Lawsuit Questions FTC’s Authority To Regulate Health Data Security
March 26, 2014 in News
LabMD, a cancer-detection services company, has filed a lawsuit against the Federal Trade Commission challenging the agency’s regulatory authority over health data security laws, Gov Info Security reports (Kolbasuk McGee, Gov Info Security, 3/21).
Background on Case
In 2013, FTC filed a complaint against LabMD for two privacy breaches in 2008 and 2012 that affected about 10,000 patients.
In the complaint, FTC wrote that LabMD’s “failure to employ reasonable and appropriate measures to prevent unauthorized access to personal information” violated the agency’s regulations.
In response, LabMD argued that FTC’s enforcement action conflicts with health information security regulations under HIPAA, adding that FTC was practicing an “extralegal abuse of government power.”
However, on Jan. 16 FTC ruled 4-0 to reject LabMD’s claims, saying, “Contrary to LabMD’s contention, Congress has never enacted any legislation that, expressly or by implication, forecloses the Commission from challenging data security measures that it has reason to believe are ‘unfair … acts or practices’” (iHealthBeat, 1/29).
In the lawsuit filed last week in the U.S. District Court for the Northern District of Georgia, the company bolstered its argument and asked the court to issue a preliminary injunction to block FTC’s enforcement action against LabMD (Gross, PCWorld, 3/21).
The lawsuit notes that FTC has yet to specify any problems with the company’s data security protocols or what the company did wrong since FTC began its investigation (Ellison, Becker’s Hospital Review, 3/24).
It also alleges that FTC lacks “the power to broadly regulate data security and that Congress delegated the authority to regulate protected health information to … HHS” (Gold, FierceHealthIT, 3/25).
Specifically, the company is seeking a declaration that FTC lacks jurisdiction under Section 5 of the Federal Trade Commission Act to regulate personal health information security practices.
Adam Greene, a privacy attorney at Davis Wright Tremaine, said the lawsuit could have “significant consequences for the entire health care sector,” which currently faces scrutiny from multiple state and federal government regulators over data breaches involving protected health information.
FTC declined to comment on the latest filing (Gov Info Security, 3/21).