On January 16, 2014 the Federal Trade Commission (FTC) unanimously reaffirmed its broad authority to regulate a healthcare provider’s data security program when the FTC finds that program inadequate to protect consumers from identity theft or other misuse of their personal information. The FTC held that a provider’s program is inadequate if it fails to provide reasonable and appropriate data security measures, and that such a failure falls within Section 5(a) of the FTC Act’s prohibition of “unfair … acts or practices.” Further, the FTC held that HIPAA, HITECH, and other statutes do not restrict its authority under Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), to challenge data security measures that it has reason to believe are unfair acts or practices.
The impetus for this ruling was an August 2013 complaint filed against LabMD, a clinical laboratory, alleging that LabMD failed to employ reasonable and appropriate measures to prevent unauthorized access to consumers’ personal information, constituting an unfair act or practice in violation of Section 5(a) of the Act. LabMD moved to dismiss the FTC’s complaint, arguing that the FTC had no authority under the Act to address private companies’ data security programs, and that by enacting the Health Insurance Portability and Accountability Act (“HIPAA”) and other statutes, Congress had implicitly restricted the FTC’s authority to enforce Section 5 of the Act in the field of data security. In denying LabMD’s motion to dismiss, the FTC determined that nothing in those federal statutes reflected a “clear and manifest” intent of Congress to restrict the FTC’s authority over unfair data security practices. Furthermore, the FTC held that “so long as the requirements of those statutes do not conflict with one another, a party cannot plausibly assert that, because it complies with one of these laws, it is free to violate the other.”
As the FTC reasserts its broad authority under the Act, healthcare providers should reexamine their data security programs to ensure that they provide reasonable and appropriate protection for consumers’ personal information, the standard the FTC will apply in the event of an investigation.