything,” said Deborah Peel, chairwoman of Patient Privacy Rights, which advocates for increased consumer access to healthcare data. The move at the agency started four years ago, Hall said, when the FTC realized “they have to be able to pull these things apart.” Companies weren’t going to be forthcoming with the technical details required to fully understand an app’s security measures, he said. “They have a shop and some labs that do this stuff.”

Conversely, “HHS has no computer scientist,” Peel said. Hall agreed: “I don’t see that same tech expertise residing in HHS.” The FDA approves new medical devices, though, Castro said. This type of premarket approval “is the most stringent type of device marketing application required by FDA,” said its website (http://1.usa.gov/18ttQV1). Applicants must display “sufficient valid scientific evidence that provides reasonable assurance that the device is safe and effective for its intended use or uses,” it said. “All medical devices carry a certain amount of risk” when it comes to security and privacy, said an FDA spokeswoman by email. “The FDA allows devices to be marketed when the probable benefits to patients outweigh the probable risks.” In 2005, the FDA issued security guidance for medical devices using off-the-shelf software, she said (http://1.usa.gov/1hwtn8J), and the agency more recently issued a draft of information security guidelines in 2013 (http://1.usa.gov/1fesgc5). “Manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity, and are responsible for putting appropriate mitigations in place to address patient safety and assure proper device performance,” the spokeswoman said.

During the approval process, “the FDA is more interested in regulating performance outcomes than on regulating security,” Castro said. “That doesn’t mean they can’t” regulate security, he said, “they just haven’t done a lot of that in the past.” The agency traditionally reviews products directly tied to medical treatment -- everything from tongue depressors to pacemakers with microchips, said its website. “The FDA doesn’t have the ability to look at thousands of apps,” Castro said. “That’s not realistic.” Even if the FDA could test mobile apps for security -- as it does for products like pacemakers -- the concept of privacy is “subjective” and often “procedural,” Hall said. Healthcare apps don’t necessarily require FDA approval anyway, partly because they are not always covered under HIPAA, and partly because the FTC has taken the lead on health data security, Castro said.

Some, like LabMD’s Daugherty, view the FTC’s taking the lead as an egregious overreach of its authority. “What is the FTC doing in healthcare?” Daugherty said. “They don’t even understand how a basic lab works,” he said. “How can you sue us and not understand the basic functions?” When the FTC approached Daugherty with its complaint, he refused to sign a consent decree and settle with the agency, he said. The FTC is usurping HHS’s power, pursuing LabMD without alleging any HIPAA violation, he said. “One of the reasons I didn’t sign a consent decree is how awful they are, how untrustworthy they are.” The 20-year monitoring period is excessive, Daugherty said. LabMD would have had to pay for biennial audits and be subject to fines if the company’s security standards violated the consent decree, he said. The consent decree didn’t include reasonable information on exactly what security measures LabMD needed to avoid these fines, Daugherty said. “They have no data security standards ... and they argue that they don’t have to. That’s pretty chilling.”

LabMD instead filed a motion for dismissal with FTC administrative law judges (ALJs) in November (http://1.usa.gov/1hNXVyS). It was denied in January (http://1.usa.gov/1byLthU). Cause of Action also filed a lawsuit on behalf of LabMD against the FTC. In late January, LabMD said it was shutting down due to “the FTC’s abuse of power” (WID Jan 30 p16). FTC Consumer Protection Bureau Director Jessica Rich responded in an email statement that “the goal in this case has always been to ensure that this sensitive information is appropriately protected.” And on Feb. 10, the FTC filed a motion claiming LabMD was stalling by failing to comply with discovery obligations (http://1.usa.gov/1eYeX9u). Daugherty doesn’t believe he will win at the administrative court level. The system is biased toward the FTC because the commission has the authority to overrule ALJs, he said.

LabMD Concerns Shared

Lawmakers have expressed similar concerns, saying in a November House Judiciary Antitrust Law Subcommittee hearing that the FTC has moved forward with cases in almost all of the few instances in which an ALJ has ruled in favor of the defendant over the past two decades (WID Nov 18 p2). “The administrative process is a mockery of justice in this country,” Daugherty said. He’ll take his case to a federal court and then the Supreme Court if necessary, he vowed, a process he estimated will take five to six years. “People understand my case is not about my case,” he said.

A ruling against the FTC could be seen as a court telling healthcare services: “Yeah [you’re] under a different regime,” said Ifrah Law Internet privacy lawyer Michelle Cohen. The LabMD case “is the most prominent case” relating to healthcare data security, Hall said. It will raise the questions: “Is this on HHS to bring down HIPAA privacy and security and liability? Or is this something that the FTC is the only place that has general authority to do something?” Hall said.

Congress should move quickly to ensure the FTC doesn’t lose its authority over health data security, Peel and Hall said. “Our coalition wants to put FTC in charge of health privacy, because HHS has been notoriously on the side of industry,” said Peel, a physician and psychoanalyst. The Health Information Technology (HITECH) Act of 2009 led to HHS’s increasing security and privacy measures in HIPAA by clarifying when health data breaches had to be reported to HHS, raising penalties for noncompliance with safety requirements and granting patients the right to ask for copies of their electronic medical records (http://1.usa.gov/Na8eTY). But Peel believes HIPAA is fatally flawed. “The only thing you have now is a right to beg ... a right to ask them not to disclose your data,” she said. The rules should focus more on asking for consent when data is collected or moved, as opposed to giving consumers the right to view that information after the fact, Peel said.

‘Clear Authority’ for FTC Sought

“We need to have clear authority, and that authority needs to be effective,” Hall said. “This needs to be one federal agency.” That should be the FTC, he said. In the February issue of Health Affairs, a peer-reviewed healthcare policy journal, Hall and CDT Health Privacy Project Director Deven McGraw proposed a “comprehensive regulatory framework developed and enforced” by the FTC to govern telehealth privacy and security. The paper called for legislation that would authorize the FTC to bring stakeholders together and create this regulatory framework. “The FTC would approve all of these codes” and have the authority to enforce them, Hall told us. “The thing that would get people to the table is essentially giving people safe harbor from Section 5 authority” under the FTC Act if they fully comply with the code, Hall said. “That’s a robust incentive if the FTC were to deem that conduct consumer protective enough.” If stakeholders couldn’t agree on a mandatory code of conduct, the FTC would be able to set its own telehealth guidelines, Hall said. Telehealth “is so huge and is going to become such a big issue within a year, we think it would be appropriate and necessary” to give the FTC siloed authority through legislation, in lieu of more omnibus privacy legislation CDT and other consumer advocates have been pushing for (WID Dec 2 p1), Hall said.

Congress should clarify the FDA’s medical device jurisdiction, Castro said. He supports legislation aimed at accomplishing that from Sens. Angus King, I-Me., and Deb Fischer, R-Neb. (http://1.usa.gov/1eOyduo). The FDA now “can use its definition of a medical device to assert broad regulatory authority over a wide array of low-risk health IT, including mobile wellness apps, scheduling software and electronic health records,” said a news release from King about the bill, which was introduced Feb. 10. The Preventing Regulatory Overreach To Enhance Care Technology (PROTECT) “Act gives clarity to FDA’s regulatory process to focus on products that pose a legitimate risk to human health.” Rep. Marsha Blackburn, R-Tenn., introduced similar legislation, the Software Act, in the House last year. Blackburn co-chairs the Bipartisan Privacy Working Group with Rep. Peter Welch, D-Vt.

The bill would give certainty to the app developer community, said David LeDuc, Software & Information Industry Association senior director-public policy. “It wouldn’t do anything to alter the broader regulatory landscape,” he said. “It seeks to tighten up the current FDA regulatory authority.” Castro said items that aren’t medical devices, such as ancillary healthcare apps, shouldn’t be subject to the FDA’s long approval process. “Frankly, I think it would be detrimental to innovation in this space” if the FDA were to exclusively regulate such a fast-moving industry, he said. Castro and LeDuc both said that getting the bill to President Barack Obama’s desk is “an uphill battle.” But it’s a rare issue “that has bipartisan support in the House and Senate,” LeDuc said.

For all the potential shifts, the FTC is satisfied with the current health data security landscape, Eichorn said. The current overlap ensures full financial relief in cases where a company or service is not fully covered by either agency, he said. In 2009, the FTC and HHS teamed up to take action against CVS for inadequately protecting its consumers’ and employees’ financial and medical information (http://1.usa.gov/1d0lgd3). HHS alleged HIPAA violations for the unsecured data in the pharmacy and the FTC alleged similar charges for employee records, and credit card and Social Security numbers. In 2010, both agencies brought similar action against Rite Aid (http://1.usa.gov/NaUSH5).

If one takes the approach that only one agency should have had jurisdiction in these cases, “which agency would that be?” Eichorn asked. “If only one of us had done these cases, neither would have had complete relief.” He sees the current, overlapping jurisdiction as “the only system,” he said. “I don’t think you could say, ‘You’re only covered by one or the other.’”