House questions FTC's health data, cybersecurity authority

The Office of the National Coordinator for Health IT isn't the only federal agency being accused by Congress of not knowing the limitations of its regulatory authority when it comes to health IT. Similar charges were leveled at the Federal Trade Commission by members of the House Committee on Oversight and Government Reform at a hearing on Thursday, HealthcareInfoSecurity reported.

While the hearing focused on how the FTC has dealt with cybersecurity cases as a whole, and not just those limited to healthcare, the agency has been a more prominent voice when it comes to the protection of consumer health data over the past year. Just this week, FTC Commissioner Julie Brill spoke about how smartphone apps are gathering and sharing the health information of consumers. A report published by the agency in May recommended that Congress force data brokers to be more transparent about how they use the personal information of consumers--including health information.

What's more, in January, the agency ruled that entities covered under the Health Insurance Portability and Accountability Act may also be subject to security enforcement by the FTC. That ruling stemmed from a case that dates back to last summer, when the FTC filed a complaint against Atlanta-based LabMD for two separate privacy breaches--one that occurred in 2008 and one that took place in 2012--that impacted roughly 10,000 patients. LabMD, in turn, claimed the FTC was overstepping its statutory authority because the company was a covered entity under HIPAA.

Michael Daugherty, CEO of LabMD, was among those who testified in the House committee hearing, saying the company was forced to shutter a majority of its operations earlier this year due to costs associated with the FTC case, according to HealthcareInfoSecurity.

Further, Daugherty said the FTC hasn't exactly been forthcoming about what standards it used in targeting LabMD. "There's nothing for companies to look at, there's no rulemaking," he said.

Committee Chairman Rep. Darrell Issa (R-Calif.) said in the hearing that "safeguards are needed" to guide such FTC processes. "Cybersecurity is not a hard science, you can be sure," he said, according to HealthcareInfoSecurity.

To learn more:
- here's the HealthcareInfoSecurity article