In August 2013, the U.S. Federal Trade Commission did something usually done by HHS' Office for Civil Rights — it accused a healthcare company of failing to adequately protect consumers' health information following a data breach.
In this case, the defendant, medical testing laboratory LabMD, suffered a data breach when more than 9,000 consumers' medical records from LabMD were found on an external peer-to-peer sharing network. Another data security incident occurred in 2012, when about 500 consumers' protected health information was discovered in the possession of identity thieves.
The FTC complaint that followed these incidents alleges that LabMD's data security measures were substandard and led to the two incidents. By failing to adequately protect consumer information, LabMD violated Section 5 of the Federal Trade Commission Act, which prohibits "unfair or deceptive acts or practices in or affecting commerce," according to the complaint.
However, the FTC complaint does not specify which data security standards LabMD ran afoul of, nor has the FTC produced any such standards in the ongoing legal battle. During the trial, an FTC representative pointed to public statements made by the FTC, some educational material and the data protection guidelines that exist in the general IT industry as standards, but ultimately said "there is no rulemaking, and no rules have been issued, other than the rule issued with regard to the Gramm-Leach-Bliley Act...for financial institutions" with regard to data security standards.
This lack of clarity prompted LabMD to file a motion to compel, which would force the FTC to disclose which standards the company allegedly violated. Despite the FTC's response that it need not "allege the specific industry standards Respondent failed to meet or specific hardware or software Respondent failed to use," LabMD's motion was ultimately granted May 5 and will allow LabMD to depose an FTC representative in the near future.
Whatever standards the FTC points to during the deposition won't be based on HIPAA regulations or the HITECH Act, however, as the FTC has emphasized throughout the trial that LabMD's alleged violations are based on Section 5 of the FTCA. This case could therefore present another set of standards with which all healthcare organizations must ensure data security compliance, creating additional burdens and confusion in the industry, says Cliff Baker, managing partner of healthcare consulting firm Meditology, who was called by LabMD to testify at the trial as an expert witness.
"As an industry, we've had an eye on HIPAA and what HHS has provided in terms of guidance and the standards they believe the industry should be implementing," says Mr. Baker. "Now there is a new regulatory body governing that same issue, and we're concerned about the new standards and what 'reasonable and appropriate' standards means to them."
In addition to the challenge of conforming to two sets of standards, Mr. Baker worries that the standards the FTC uses to assess security safeguards won't be as sensitive as HIPAA and HITECH regulations to the vast differences in size and resources among healthcare providers.
"HIPAA was created with a consideration to the organizations in the industry, so it has privacy and security standards that are reasonable and appropriate to both large, multinational companies at one end of the spectrum and single-physician practices at the other," he says. "HHS has been mindful of the resource expectations it is imposing on the industry, and has been adopting guidance with that context in mind."
This case, however, reveals the FTC may not be as mindful of an organization's size or resources when applying security standards, he says. LabMD was a small laboratory with 20-odd employees, and when the company began to wind down its operations in January, co-founder and CEO Michael Daugherty cited the ongoing legal battle with the FTC as the cause.
"This complaint has not been applied in the context of [LabMD's] size and resource capabilities," says Mr. Baker, and a ruling in favor of the FTC could lead to a new set of standards not easily achievable by smaller organizations.
An FTC win "would also create a lot of anxiety in the industry as we try to figure out what these expectations are," he says.
However, a ruling in favor of LabMD would "reconfirm" HIPAA and HHS' data security guidelines as the industry's standards, he says. A legal precedent establishing HIPAA and HITECH as the overriding regulations for data protection would give providers a sense of security. "It would be a sigh of relief," he says.
Last week, providers were denied that sense of relief when a federal judge ruled against LabMD's motion to dismiss the case, paving the way for further FTC intervention.
"This is a setback for provider efforts to protect information, as the industry is desperately seeking regulatory clarity and simplification in a seemingly losing battle against growing threats to disclosures of protected health information," said Mr. Baker.