You may have heard me speak or write about the risk of businesses using phony HIPAA compliance seals in their marketing. My warnings were based on a conversation I had with a Federal Trade Commission (FTC) attorney when we were both speaking at the National HIPAA Summit. She told me if a company has a breach or a compliance violation while displaying a seal, the FTC would consider it consumer fraud.
The FTC announced exactly that on December 16 in a settlement with SkyMed, a company that offers transportation services to travelers who become seriously ill or are injured while away from home. According to the FTC complaint, SkyMed displayed a “HIPAA compliance shield” all over its website at the time a security researcher notified the company about an unsecured database holding approximately 130,000 membership records that may have been breached. The FTC found that displaying the seal was a deceptive business practice under Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices affecting consumers. While the FTC did not issue a fine, it put SkyMed under a 20-year monitored compliance program that will be very expensive.
According to Healthcare Info Security, “The consent order also prohibits SkyMed from making misrepresentations including about how the company protects the privacy, security, availability, confidentiality or integrity of any personal information, as well as its participation ‘in any privacy or security program sponsored by a government or any third party, including any self-regulatory or standard setting organization.’” In other words, never use a seal, even if it comes from a third party.
The article quotes regulatory attorney Paul Hales of the law firm Hales Law Group, who is not involved in the SkyMed case. He calls the company's use of a HIPAA compliance seal on its website "a stupid marketing mistake."
I once asked the head of a company how he could offer a HIPAA compliance seal based just on some questionnaires and discussions. I told him that even the federal government does not certify compliance. He answered, “If you read the fine print, you will see that it doesn’t mean they are compliant.” I replied that I was reading the big print that said their HIPAA compliance was verified.
Don’t make the same mistake. Remove any HIPAA compliance seals from your website. If you are reselling any HIPAA services to clients that are displaying a seal of compliance, tell them to remove the seal immediately. If a client has a breach or compliance violation, they may sue you for your role in providing them with the seal, which may not be covered by your Errors and Omissions insurance because of the deceptive business practice exclusion.