by Ann F. Triebsch
As observers of data security enforcement are aware, the Federal Trade Commission (FTC) determined on January 16, 2014, that even entities that are already subject to the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA) are also subject to FTC jurisdiction and enforcement powers for data security breaches. In the LabMD decision, the FTC denied the motion to dismiss sought by LabMD in the administrative case against it, which was formally filed in August, 2013. This outcome, though anticipated, has stirred up plenty of discussion, including about how to know whether or not you’re storing data in a way that satisfies the FTC, and what happens if you’re not. For entities that are subject to HIPAA and have been following the HIPAA Security Rule regulations, is this enough? Should they be doing more to also demonstrate compliance to the FTC?
In its motion to dismiss, LabMD argued the FTC Act’s prohibition of “unfair … acts or practices” did not apply to a company’s failure to implement reasonable and appropriate data security measures, that by implementing HIPAA, Congress had implicitly stripped the FTC of its authority in the field of health data security, and that because the FTC had issued no regulations in the area for LabMD to follow, LabMD essentially was denied due process. The FTC found no merit in any of these arguments.
While the decision is not much of a surprise to FTC observers and experts in the data security regulation field, it is not welcome to those entities and individuals subject to HIPAA who already have to meet the strict privacy and security standards of that statute. “Covered entities”, which include health care providers, health care benefit plans, and health care clearinghouses, and the business associates of these “covered entities”, now not only have to comply with the technical requirements of HIPAA, they also have to be concerned about whether they are satisfying the FTC’s requirement that their data security systems are “fair” to the patients whose health information they maintain. Essentially the FTC has made clear that everyone regulated by HIPAA will be regulated by the FTC as well.
But how is one to comply with the FTC’s vague “unfairness” standard when there are no regulations, especially in a very technical and ever-changing industry? The FTC indicated in a hearing on the LabMD matter that it has no plans to introduce regulations, and that companies that maintain private data should use reasonable security measures and consider potential consumer harm that could result from a breach. It also advised companies to keep an eye on FTC enforcement actions and take cues from those.
The FTC recently settled its fiftieth information security complaint, four of which concerned health information. (LabMD is the fifth complaint involving health information.) Number 50 involved a medical transcription service that agreed to a 20-year consent order for security breaches by its overseas business associate. (GMR Transcription Services.) So while we know the FTC has jurisdiction only over entities engaged in interstate commerce, it does not feel compelled to stop at national borders.
Further, the FTC is not persuaded that compliance with another federal agency’s regulations over the same subject matter carries any weight as to whether the actions in question are “fair”. In LabMD, a potential breach of the patient files in question occurred in 2008 when a rogue employee loaded music-sharing software onto his work computer in violation of company rules. This resulted in the patient files becoming available via the music-sharing software program over the internet. The incident was discovered and repaired, and there was never a determination that a HIPAA violation occurred. The FTC acknowledged that LabMD appeared to be following appropriate security protocols. Yet, despite the fact that the company had an appropriate policy in place, there was a single policy violation that was remedied, and no finding of a HIPAA violation, the FTC deemed that LabMD acted in an “unfair” manner. One might reasonably ask, “What more could LabMD have done?”
Consider the perspective of a small business owner: You’re running a business in the healthcare industry, which you understand is highly regulated. Fair enough, you went into it with your eyes open, knowing compliance would always be a major challenge. But now you are subject to enforcement from a federal agency against “unfair” acts that are undefined by regulations, and other agency guidance is minimal. The subject matter of the enforcement is heavily regulated by another federal agency, but compliance with its regulations doesn’t give you any cover. You still have to meet an additional vague standard, one that potentially changes with the often-weekly introduction of new technology and the FTC’s enforcement actions.
How can a business have any confidence that it is compliant with FTC standards? That is the point made by Forbes magazine in an article on the case and by LabMD owner and CEO Michael Daugherty’s new book about his experience with the FTC, The Devil Inside the Beltway. Further, how can you make decisions about what data protection systems in which to invest when you do not know the standards to be met? The Forbes article recommends that businesses work with the Chamber of Commerce to persuade Congress and the FTC that this is not a reasonable regulatory environment. A hopeful plan, but not much solace in the meantime.
It is not that the FTC does not know how to issue regulations specific to health information. It does, and it has implemented health information breach notice regulations pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH): the FTC’s Health Breach Notification Rule (FTC Breach Rule). The FTC Breach Rule applies to vendors operating in the personal health record space, and the FTC began enforcing the Rule in February 2010. This Rule requires certain businesses that are not covered by HIPAA but that offer electronic personal health records to notify their customers and others if there is a breach of unsecured, individually identifiable electronic health information. The FTC Breach Rule mimics HIPAA notification requirements in many of its provisions. As indicated, “covered entities” already subject to HIPAA are not subject to the FTC Breach Rule. While the FTC Breach Rule arguably offers reasonable guidance on how to appropriately deal with a breach of health information in an electronic format, because it was promulgated under HITECH rather than the FTC Act, it does not incorporate the “fairness” standard.
What happens if the FTC decides to proceed against your company for unfair data security practices? First, it will pursue the case with vigor. In LabMD, just last week on February 10, 2014, the FTC filed a Motion for Discovery Sanctions against LabMD on the basis of its alleged failure to comply with discovery obligations in the case. The FTC does not have the authority to levy fines, but it can order “consumer redress” and pursue consent orders that include civil penalties. In the cases to date, the FTC has settled, with the entity in question agreeing to pay civil penalties, submit to data monitoring, and/or enter into a long-term (up to 20 years) corrective action plan. While paying fines is unpleasant, certainly, having the FTC look over your shoulder for twenty years is daunting to say the least, and will certainly hamstring efforts you may pursue to enlarge or sell your business. And if an entity violates a provision of a consent order after it becomes final, it is liable for a civil penalty of up to $16,000 for each violation.
In sum, it appears that aside from the publication of the FTC Breach Rule, the FTC expects the data security industry to figure out for itself where the line is between reasonable and unfair security measures. The FTC has published various forms of guidance on its website on this question, but there is no clear standard. The costs of a poor guess and getting caught in the spotlight, however, are very high. Stay abreast of industry best practices, err on the side of caution and stay tuned here as we try to figure out what’s coming next.