Although a federal court recently ruled that the United States Federal Trade Commission (the “FTC”) has the authority to regulate data security practices, a clinical testing laboratory is arguing that the FTC’s regulatory authority does not extend to entities covered by the Health Insurance Portability and Accountability Act (“HIPAA”). 

Last week, a United States District Court in New Jersey rejected hotel chain Wyndham Worldwide’s argument that the FTC lacks authority under Section 5 of the FTC Act to regulate corporate data security practices (see our coverage here). Shortly after that ruling was issued, the FTC moved to dismiss what it characterized as a similar argument by LabMD, Inc. 

In its response, LabMD distinguished the Wyndham challenge to the FTC’s authority, which questioned whether the FTC had any authority to regulate corporate data security practices, and argued more narrowly that “HIPAA regulation of data security is incompatible with FTC over-regulation.” Specifically, LabMD stated that the FTC imposed additional and conflicting requirements beyond those found in HIPAA or its implementing regulations, and that, under the current regime, a covered entity’s compliance with the HIPAA Security Rule is no defense to an FTC action. “Congress never intended FTC to have such sweeping and over-riding authority to intervene and impose new and additional requirements on entities regulated by expert sister agencies.” 

The court has not yet ruled on the FTC’s motion to dismiss. Because the field of data security involves a complex web of state and federal regulations, as well as multiple government agencies, the healthcare industry should monitor this case and the related administrative proceeding, which could clarify the FTC’s role in regulating and enforcing the security of electronic patient information.