By Peyton M. Sturges
Jan. 23 --The Federal Trade Commission Jan. 16 rejected LabMD Inc.'s arguments that because the company
is a covered entity under the Health Insurance Portability and Accountability
Act, the FTC lacks authority to take data security enforcement action against
it under Section 5 of the FTC Act's unfairness prong (In re LabMD, Inc., FTC, No. 9357, dismissal
In denying LabMD's motion to dismiss the FTC
administrative enforcement action, the commission said its enforcement
authority under the FTC Act doesn't conflict with the Health and Human Services
Department's regulation of health information data security practices under
The commission voted 4-0 to reject LabMD's motion, with
Commissioner Julie Brill not participating after her December 2013 recusal (13
PVLR 32, 1/6/14).
Kirk Nahra, a partner with Wiley Rein LLP, in
Washington, called the FTC's assertion of authority in the case, despite
LabMD's allegation of a conflict between HIPAA and the FTC Act, “significant”
for HIPAA-covered entities. “This is the FTC saying that everyone regulated by
HIPAA has to worry about us too,” he said.
Nahra, who is a member of
Bloomberg BNA's Privacy & Security Law Report's advisory board, said that
this is the first case involving a health-care company that is presumably a
HIPAA-covered entity in which the company has contested the FTC's
LabMD is an Atlanta-based
cancer-detection services company. In an administrative complaint, the FTC
alleged that the company's billing department manager made a report containing
the personal information of approximately 9,300 consumers available through a
peer-to-peer file-sharing network. A second incident allegedly occurred when a
police department found LabMD documents, containing the personal information of
several hundred consumers, in the possession of identity thieves.
The FTC alleged that LabMD's “failure to employ reasonable and appropriate measures
to prevent unauthorized access to personal information” was an unfair act or
practice under Section 5 of the FTC Act, 15 U.S.C. § 45.
filed a complaint in the U.S. District Court for the District of Columbia
against the FTC, contending that the commission engaged in an “extralegal abuse
of government power” through its use of the unfairness prong of Section 5 in
the administrative action.
Hotelier Wyndham Worldwide Corp. asserted in
a separate court proceeding that the FTC's reading of its unfairness authority
exceeds what Congress intended. Following Nov. 7, 2013, oral arguments on
Wyndham's motion to dismiss the FTC's lawsuit alleging that the company's
security practices failed to prevent data breaches, the court refused Wyndham's
request to stay discovery.
patient-information protection requirements of HIPAA are largely consistent
with the data security duties that the Commission has enforced pursuant to the
FTC Act,” the commission ruled. It noted that the FTC and the HHS “have worked
together 'to coordinate enforcement actions for violations that implicate both
HIPAA and the FTC Act'” and that “the two agencies have obtained favorable
results by jointly investigating the data security practices of companies that
may have violated” both laws.
The FTC and HHS announced joint
enforcement actions resulting in large fines against national drug store
chains Rite Aid in July 2010 (9 PVLR 1117, 8/2/10) and CVS Caremark Corp. in
February 2009 (8 PVLR 295, 2/23/09).
“LabMD and other companies may well
be obligated to ensure their data security practices comply with both HIPAA and
the FTC Act. But so long as the requirements of those statutes do not conflict
with one another, a party cannot plausibly assert that, because it complies
with one of these laws, it is free to violate the other,” the commission
Although not unexpected, the commission's decision is an important
development because it provides details concerning the FTC's rationale for
continuing to exercise authority over data security generally--in order to
protect consumers and police unfair business practices--as well as in the
health information protection and health data security arena, which many
providers believed, or hoped, was governed only by HIPAA and was the sole
province of the HHS and its Office for Civil Rights, attorneys told BNA.
W. Reece Hirsch, with Morgan, Lewis
& Bockius LLP, San Francisco, said the FTC's decision addresses significant
issues that “have been percolating for a while” and has important implications
for both federal court cases. “The FTC ruling has implications for the
Wyndham case because it provides more detail about the FTC's rationale
for asserting jurisdiction over data security practices under the FTC Act,” he
“The FTC in its ruling also makes good points concerning why HIPAA
does not preempt the commission's FTC Act authority,” Hirsch said, noting that
the FTC explained that HIPAA isn't exclusive and contains no bar to FTC actions
against covered entities.
Although the Wyndham case has broader
application in theory, the LabMD case is of particular concern for
HIPAA-covered entities, he continued, because it highlights the fact that they
may be subject to enforcement actions based on differing interpretations by the
two agencies. “Equally problematic,” Hirsch said, “is the fact that there is no
formal FTC guidance from which companies, health care or otherwise, can
determine whether their data security efforts comply with the FTC Act.”
Given the FTC's intent to exercise broad enforcement authority, “covered
entities and other organizations are well-served to have a formal data security
compliance program in place so that, should the FTC investigate a breach, they
will be able to demonstrate that they have taken a reasonable approach to
securing consumer data,” Hirsch concluded.
To contact the
reporter on this story: Peyton M. Sturges in Washington at firstname.lastname@example.org
To contact the editor on this
story: Donald G. Aplin at email@example.com
Full text of the
commission's order denying the motion to dismiss is available at http://op.bna.com/hl.nsf/r?Open=psts-9fmms7.