Who Is The More Active Privacy Enforcer: FTC or OCR?

4 Responses

  1. Dissent says:

    Thank you for a provocative post, Bob. Some thoughts:

    As you note, there are significant differences that make interpretation of the statistics difficult. Perhaps one of the biggest ones is that entities are required to self-report breaches to HHS. They are not required to do so to FTC, so a more reasonable basis for comparison would be to compute the percent of complaints FTC receives that they investigate – not the total number of investigations.

    I’d also note that until very recently, OCR took the approach that it was obligated to investigate every complaint it received. In my conversations with HHS this past year, they informed me that that is no longer the case and that now, regional OCR directors determine which cases they will investigate. The explanation for this unadvertised change is reportedly lack of resources – something that has presumably plagued the FTC all along as well.

    Another point I’d raise is that unlike OCR, which investigates complaints against single entities, many FTC investigations have involved multiple companies or entities, which adds to the time, complexity, and cost of their investigations. Because any FTC case may involve a number of businesses, your numbers do not really accurately reflect the number of entities charged by or investigated by FTC, although I grant you that even if they did, OCR would score higher on that measure.

    But are OCR’s investigations and enforcement actions really leading to improved privacy for the public any more than the FTC’s are? If FTC tackles Facebook and gets it to implement changes, that affects many more people than an OCR investigation that results in the one entity improving privacy protections – particularly if other entities don’t hear about it. OCR’s fines and settlements are actually less effective than FTC’s, in my opinion, although both fail in that they do not require any admission of wrongdoing.

    If you want to consider an alternative model, I’d look at CDPH’s monitoring and enforcement of medical privacy breaches under California’s statute. We have statistics on the number of their investigations and fines, and can see a trend where some types of breaches have decreased significantly. I’ve occasionally posted their stats on http://www.phiprivacy.net

    Overall, I’d like to see the FTC have more authority and teeth – and use them. It seems that every time they try to flex their muscle, however, members of Congress threaten to strip them of authority they do have. That needs to stop.

  2. Matt says:

    Thanks for the thoughtful post, Bob. HIPAA and HITECH impose substantive standards for privacy and data security. The FTC Act does not. Until it does, the FTC will be a lousy and sloppy enforcer.

    The FTC’s enforcement power in this area is limited because privacy (on which it really has not enforced) and data security (on which it has) do not fit well into “unfair” or “deceptive” acts or practices. There are two separate issues: the privacy problem is that companies are not doing enough to avoid collecting, using, and distributing information that they do not need and that consumers do not want collected; the data security problem is that companies are vulnerable to unintentional or ultra vires leaks of the information they collect.

    The problem is that the FTC Act is a poor place to house enforcement power for either of these problems. Data overreach may fully comply with a privacy notice (and therefore not be deceptive) and still be a poor practice and harmful. The hubbub over Wyndham is proof of the FTC’s weak mandate to fold data security practices (which are at least somewhat well-researched and available to businesses,) let alone privacy practices, into its unfairness authority. Laws mandating FIPPs and bringing enforcement under the FTC are regularly proposed, and consistently killed.

    If there is a government role for privacy enforcement, much more must be done to create and arm an enforcer.

  3. Bob Gellman says:

    I thought I would respond to the two comments. Dissent and Matt make good points, and we all seem to be in agreement that the FTC either needs more authority or we need someone else to do it. That’s surely the bigger issue.

    I don’t object to a more powerful FTC being an enforcer, but I’d rather have someone else doing privacy policy. See my article “A Better Way to Approach Privacy Policy in the United States: Establish a Non-Regulatory Privacy Protection Board,” 54 Hastings Law Journal 1183 (2003), http://bobgellman.com/rg-docs/Gellman-Hastings-03.pdf.

    One quibble. Dissent has a point that some FTC cases affect more people than many OCR cases. But some OCR cases involve large hospitals or health care companies and may have broader consequences. Also, it’s not all that clear that the targets of FTC cases always do what they said they would do or that it makes any real difference. I don’t know that Google and FB have changed their stripes in any meaningful way.

    Some companies that have been the target of FTC actions got dinged a second time for not complying with consent decrees. That gives the FTC two cases, when there was only one real enforcement action. I’m thinking of an Experian case, but I haven’t looked for more.

    There’s more (on all sides) that could be quibbled about, but one quibble is enough. Thanks for the thoughtful comments.

  4. OCR said on Sept. 6 that it has not changed its policy regarding responding to every patient complaint it receives. However, as my recent white paper suggests, the majority of complaints OCR receives are outside its HIPAA privacy and security rule jurisdiction or were not timely. OCR is not going to investigate complaints outside its HIPAA jurisdiction.

    For many years, I’ve felt that OCR could do a better job of referring many of these other complaints to agencies with the jurisdiction, such as the FTC. But that has not happened in any formal way I can detect.

    In 2009, I wrote a column for iHealthBeat, “How to Consolidate the Patchwork of Health Information Confidentiality Law,” that explores this issue in greater depth. http://www.melamedia.com/IHealthBeat0209.Column.pdf

    OCR’s position regarding HITECH Act breaches is different. The agency decided not to investigate every breach report. As of July 2013, it has received more than 81,000 self-reported breaches. Most of these affected fewer than 500 patients and thus are not considered major breaches.

    OCR says it simply does not have the resources to pursue every breach report.

    This is a confusing environment because the vast number of self-reported breaches are HIPAA security or privacy rule violations. But they are not the subject of patient complaints.

    One of the interesting things about this is that patients must be notified of a breach and the organization’s response to it.

    So since September 2009, patients have learned about HIPAA violations through HITECH. However, we have not seen a significant increase in patient complaints because of the breach notifications.

    The white paper, which Bob so graciously cited in his blog, goes into greater detail on the possible reasons for this.