That’s a bold statement. What’s behind it?
Two recent, high-profile settlements (with telehealth providers) are setting a strong precedent for how the Federal Trade Commission (FTC) is planning to deal with non-compliance going forward.
Non-compliance with what?
The FTC alleged that both telehealth providers violated its Health Breach Notification Rule, and both companies settled rather than contest the charges.
What’s the Health Breach Notification Rule?
The rule applies to vendors of personal health records and related entities that are not covered by HIPAA. It requires them to notify affected individuals and the FTC (and, for larger breaches, the media) when health data is breached. The FTC treats “breach” broadly: it is not limited to an outside attacker breaking in, but also covers a company disclosing health data without users’ authorization, for example by sharing it with advertising platforms.
Why is this in the FTC’s domain?
The FTC is an organization designed to protect consumers. This includes consumer (or patient) privacy and security, and it’s their job to create and enforce telehealth privacy and security regulations.
What should a telehealth provider do to avoid non-compliance?
Start with these three things:
- Review the recent settlements between the FTC and the two telehealth providers. The complaints and consent orders spell out which data-sharing practices the FTC treats as violations, and therefore what providers need to do to protect their patients’ data.
- Mitigate risk by implementing (or updating) your policy for handling patient data, including a clear definition of what constitutes authorized use, and make sure that policy binds every third party you share data with. Be open with your patients about how their data is handled and what the risks are.
- Evaluate your third-party vendors on how they store, secure, and eventually delete patient telehealth data, because you can be held liable for their non-compliance.
Pexip was built as a security-first video technology platform to help organizations ensure their data is protected. You can learn more about our solution for healthcare here: https://www.pexip.com/industry/healthcare.