The Federal Trade Commission (FTC) announced a consumer fraud settlement against a company that displayed a ‘HIPAA Compliant’ seal on its website.
After a data breach, SkyMed, a company that provides emergency evacuation memberships for travelers, was cited in December 2020 for not properly protecting member information, failing to adequately assess risks, and failing to monitor its network to detect unauthorized access. While no financial penalty was assessed, SkyMed agreed to a consent order requiring a 20-year monitored compliance program.
On each page of its website, SkyMed displayed a ‘HIPAA Compliant’ seal, which the FTC said deceived consumers by giving the false impression that its policies and procedures met the requirements of HIPAA.
The US Department of Health & Human Services (HHS) Office for Civil Rights (OCR) enforces HIPAA. The FTC has federal authority to protect consumers against fraudulent and unfair business practices, as do state attorneys general. One incident can bring multiple penalties.
I wasn’t surprised by this penalty. Several years ago, when we both were speakers at the National HIPAA Summit, I discussed seals of compliance with an attorney from the FTC. I brought up the subject because several online HIPAA services were offering Seals of Compliance, and I wanted to know if there would be a problem if my consulting company offered them.
I had spoken to the head of another company offering compliance services, one that promotes the use of a Seal of Compliance based on completing a questionnaire and an interview, not the deeper types of assessments we do with network scanning tools and onsite visits. He told me that if I read the fine print on his website I would see his seal really didn’t mean anything.
The FTC attorney told me that if anyone displaying a seal had a data breach or compliance violation, they could be charged with defrauding consumers. That is exactly what happened to SkyMed.
HIPAA compliance is a journey, not a destination. It requires corrections and adjustments. On any given day you might not be compliant. Your IT security may slip, allowing a breach to occur.
A new HIPAA law provides a ‘safe harbor’ against audits and fines if you consistently implement a government-recognized cybersecurity program. That will give you more protection against penalties if you have a breach or violation.
It’s bad enough to be the victim of hacking, or even of a mistake, a failure to adequately secure data, or imperfectly implemented compliance policies and procedures.
Don’t make it worse by displaying a seal that brings the FTC down on you. If you use one on your website or marketing, it’s smart to remove it now.