FTC Reaffirms its Broad Authority in Regulating Private Healthcare Providers’ Inadequate Data Security Programs

On January 16, 2014 the Federal Trade Commission (FTC) unanimously reaffirmed its broad authority to regulate a healthcare provider’s data security program deemed inadequate by the FTC in protecting consumers from identity theft or misuse of personal information. The FTC held that a provider’s program is inadequate if it fails to provide reasonable and appropriate data security measures. A company’s failure to provide reasonable and appropriate data security measures falls within the purview of Section 5(a) of the FTC Act’s prohibition of “unfair … acts or practices.” Further, the FTC held that HIPAA, HITECH, and other statutes do not restrict the FTC’s authority under Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), to challenge data security measures that it has reason to believe are unfair acts or practices.

The impetus for this ruling comes from an August 2013 complaint filed against LabMD, a clinical laboratory, alleging that LabMD failed to employ reasonable and appropriate measures to prevent unauthorized access to consumers’ personal information, constituting an unfair act or practice in violation of Section 5(a) of the Act. LabMD moved to dismiss the FTC’s complaint, arguing that the FTC had no authority to address private companies’ data security programs under the Act, and that by enacting the Health Insurance Portability and Accountability Act (“HIPAA”) and other statutes, Congress implicitly restricted the FTC’s authority to enforce Section 5 of the Act in the field of data security. In denying LabMD’s motion to dismiss, the FTC determined that nothing in the federal statutes reflected a ‘clear and manifest’ intent of Congress to restrict the FTC’s authority over unfair data security practices. Furthermore, the FTC held that “so long as the requirements of those statutes do not conflict with one another, a party cannot plausibly assert that, because it complies with one of these laws, it is free to violate the other.”

As the FTC reasserts its broad authority under the Act, healthcare providers should reexamine their data security programs to ensure that they adequately protect consumers’ personal information in the event of an investigation by the FTC.

Since the inception of the HIPAA Privacy and Security Rules in 1996, Wachler & Associates has counseled providers and other covered entities of all sizes in HIPAA compliance. In order to attain compliance, providers should update security policies and procedures, business associate agreements, privacy policies and procedures, and HIPAA privacy notices. If your entity does not already have these procedures in place, Wachler & Associates can help you implement these important compliance measures. In addition, all employees should receive ongoing training in HIPAA compliance. If you have any questions or require assistance implementing a compliance plan for your organization, please contact an experienced healthcare attorney at 248-544-0888 or at wapc@wachler.com.