In its July 29, 2016 decision in LabMD, Inc., the Federal Trade Commission clearly signaled its intent to get more involved in the regulation of health privacy. Specifically, the case indicates that the agency intends to go well beyond its traditional role of protecting consumers against deception and to begin scrutinizing the nuts and bolts of companies’ health data security practices.
In most cases, the privacy of individually identifiable health information is protected by HIPAA’s Privacy Rule, which is enforced by the Department of Health and Human Services. But HIPAA covers only data transactions between “covered entities” (providers, health plans, and health care clearinghouses) and their “business associates” (various kinds of service providers). A lot falls through the HIPAA cracks, including the communication of individual patient information between treating physicians and testing laboratories, which is not covered by the HIPAA Privacy Rule. (However, HHS has used HIPAA to determine that patients must be given access to their genetic testing data; see our prior coverage.) This is the crack that the FTC sought to fill in LabMD.
As I noted above, one piece of news in this case is the FTC’s move into the health privacy area. LabMD was in the clinical laboratory business from 2001 until 2014, when it suspended its testing business. However, it has retained its previously collected patient samples and data and continues to provide past test results to providers. Therefore, one lesson to be drawn from the decision is that if you are in the health business but not covered by HIPAA, you cannot assume that you are unregulated—the FTC will be watching, even if no one else is, for as long as you keep individual health data.
Now the FTC is telling you what you have to do. In a series of recent business cases (involving, for example, car dealers and hotels), the FTC has gone beyond posted privacy policies to closely examine just what companies are doing to protect consumers’ personal and financial information. The agency is insisting that privacy and data security practices be reasonable, a loosely defined and evolving standard that seems to focus on industry best practices. The regulatory algorithm is that unreasonable privacy practices = unfair trade practices, and thus violate section 5. (The most comprehensive—albeit somewhat dated—statement of the FTC’s outlook can be found in its 2012 report on consumer privacy.)
This is precisely the approach the FTC took in the LabMD case. Among the data security practices deemed unreasonable were: failing to use an intrusion detection system, neglecting to monitor file integrity or traffic coming across the firewalls, never deleting any data, and not training employees. One consequence of this inattention was that employees installed P2P file-sharing software that exposed thousands of health records to the outside electronic world.
Exposed is a key word here: there was no evidence of any actual data theft. The FTC found this irrelevant, however. Its decision relied on the rarely cited section 5(n) of the FTC Act, which provides that an act or practice can be held unfair if it “causes or is likely to cause substantial harm to consumers.” So the threat of harm is enough, and the absence of actual harm is no defense.
A couple of other legal issues in the LabMD case are worth mentioning. The first concerns the FTC’s authority to judge the substantive adequacy of privacy practices, as opposed to merely ensuring that companies live up to their privacy policies. A number of FTC targets have challenged this authority, including LabMD, which asked both the FTC itself and two different federal courts to rule that the agency was going too far. Its requests were rejected, as has happened in every other case. The leading case is Wyndham Hotels (2015), where the U.S. Court of Appeals upheld the FTC’s authority to regulate the substance of cybersecurity.
A second point concerns remedies. While the FTC has the power to fine offenders, it did not seek a monetary penalty against LabMD. Instead, it imposed (via injunction) detailed requirements for improved security practices. Prospective targets should not take much comfort from this: the agency can seek fines, and LabMD complained bitterly about the burden imposed by the injunction. One piece of good news for targets is that private parties cannot sue for violations of the FTC Act, although they may have comparable rights under similarly worded state “Little FTC Acts” (e.g., North Carolina’s).
Companies that collect, transfer, store, or use individual health information should keep these points in mind:
• The fact that you’re not a covered entity or business associate under HIPAA does not mean that you’re free from federal regulation—the FTC is aggressively asserting its authority in the interstices of privacy law.
• The FTC clearly believes that in privacy and data security, unreasonable = unfair and is thus illegal.
• Reasonableness is a fluid and evolving concept, likely to be tied to best practices in a given industry.
• To get a more specific idea of what the FTC thinks is and isn’t reasonable in the health context, read the full LabMD decision carefully, paying close attention to the technical details. In designing your own practices, avoid LabMD’s specific pitfalls, and whatever you do, do it better than LabMD did.
• The LabMD decision doesn’t mention this, but the FTC does not have jurisdiction to regulate nonprofits. Someone else—including your state government—will, however, and the FTC’s privacy standards are likely to provide a model for other regulators.