Jan. 23 --The Federal Trade Commission Act Jan. 16 rejected LabMD Inc.'s arguments that because the company is a covered entity under the Health Insurance Portability and Accountability Act, the FTC lacks authority to take data security enforcement action against it under Section 5 of the FTC Act's unfairness prong (In re LabMD, Inc., FTC, No. 9357, dismissal denied 1/16/14).
In denying LabMd's motion to dismiss the FTC administrative enforcement action, the commission said its enforcement authority under the FTC Act doesn't conflict with the Health and Human Services Department's regulation of health information data security practices under HIPAA.
The commission voted 4-0 to reject LabMD's motion, with Commissioner Julie Brill not participating after her December 2013 recusal (13 PVLR 32, 1/6/14).
Kirk Nahra, a partner with Wiley Rein LLP, in Washington, called the FTC's assertion of authority in the case, despite LabMD's allegation of a conflict between HIPAA and the FTC Act, “significant” for HIPAA-covered entities. “This is the FTC saying that everyone regulated by HIPAA has to worry about us too,” he said.
Nahra, who is a member of Bloomberg BNA's Privacy & Security Law Report's advisory board said that this is the first case involving a health-care company that is presumably a HIPAA-covered entity in which the company has contested the FTC's authority.
LabMD is an Atlanta-based cancer-detection services company. In an administrative complaint, the FTC alleged that the company's billing department manager made a report containing the personal information of approximately 9,300 consumers available through a peer-to-peer file-sharing network . A second incident allegedly occurred when a police department found LabMD documents, containing the personal information of several hundred consumers, in the possession of identity thieves.
The FTC alleged that LabMD's “failure to employ reasonable and appropriate measures to prevent unauthorized access to personal information” was an unfair act or practice under Section 5 of the FTC Act, 15 U.S.C. § 45.
LabMD later filed a complaint in the U.S. District Court for the District of Columbia against the FTC, contending that the commission engaged in an “extralegal abuse of government power” through its use of the unfairness prong of Section 5 in the administrative action .
Hotelier Wyndham Worldwide Corp. asserted in a separate court proceeding that the FTC's reading of its unfairness authority exceeds what Congress intended. Following Nov. 7, 2013, oral arguments on Wyndham's motion to dismiss the FTC's lawsuit alleging that the company's security practices failed to prevent data breaches, the court refused Wyndham's request to stay discovery .
“The patient-information protection requirements of HIPAA are largely consistent with the data security duties that the Commission has enforced pursuant to the FTC Act,” the commission ruled. It noted that the FTC and the HHS “have worked together 'to coordinate enforcement actions for violations that implicate both HIPAA and the FTC Act'” and that “the two agencies have obtained favorable results by jointly investigating the data security practices of companies that may have violated” both laws.
The FTC and HHS announced joint enforcement actions resulting in large fines against national drug store chainsRite Aide in July 2010(9 PVLR 1117, 8/2/10) and CVS Caremark Corp. in February 2009 (8 PVLR 295, 2/23/09).
“LabMD and other companies may well be obligated to ensure their data security practices comply with both HIPAA and the FTC Act. But so long as the requirements of those statutes do not conflict with one another, a party cannot plausibly assert that, because it complies with one of these laws, it is free to violate the other,” the commission said.
Although not unexpected, the commission's decision is an important development because it provides details concerning the FTC's rationale for continuing to exercise authority over data security generally--in order to protect consumers and police unfair business practices-- as well as in the health information protection and health data security arena, which many providers believed, or hoped, was governed only by HIPAA and was the sole province of the HHS and its Office for Civil Rights, attorneys told BNA.
W. Reece Hirsch, with Morgan, Lewis & Bockius LLP, San Francisco, said the FTC's decision addresses significant issues that “have been percolating for a while” and has important implications for both federal court cases. “The FTC ruling has implications for the Wyndham case because it provides more detail about the FTC's rationale for asserting jurisdiction over data security practices under the FTC Act,” he said.
“The FTC in its ruling also makes good points concerning why HIPAA does not preempt the commission's FTC Act authority,” Hirsch said, noting that the FTC explained that HIPAA isn't exclusive and contains no bar to FTC actions against covered entities.
Although the Wyndham case has broader application in theory, the LabMD case is of particular concern for HIPAA-covered entities, he continued, because it highlights the fact that they may be subject to enforcement actions based on differing interpretations by the two agencies. “Equally problematic,” Hirsch said, “is the fact that there is no formal FTC guidance from which companies, health care or otherwise, can determine whether their data security efforts comply with the FTC Act.”
Given the FTC's intent to exercise broad enforcement authority, “covered entities and other organizations are well-served to have a formal data security compliance program in place so that, should the FTC investigate a breach, they will be able to demonstrate that they have taken a reasonable approach to securing consumer data,” Hirsch concluded.
To contact the reporter on this story: Peyton M. Sturges in Washington at email@example.com
To contact the editor on this story: Donald G. Aplin at firstname.lastname@example.org
Full text of the commission's order denying the motion to dismiss is available at http://op.bna.com/hl.nsf/r?Open=psts-9fmms7.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to email@example.com.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).