HIPAA compliance is mandatory, not optional, with both federal and state governments stepping up HIPAA enforcement.Recently, our Los Angeles HIPAA lawyers have handled HIPAA breaches involving the following scenarios:

• A nurse at a home healthcare agency left a set of patient papers in the passenger of her car, during a visit to a friend’s house. The papers were stolen, and the home healthcare agency had to file a HIPAA breach notification report with the California Department of Public Healthy and the federal Department of Health & Human Services, and to notify the affected patients.

• A caseworker at an alcohol and drug abuse outpatient facility thought she had forwarded a patient’s file to the insurance company. The insurance company never received the file, and the caseworker reported to her superiors that the file was lost. The alcohol and drug abuse outpatient treatment facility had to go through HIPAA breach notification.

• A third healthcare facility performed an in-home intake of a potential patient. It was a windy day, the caretaker dropped the files, and the front sheet, containing critical patient information, blew away. Once again, HIPAA breach notification was required.

In each case:

• the healthcare facility conducted an internal investigation;

• the worker was disciplined (or terminated);

• the healthcare facility contacted HIPAA counsel to review, revise, and update internal HIPAA policies and procedures to ensure that similar HIPAA breaches would not recur;

• the healthcare facility is exposed to federal and state HIPAA penalties that can be onerous.

In December 2013, HHS Office for Civil Rights (OCR) entered into a Resolution Agreement with Adult & Pediatric Dermatology, P.C. (AP Derm). The agreement included a settlement of $150,000 and a corrective action plan. This HIPAA breached involved the protected health information (PHI) of about 2,200 patients, located on an unencrypted thumb drive, stolen from the vehicle of an AP Derm workforce member (the thumb drive was never founded). Even though AP Derm duly reported the breach to OCR, notified patients in a timely way, and, since the breach involved more than 500 individuals, provided the requisite media notice, the penalty was still assessed.

The moral of the story is that HIPAA compliance requires more than lip service. At minimum:

• Review, update, and upgrade all HIPAA policies and procedures and be sure you work with HIPAA lawyers to tailor all the documents to your facility or practice.

• Consult with appropriate IT professionals regarding security of electronic protected health information (ePHI) as part of your security management process.

• If you have a HIPAA breach, consult with HIPAA legal counsel regarding breach notification.

• Ensure that all members of the workforce have in-person or online HIPAA training.

• Learn how to mitigate HIPAA breaches as part of your breach notification process

The Federal Trade Commission (FTC) won a $2.2 million judgment against health food marketer Wellness Support Network, Inc. (WSN) in federal court for the “Diabetic Pack” and the “Insulin Resistance Pack.”

The FTC alleged that WSN’s claims that the health packs would prevent or treat diabetes were deceptive because they were not supported by adequate scientific proof and WSN’s claims about the amount of proof it had were false.

FTC cited the use of keywords, metatags, and Google Adwords — such as “diabetic cure,” “remedies diabetes,” and “diabetes treatment.”

What online health and wellness companies don’t realize is that they are subject not only to FDA rules about crafting valid structure/function claims (as opposed to therapeutic, medical, disease claims), but also to FDA and FTC rules about substantiation.

Put simply, you can’t make a disease claim for a dietary supplement, and even if you make a proper structure/function claim, you must have substantiation.

FDA and FTC each have more detailed legal rules and regulations about substantiation for dietary supplements / nutraceuticals and other health and wellness products.

FTC requires that all advertisers have competent and reliable evidence to substantiate their claims.

Marketers of health and wellness products are at particular risk of enforcement action, because they feel they can market more aggressively by mentioning diseases such as cancer, diabetes, or even thyroid conditions, and link these to their products.

As this case shows, FDA and FTC can look to meta-tags, online advertising links, etc. – and marketing companies cannot afford to ignore how the consumer and expert testimonials that appear on their sites (and social media sites) can be construed to make disease claims or, claims that lack substantiation.

In this case, the reviewing court accepted the opinion of the FTC’s expert that WSN’s disease prevention and treatment claims should have been, but were not, supported by consistent results from well-conducted controlled, randomized, and double-blind human clinical studies with statistically significant results. This is in fact the gold standard.

The principals were also held jointly and severally liable for the $2.2 million judgment.

Be sure to contact FDA regulatory counsel to evaluate substantiation for any claims you make for health and wellness products. Ask California FDA lawyer Michael H. Cohen to assess whether your health and wellness products meet FDA and FTC regulatory compliance requirements.