FTC Joining the Regulatory Framework for Health Care Data Security Practices
On January 16, 2014, the Federal Trade Commission (FTC or Commission) issued a decision denying a motion to dismiss by LabMD, Inc. (LabMD) in an administrative proceeding against it. The bulk of the decision centered on rejecting LabMD’s argument that the FTC lacked authority to regulate LabMD’s data security practices because LabMD already was subject to HIPAA’s security regulations. The FTC alleged that LabMD “failed to provide reasonable and appropriate security for personal information on its computer networks,” and that this failure could lead to consumer identity theft and unauthorized disclosure of private medical information. The agency asserted that the alleged security failure and consumer harm represent an unfair act or practice under Section 5 of the FTC Act.
In its decision, the Commission first emphasized Congress’s intent for the FTC to have broad authority to define and proscribe unfair acts or practices. The Commission also cited numerous cases to support its position that it may ascertain, on a case-by-case basis, specific practices that should be condemned as “unfair.”
Next, the Commission highlighted its consistent use of authority under the FTC Act to regulate unreasonable data security activities that qualify as unfair acts or practices. The Commission cited numerous case examples, including a 2006 complaint against a corporation that obtained information about consumers’ private telecommunications usage and disclosed that information to unauthorized third parties. The Commission’s 2006 complaint alleged that the corporation’s conduct violated Section 5(a) of the FTC Act because it “caused or [was] likely to cause substantial injury to consumers that [was] not reasonably avoidable by consumers and [was] not outweighed by countervailing benefits to consumers or competition.” Complaint at ¶ 13, FTC v. Accusearch, Inc., Case No. 06-CV-105-D (D. Wyo. Sept. 28, 2007). In that case, a district court awarded summary judgment to the Commission, and the Tenth Circuit affirmed. FTC v. Accusearch, Inc., 570 F.3d 1187 (10th Cir. 2009).
Finally, the Commission determined that HIPAA and other statutes do not serve as a shield against the FTC Act’s applicability. LabMD argued that Congress has implicitly foreclosed the Commission from enforcing the FTC Act in the narrower field of health care. The Commission, in response, cited Supreme Court precedent that states, “An implied repeal will only be found where provisions in two statutes are in ‘irreconcilable conflict,’ or where the [later] Act covers the whole subject of the earlier one and ‘is clearly intended as a substitute.’” Branch v. Smith, 538 U.S. 254, 273 (2003). Although the Commission addressed the “irreconcilable conflict” scenario and noted that “HIPAA evinces no congressional intent to preserve anyone’s ability to engage in inadequate data security practices that unreasonably injure consumers,” it failed to fully address whether HIPAA, a statute enacted after the most recent FTC amendment, covers the whole subject area of health care data security practices.
Reactions to this FTC decision are coming quickly. The decision could have far-reaching ramifications for entities already subject to HIPAA. Beginning January 28, 2014, reports surfaced that LabMD will wind down its business, with the company citing the FTC investigation as a reason. Observers will continue to watch closely to see how the FTC will join the Department of Health and Human Services as a regulator of health care data security practices.