Controversy as Federal Trade Commission Recommends HIPAA Revisions


This blog post covers the controversy created by a new FTC white paper focused on consumer privacy regulations:

  • Basics of the Paper
  • Minimization Controversy
  • Healthcare Data Recommendations
  • Bashing the FTC Report
  • Data Brokers Know Where You Live
  • Conclusion

Basics of the Paper

A report by the Federal Trade Commission (FTC) exploring ways to reduce the data exposure individuals now face from the Internet of Things (IoT) has drawn rebukes, including one from within the agency itself.

According to Susan D. Hall of FierceHealthIT, the paper drew primarily on a 2013 FTC workshop, an event that was not designed to address the particular challenges of healthcare. It examines four aspects of the IoT (one of the four pillars of the “third platform” of computing, representing the extension of the web into a broad range of physical objects): security, data minimization, notice, and the freedom to opt out.

According to a press release from the agency, FTC Chair Edith Ramirez explained its purpose: “We believe that by adopting the best practices we’ve laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized.”

Minimization Controversy

The promotion of data minimization, the suggestion that firms should reduce the amount of data they collect and retain, garnered the most criticism. While some firms may find this an easy task, others may struggle with the recommendation.

The document argues for data minimization as a remedy for two privacy risks: a larger pool of data makes a system a more attractive target for cybercriminals, and it also raises the likelihood that the information will be misused by the data holder (i.e., the company holding the data) or its partners.

Workshop participants suggested that individuals should be notified more clearly and should have the right to opt out whenever data is used in a manner outside the bounds of reasonable expectations. The paper argues for strengthening existing data protection laws rather than passing new ones designed specifically for the Internet of Things.

Healthcare Data Recommendations

The Internet of Things paper argued for revising the HIPAA regulations, noting that mobile apps and the software within personal electronics often gather the same sensitive data that is given to medical practices and insurance providers, yet this consumer-facing software is not covered by the current law. Americans should have the right to know how their data is being used and to opt out of services if they wish, no matter where the data is obtained, the report urges.

Bashing the FTC Report

Daniel Castro, a director at the Information Technology & Innovation Foundation, said that the white paper is disappointing because it applies a dated, worn-out perspective to groundbreaking systems.

“In calling for companies to reduce their use of data, the FTC misses the point that data is the driving force behind innovation in today’s information economy,” he commented.

Joshua D. Wright, a commissioner at the agency, issued a dissenting statement, arguing that the document recommended changes without sufficient supporting evidence.

In early January, in a keynote at the annual Consumer Electronics Show in Las Vegas, Ramirez said that protected health information (PHI) was often not sufficiently protected within consumer systems.

“Connected devices that provide increased convenience and improve health services are also collecting, transmitting, storing and often sharing vast amounts of consumer data,” warned Ramirez, noting that the sensitivity of the data makes its compromise especially damaging. She stated that weaknesses in data systems represent both a breach risk and a consumer confidence risk.

Data Brokers Know Where You Live

This new report, titled “Internet of Things: Privacy & Security in a Connected World,” was a follow-up to one the agency released in May arguing for legislation to compel data brokers to be more transparent with consumers about how they collect and share sensitive data such as medical records. Under the proposed legislation, third-party handling of such records would have to be disclosed, so that people know what is happening to their personal data rather than being left in the dark.

Additionally, the FTC argued that data brokers should not be able to gather information at all without the user's signed agreement.

Many US citizens are unfamiliar with the concept of data brokering, the authors explain, so notification would make them aware that their data was changing hands.

The FTC researched the May paper by examining the operations of almost a dozen data brokers. The brokers process data to make educated guesses about individuals by integrating and cross-referencing records, including information that amounts to PHI, as when a series of purchases is used to infer that a given customer is pregnant.

When the report was published, Ramirez explained that “data brokers often know as much–or even more–about us than our family and friends, including our online and in-store purchases, our political and religious affiliations, … and more.”

Conclusion

Data law is a relatively new field that is still developing, and regulations will certainly come and go as the technology landscape evolves. For today’s HIPAA compliance needs, choose a provider whose controls have been independently audited under SSAE 16, the attestation standard issued by the American Institute of CPAs, and bear in mind that such an audit report attests to the provider’s own controls; it does not by itself make your use of the service HIPAA compliant.

By Kent Roberts

Public Domain FTC logo via Wikipedia