In the Federal Trade Commission’s (FTC) eyes, its enforcement authority under the FTC Act doesn’t clash with the Department of Health and Human Services’ (HHS) role in regulating HIPAA. According to bna.com, the FTC voted 4-0 to reject LabMD’s motion arguing that the agency lacks authority to take data security enforcement action (Commissioner Julie Brill didn’t vote after being recused in December 2013).
This is the latest in the back-and-forth between the FTC and LabMD. Back in December, the FTC responded to LabMD’s attempts to throw out the FTC’s complaint and eliminate several subpoenas for discovery. The conflict stems from an August FTC complaint against LabMD over a breach of 9,300 patients’ personal information, including names and Social Security numbers, on a public file-sharing network. Some in the healthcare industry have questioned whether the FTC extending its authority from consumer data to healthcare data will be confusing for HIPAA covered entities.
“[This is] one of the biggest cases going on right now from a regulatory standpoint. I’m not sure how it’s going to play out, but there may be a jurisdictional fight going on at the moment between the FTC and the Office for Civil Rights (OCR) in the LabMD case,” Scott L. Vernick, partner at Fox Rothschild LLP and head of its Privacy and Data Security Practice, told HealthITSecurity.com. “The LabMD case is more about personal health information (PHI) than it is about consumer information, but the FTC is taking the lead role.”
The FTC was able to cite Section 5 of the Federal Trade Commission Act, which allows the FTC to prevent “unfair or deceptive acts or practices,” and used it to include personal data. The issue is how this will affect federal jurisdiction over protected health information (PHI) going forward, as HHS has widely been perceived as the governing body in that area. The FTC, however, believes otherwise.
“The patient-information protection requirements of HIPAA are largely consistent with the data security duties that the Commission has enforced pursuant to the FTC Act,” the commission ruled, according to bna.com. It noted that the FTC and the HHS “have worked together ‘to coordinate enforcement actions for violations that implicate both HIPAA and the FTC Act’” and that “the two agencies have obtained favorable results by jointly investigating the data security practices of companies that may have violated” both laws.