FTC rules HIPAA not a barrier to security enforcement

Entities covered under the Health Insurance Portability and Accountability Act may also be subject to security enforcement by the Federal Trade Commission, the FTC confirmed in a unanimous ruling against a medical testing laboratory that mishandled patient information.

The case dates back to last summer, when the FTC filed a complaint against Atlanta-based LabMD for two separate privacy breaches, one that occurred in 2008 and one that took place in 2012, that impacted a total of roughly 10,000 patients. LabMD, in turn, claimed that the FTC was overstepping its statutory authority because the company was a covered entity under HIPAA.

FTC, however, disagreed, voting 4-0 on Jan. 16 to reject the company's motion, Bloomberg BNA reported. In the ruling, FTC said that LabMD had misinterpreted "the Commission's expressions of support for legislation relating to data security," and called LabMD's arguments "unpersuasive."

"Contrary to LabMD's contention, Congress has never enacted any legislation that, expressly or by implication, forecloses the Commission from challenging data security measures that it has reason to believe are 'unfair … acts or practices,'" FTC said. "LabMD relies on numerous 'targeted statutes' that Congress has enacted in recent years 'specifically delegating' to the Commission or to other agencies 'statutory authority over data-security' in certain narrower fields. But LabMD has not identified a single provision in any of these statutes that expressly withdraws any authority from the Commission. [N]othing in HIPAA or in HHS's rules negates the Commission's authority to enforce the FTC Act."

San Francisco-based attorney W. Reece Hirsch, with Morgan, Lewis & Bockius LLP, told Bloomberg BNA that the ruling is "problematic," saying that at present, no guidance exists from FTC that can help companies determine if their privacy and security protocols comply with the FTC Act.

A report published in December 2012 by the Ponemon Institute determined that data breaches were costing health organizations close to $7 billion annually. Still, privacy experts speaking last summer at the Healthcare Privacy Summit in Washington, D.C., called current efforts to deal with health data security too reactive.

To learn more:
- here's the Bloomberg BNA article
- here's the ruling (.pdf)