Legal consequences abound at every corner in healthcare. Each month this blog discusses examples of what those consequences can be.
In a previous post titled “What Does the FTC Have to Do with Healthcare Providers?” I explained the mission of the Federal Trade Commission (FTC). The FTC has used the statutory authority conferred on it by Section 5(a) of the Federal Trade Commission Act of 1914 to become “a leading ‘enforcer’ of privacy and data security.”
Section 5(a) provides in pertinent part:
“(1) Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.
(2) The Commission is hereby empowered and directed to prevent persons, partnerships, or corporations… from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce.”
In that previous post, I referenced a challenge to the FTC’s authority under Section 5(a) to address lapses in data security. That challenge came from LabMD, Inc.
LabMD, a now-defunct medical laboratory, suffered a data breach. The data breach resulted from the installation, against LabMD’s policy, of a peer-to-peer file-sharing application on a computer used by a LabMD employee that exposed personal information of over 9,000 consumers. The FTC concluded that LabMD’s “data security practices were unreasonable and constitute[d] an unfair act or practice that violated Section 5…” and ordered it to create and implement a number of security-related practices.” LabMD appealed to the United States Court of Appeals for the Eleventh Circuit which, in a recent decision, limited the scope of the FTC’s enforcement authority. See LABMD, Inc. v. FTC, No. 16-16270 (11th Cir. June 6, 2018) at http://media.ca11.uscourts.gov/opinions/pub/files/201616270.pdf for more.
The Eleventh Circuit assumed for the sake of argument that “LabMD’s negligent failure to design and maintain a reasonable data-security program invaded consumers’ right of privacy and thus constituted an unfair act or practice.” However, the court concluded the FTC’s order was unenforceable because it “contains no prohibitions. It does not instruct LabMD to stop committing a specific act or practice. Rather, it commands LabMD to overhaul and replace its data-security program to meet an indeterminable standard of reasonableness.”
The Eleventh Circuit’s decision has not stripped the FTC of its enforcement authority with regard to data security. However, it has required the FTC, when it finds that inadequate data security becomes unfair or deceptive to consumers, to order specific remedies. And the FTC has done so. For example, the FTC settled in June of 2018 with mobile phone company BLU Products, Inc. (BLU). The FTC had alleged that phones manufactured by BLU and sold to consumers included software that transmitted consumer information to a third-party despite representations that these transmittals had stopped. This was alleged to be a deceptive practice because BLU had stated that it had “appropriate physical, electronic, and managerial security procedures.” The settlement contained specific elements rather than the imposition of broad conditions condemned by the Eleventh Circuit. Moreover, on June 20, 2018, the FTC announced that it would hold a series of public hearings on “whether broad-based changes in the economy, evolving business practices, new technologies, or international developments might require adjustments to competition and consumer protection enforcement law, enforcement priorities, and policy.”
What does all this mean for healthcare providers? As I concluded in my previous post (referenced at the beginning of this post), the FTC can act in appropriate circumstances against a healthcare provider or business associate that makes representations about the adequacy of its data security measures and yet suffers a data breach. The scope of any action will, of course, be within the FTC’s statutory authority and will presumably result in specific corrective measures. Moreover, data security lapses can also be investigated and charges filed against a healthcare provider or business associate under HIPAA and State laws. All this means that sound privacy and data security practices should be adopted, implemented, and monitored.
**Editor’s note: The views expressed in this column are those of the author alone and should not be interpreted otherwise or as advice.