LabMD recently announced its plans to wind down operations, citing its ongoing legal battle with the Federal Trade Commission (FTC) over the company’s data security practices as a major cause. In a letter dated January 6, LabMD president Michael Daugherty informed the company’s customers and workforce that the medical testing laboratory would no longer be accepting new specimens after January 11 and that the company’s phones and internet access would be discontinued shortly thereafter. Daugherty’s letter blamed the FTC’s “debilitating investigation and litigation” as a major source of the company’s decision to wind down operations.
In August 2013, the FTC filed an administrative complaint charging LabMD with violating Section 5 of the FTC Act based on allegations that the company failed to implement reasonable and appropriate security protections for consumers’ personal information, including medical information (read our prior post for more details on the complaint). LabMD aggressively fired back this past November, filing a motion to dismiss the administrative complaint. At the core of LabMD’s defense was the argument that the FTC lacked authority to regulate the company’s data security practices because LabMD (as a covered entity) was subject to the security requirements of the Health Insurance Portability and Accountability Act (HIPAA).
LabMD, a medical testing laboratory, maintains that Congress gave the Department of Health and Human Services sole authority to regulate the security of health information under HIPAA and other health privacy laws, and hence the FTC never should have brought an enforcement action against LabMD based on allegations of deficient security controls in the first place. In an order issued on January 16, the FTC denied LabMD’s motion to dismiss the administrative complaint and emphasized the agency’s broad authority to define and regulate unfair acts and practices under Section 5, including the practices of HIPAA-regulated entities.
The FTC’s denial of LabMD’s motion confirms that the agency does not view HIPAA as a shield against Section 5 and the agency’s enforcement authority. The decision could have far-reaching implications for entities governed by HIPAA. The LabMD case makes clear that the HIPAA Security Rule is not the only standard to consider when covered entities and business associates are managing organizational security risks, and suggests that the FTC’s increased focus on the protection of health data will continue.