Friday the 13th was a bad day for the Federal Trade Commission (FTC) and a very good day for the healthcare industry. I covered the dispute in the LabMD case in Physicians Practice in February 2014, just after the FTC ruled in favor of itself and its own strained extension of HIPAA-type jurisdiction over beleaguered healthcare providers. Opponents, including LabMD, argued that physicians and healthcare providers already have enough to worry about in the context of patient privacy, security and breach notification under HIPAA, the Omnibus Rule, and HITECH, all of which are already adequately enforced by the United States Department of Health and Human Services' Office for Civil Rights ("OCR").
The FTC seemed to be jumping on the HIPAA bandwagon as well, but unlike the OCR, the FTC lacked a specific statute or rule granting it the authority to regulate healthcare patient privacy. Thus, the FTC decided for itself last year that it had jurisdiction under Section 5 of the FTC Act. The agency said that a failure to institute reasonable and appropriate data security standards constituted an “unfair trade practice” under the FTC Act because the conduct “caused or is likely to cause substantial injury to consumers.”
On Friday, Nov. 13, Chief Administrative Law Judge D. Michael Chappell rejected the FTC's theory in the LabMD case, holding that the "substantial injury" required to state a claim under Section 5 of the FTC Act demands more than "hypothetical or theoretical harm" flowing from the lab's conduct, and that the FTC's showing was therefore insufficient to sustain the commission's allegations. In other words, the mere possibility that someone might be harmed was not enough, and the FTC had wrongly assumed the right to bring a HIPAA-type action against LabMD.
This ruling squares with the outcome of many state lawsuits seeking damages under state law, which are frequently tossed out of court because the cases are based upon the mere possibility of harm, rather than actual demonstrable injury.
The LabMD conflict started in August 2013, when the FTC filed a complaint against LabMD Inc. over the exposure of 9,300 patients' personal information, including names and social security numbers, on a public file-sharing network. The Atlanta-based medical laboratory challenged the action, arguing that the FTC has no authority to police private companies' data security practices as "unfair … acts or practices" under the unfairness prong of Section 5 of the FTC Act. The FTC ruled in January 2014 that it did have jurisdiction.
Prior to Friday’s decision, the FTC had obtained consent decrees in 53 out of 55 cases brought against businesses in recent years – all of which were based merely upon the possibility of harm.
“The reason that the decision was so shocking and important is that because the security standard imposed by the FTC has never been challenged in any court, the FTC has created an enormous castle of air in recent years that everyone has come to believe in,” Kilpatrick Townsend & Stockton LLP big data, privacy and information security practice co-leader Jon Neiditz told Law360 in a story reported earlier this week. “But with this decision, that whole castle of air has been completely deflated.”
The case is surely far from over. The ALJ's initial decision can be appealed to the full Commission and, from there, to the federal courts. Nevertheless, for an overregulated healthcare industry, Friday the 13th was a good day.