Legal consequences abound at every corner in healthcare. Each month this blog discusses examples of what those consequences can be.
Last month’s post focused on the National Labor Relations Board. In this post, my last of 2016, I want to focus on another federal agency that may also be unfamiliar to many healthcare providers and their staff: the Federal Trade Commission (FTC). Specifically, this post will discuss how the FTC regulates healthcare providers.
The FTC was established by the Federal Trade Commission Act of 1914. As explained on the FTC website:
The Federal Trade Commission Act is the primary statute of the Commission. Under this Act, as amended, the Commission is empowered, among other things, to (a) prevent unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce; (b) seek monetary redress and other relief for conduct injurious to consumers; (c) prescribe rules defining with specificity acts or practices that are unfair or deceptive, and establishing requirements designed to prevent such acts or practices; (d) gather and compile information and conduct investigations relating to the organization, business, practices, and management of entities engaged in commerce; and (e) make reports and legislative recommendations to Congress and the public. A number of other statutes listed here are enforced under the FTC Act.
My focus will be on Section 5(a) of the Act. It provides in pertinent part:
(1) Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.
(2) The Commission is hereby empowered and directed to prevent persons, partnerships, or corporations *** from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce.
The FTC has used the authority conferred on it by Section 5(a) to become a leading “enforcer” of privacy and data security.
The most prominent example of FTC enforcement of privacy and data security is its action against Wyndham Hotels & Resorts. Wyndham challenged the FTC’s authority to act against it. After that challenge to the FTC’s enforcement authority under Section 5(a) was rejected by the United States Court of Appeals for the Third Circuit, Wyndham entered into a settlement with the FTC. The FTC’s allegations against Wyndham, and the terms of the settlement, are summarized in an FTC release of December 9, 2015:
Wyndham Hotels and Resorts has agreed to settle FTC charges that the company’s security practices unfairly exposed the payment card information of hundreds of thousands of consumers to hackers in three separate data breaches.
Under the terms of the settlement, the company will establish a comprehensive information security program designed to protect cardholder data – including payment card numbers, names and expiration dates. In addition, the company is required to conduct annual information security audits and maintain safeguards in connections to its franchisees’ servers.
‘This settlement marks the end of a significant case in the FTC’s efforts to protect consumers from the harm caused by unreasonable data security,’ said FTC Chairwoman Edith Ramirez. ‘Not only will it provide important protection to consumers, but the court rulings in the case have affirmed the vital role the FTC plays in this important area.’
The proposed stipulated federal court order requires Wyndham Hotels and Resorts to obtain annual security audits of its information security program that conform to the Payment Card Industry Data Security Standard for certification of a company’s security program. ***.
Turning to the role of the FTC with regard to the healthcare sector, the FTC commenced an enforcement action against LabMD, Inc. This action, and the FTC’s resolution of it, are explained in an FTC release of July 29, 2016:
The Federal Trade Commission today announced the issuance of an Opinion and Final Order reversing an Administrative Law Judge (ALJ) Initial Decision that had dismissed FTC charges against medical testing laboratory LabMD, Inc. In reversing the ALJ ruling, the Commission concludes that LabMD’s data security practices were unreasonable and constitute an unfair act or practice that violated Section 5 of the Federal Trade Commission Act.
The case concerns the alleged failure by Respondent LabMD, Inc., which operated as a clinical laboratory for physicians, to protect the sensitive personal information, including medical information, of consumers. Over the course of its operations between 2001 and 2014, LabMD collected sensitive personal information, including medical information, for over 750,000 patients.
As explained in its unanimous opinion, written by Chairwoman Edith Ramirez, the Commission concludes that the ALJ applied the wrong legal standard for unfairness and finds that ‘LabMD’s security practices were unreasonable, lacking even basic precautions to protect the sensitive consumer information maintained on its computer system. Among other things, it failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had collected.’
The Commission further finds in its opinion that ‘these failures resulted in the installation of file-sharing software that exposed the medical and other sensitive personal information of 9,300 consumers on a peer-to-peer network accessible by millions of users. LabMD then left it there, freely available, for 11 months, leading to the unauthorized disclosure of the information.’
The Commission in its decision concludes that ‘the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under Section 5(n),’ and that LabMD’s disclosure of a file containing this information for 9,300 consumers caused substantial injury. In addition, the Commission finds that LabMD’s security practices were ‘likely to cause substantial injury,’ as they led to the exposure of sensitive information to millions of online P2P users, and because complaint counsel proved that the likelihood and magnitude of potential harm were both high. Complaint counsel’s expert witnesses identified a range of harms such as medical identity theft that can often result from the unauthorized disclosure of the types of sensitive personal information maintained by LabMD on its computer network.
The FTC final order in LabMD is now on appeal. In LabMD, Inc. v. FTC, No. 16-270-D (11th Cir. Nov. 10, 2016), the court of appeals granted LabMD’s motion to stay enforcement of the FTC’s Final Order. The court noted that, among other things, LabMD ceased operation in January of 2014 and had “essentially no assets.” The court of appeals granted the stay because, among other things, it held that LabMD had “made a strong showing” that the FTC’s “factual findings and legal interpretations may not be reasonable.” The court also noted that compliance with the Final Order would cause LabMD irreparable harm “in light of its current financial situation” and that a stay would not injure any other party or the public.
What the court of appeals did must be put in perspective. First, the court did not reach any decision on the merits. Instead, it addressed only the propriety of a stay of enforcement. Second, the court questioned whether LabMD’s actions could be construed to be “unfair” absent any evidence of a “tangible harm to any consumer.” These points are specific to LabMD. It remains to be seen how the appeal will be decided on the merits, and there is nothing in the appellate decision that suggests that the FTC cannot, under appropriate facts, enforce privacy and data security.
Wyndham and LabMD are examples of FTC enforcement authority with regard to privacy and data security. However, the FTC does more than act as an enforcement agency. Among other things, it issued “Start with Security: A Guide for Business” in June of 2015 and released guidance for developers of mobile health apps on April 5, 2016.
What do Wyndham and LabMD teach in terms of privacy and data security in the healthcare sector? First, under appropriate circumstances (whatever the FTC might define such circumstances to be), the FTC will act against a healthcare provider that fails to maintain reasonable data security. Second, any FTC action is derived from the FTC’s own statutory authority; accordingly, a healthcare provider might also, and separately, be investigated and charged under the “independent” obligations imposed on it by HIPAA or State laws. Third, Wyndham and LabMD emphasize the importance of healthcare providers adopting, implementing, and monitoring sound privacy and data security practices.
Editor’s note: The views expressed in this column are those of the author alone and should not be interpreted otherwise or as advice.