By Donna A. Boswell and Sara A. Kraner
The Federal Trade Commission (FTC) earlier this year entered into a consent order with CVS Caremark that sends a strong signal to hospitals (and other covered entities) that elective content in their "Notice of Privacy Practices" may have compliance and enforcement implications.
Based on allegations that an entity covered under the "Health Insurance Portability and Accountability Act" (HIPAA) did not adequately secure its patients' protected health information, the FTC charged the entity with "unfair" and "deceptive" practices for including language in its notice that stated the importance of customers' privacy.
The Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) also investigated CVS Caremark for HIPAA violations stemming from the same facts. The company agreed to pay $2.25 million to settle the charges, the largest amount paid under HIPAA.
In this first joint action by the FTC and OCR, the two agencies coordinated their investigation of news media reports in 2006 that some CVS Caremark pharmacies were throwing trash containing personal information into unsecured dumpsters. For example, unused prescription labels, orders and bottles with prescription labels allegedly were thrown into regular commercial trash. The OCR charged that CVS Caremark failed to take reasonable and appropriate security measures to protect the protected health information of its patients because it did not implement reasonable policies and procedures to securely dispose of personal information and did not adequately train its employees.
The FTC echoed these charges and also alleged that the covered entity did not utilize reasonable measures to assess compliance with its own policies and procedures and did not employ a reasonable process for discovering and remedying risks to personal information.
Of particular note to all covered entities is the FTC's allegation that given the failure of these security policies and employee training procedures, CVS Caremark engaged in "deceptive" trade practices by including in its notice the claim that "CVS/pharmacy wants you to know that nothing is more central to our operations than maintaining the privacy of your health information."
In other words, because the entity violated HIPAA by failing to adequately safeguard personal information, its statement that nothing was more important than maintaining the privacy of health information was "deceptive." In addition, the FTC alleged that the company's security practices were "unfair" because they failed to protect the sensitive information.
To settle these allegations, CVS Caremark agreed to "establish, implement, and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of the personal information it collects from consumers and employees." The FTC consent order also prohibits the company from making future misrepresentations of its security practices and requires the company to hire a third-party auditor to perform biannual audits of the company's security program for 20 years.
Everyone understands that much of the content of the HIPAA notice is specifically required by the federal regulations. But the mandatory content is legalistic and the disclaimers seem to require hospitals to assume an adversarial posture that does not inspire patient confidence. As a result, many hospitals include "consumer friendly" language like that which (given the security failure) forms the basis for the FTC complaint.
If your HIPAA notice includes such non-mandatory content, the FTC's recent actions should be of particular interest. It is easy to imagine a situation in which gaps in employee training and security policies (such as those surrounding disposal of trash) might result in actions where there is a disclosure of patient information. Likewise, there may be other scenarios where physicians or other personnel fail to comply with written policies for securing patient information, and where it might be alleged that a hospital had not made sufficient efforts to detect and remedy such noncompliance.
As a result of the FTC's action, hospitals faced with those or similar situations need to consider not only their obligations under HIPAA, but also whether their own Notice of Privacy Practices may create additional exposure under the "Consumer Protection Act" and under the consumer protection acts of each of the 50 states.
Congress enacted numerous changes to HIPAA as part of the 2009 "American Recovery and Reinvestment Act," P.L. 111-5. Among other provisions, the legislation authorizes state attorneys general to enforce HIPAA violations (and provides for specific statutory damages).
To the extent that state attorneys general had any doubt about how this enforcement authority might be exercised alongside their existing authority, the FTC's consent order in the CVS Caremark case pretty clearly signals how they might proceed. In addition to any changes being made to assure compliance with other provisions of the law, hospitals may want to consider revising their notices to eliminate extraneous language that might create needless enforcement risk.
Boswell and Kraner are attorneys with the Washington, DC-based law firm of Hogan and Hartson, an outside AHA counsel.