Practices Could Face More HIPAA Regulatory Burdens Due to FTC Ruling

February 23, 2014

An August FTC complaint against a medical laboratory indicates that medical practices could soon face more angst when HIPAA breaches occur.

The Federal Trade Commission (FTC), on January 16, rejected LabMD Inc.'s arguments that the FTC lacks authority to institute data security enforcement action against it. 

Although most states have ordinary data security breach laws, which are enforced by state attorneys general, there isn't a federal data security breach law.  Instead, the FTC must bring legal action, if at all, against companies that violate consumers' privacy rights using a provision of the FTC Act, which bars "unfair and deceptive acts and practices in or affecting commerce."

According to HealthITSecurity.com, the conflict started with an August FTC complaint against LabMD Inc. over a breach of 9,300 patients’ personal information, including names and social security numbers, on a public file-sharing network. The Atlanta-based medical laboratory challenged the action, claiming that the FTC has no authority to address private companies’ data security practices as “unfair ... acts or practices” under Section 5 of the FTC Act's unfairness prong. Part of the rub: healthcare providers are already regulated by HIPAA and HITECH.

The risk of financial loss following the theft of healthcare data and identity is central to both state and federal regulatory concerns.  The stakes are high because dollars lost from stolen healthcare identity can be many times greater than the theft of simple credit card information.  Once stolen, healthcare identity theft is harder to detect, harder to track, and thus takes more time to fully “cancel.” That means hundreds of thousands of dollars could be charged to insurance companies and the government before anyone finds out.

Protection is absolutely necessary, but some in the healthcare industry question whether the FTC should enter the picture. Simply put, why does the FTC need to plow the same ground as the HHS Office for Civil Rights (OCR)? One possible answer lies in the fines and publicity that administrative agencies can earn by prosecuting businesses, even those covered by a specific federal regulation granting jurisdiction to another agency.

Normally, FTC regulators are able to point to an insufficient patchwork of state laws as the basis for asserting federal authority. Here, the OCR already regulates the protection of the health data at risk under a national standard, so that argument seems tenuous at best. 

This leaves the FTC open to accusations of jumping on the bandwagon, dog-piling, or engaging in a practice also known as making “alphabet soup,” where excessively large numbers of three-letter regulatory law enforcement agencies converge to pounce on the bad guy. 

“[This is] one of the biggest cases going on right now from a regulatory standpoint. I’m not sure how it’s going to play out, but there may be a jurisdictional fight going on at the moment between the FTC and the Office for Civil Rights (OCR) in the LabMD case,” Scott L. Vernick, a partner at Fox Rothschild LLP and head of its Privacy and Data Security Practice, told HealthITSecurity.com. 

We will likely not see a resolution to this turf war any time soon. Shortly after the ruling, LabMD shut its doors for good, leaving the question unanswered by the courts. 

Clearly LabMD did something stupid, but is extending FTC power the answer? Given that we already have a department with authority to regulate healthcare providers, will adding a new agency create safety, or merely mean that more healthcare providers, physician practices and businesses like LabMD will be forced to shut their doors?