HIPAA Business Associates and the Risk of Data Security Breaches

The case against LabMD illustrates the dangers of using an insecure network to share patients' protected health information.

As Jeff Mongelli, CEO of Acentec indicates, "Risk can be a funny thing. With the passage of the Omnibus Rule, many people thought we're now dealing with an updated, consolidated, and relatively concise body of laws and requirements to contend with. In early March, the Federal Trade Commission (FTC) successfully took action against a healthcare laboratory for HIPAA violations they considered to be unfair acts or practices. The Order on LabMD's Motion to Dismiss went on to express the FTC's belief that under Section 5 of the FTC Act, they have jurisdiction in such cases and intend to continue their enforcement activities."

Yet, before the Affordable Care Act and the Omnibus Rule, there was the FTC's 2009 enforcement action against CVS Pharmacy and its 2010 enforcement action against Rite Aid Pharmacy. In both cases, the pharmacy corporations (Covered Entities under HIPAA) were penalized for violations of the Privacy and Security Rules in relation to customers' protected health information. The Rite Aid matter also involved a separate but related action by the U.S. Department of Health and Human Services (HHS). Therefore, the FTC's Order and its analysis are not a surprise.

The FTC substantiated its position by citing the U.S. Supreme Court's interpretations of the Federal Trade Commission Act. "Neither the language nor the history of the [FTC] [A]ct suggests that Congress intended to confine the forbidden methods to fixed and unyielding categories." FTC v. R.F. Keppel & Bro. Inc., 291 U.S. 304, 310 (1934). The legislative history, which dates back to 1914, as well as the 1938 Amendments, support the FTC's enforcement authority over "deceptive acts and practices." Moreover, "The cardinal rule is that repeals by implication are not favored. Where there are two acts upon the same subject, effect should be given to both if possible." Posadas v. Nat'l City Bank of N.Y., 296 U.S. 497, 503 (1936). Therefore, enforcement of HIPAA noncompliance can come, and has come, from a variety of sources.