If you have a HIPAA security breach, you know you could face the wrath of the HHS Office for Civil Rights. But did you know that you could also face enforcement actions by the Federal Trade Commission?
So says a recent court decision involving the Atlanta-based medical laboratory LabMD Inc. On Aug. 29, 2013, the FTC filed an administrative complaint against LabMD for two separate breaches affecting more than 10,000 consumers’ information. The FTC charged that the company failed to “reasonably protect the security of consumers’ personal data” and medical information. Specifically, the FTC’s enforcement action against LabMD was for allegedly “unfair and deceptive acts” under Section 5 of the FTC Act.
In a motion to dismiss the complaint, “LabMD argued that because it was regulated by HIPAA, the FTC lacked authority to enforce privacy and security violations” that were within HHS’s jurisdiction, wrote attorneys Linn Foster Freedman and Kathryn M. Sylvia in a recent Nixon Peabody analysis. But on Jan. 16, 2014, the FTC voted unanimously to reject LabMD’s arguments.
The FTC’s refusal to dismiss the enforcement action “confirms that HIPAA regulated businesses will now also have to worry about compliance with FTC regulations and enforcement actions for security breaches,” warned Freedman and Sylvia.
This also means that, “whether or not a privacy or security problem is noted by HHS, the FTC could become involved if there have been deceptive trade practices (e.g., promising security and then not providing it),” explains Jim Sheldon-Dean, founder and director of compliance services for Lewis Creek Systems in Charlotte, Vt.