HIPAA Covered Entity Challenges FTC’s Authority to Regulate Data Security

04/17/2014

Although a federal court recently ruled that the United States Federal Trade Commission (the “FTC”) has the authority to regulate data security practices, a clinical testing laboratory is arguing that the FTC’s regulatory authority does not extend to entities covered by the Health Insurance Portability and Accountability Act (“HIPAA”).

Last week, a United States District Court in New Jersey rejected hotel chain Wyndham Worldwide’s argument that the FTC lacks authority under Section 5 of the FTC Act to regulate corporate data security practices (see our coverage here). Shortly after that ruling was issued, the FTC moved to dismiss what it characterized as a similar argument by LabMD, Inc.

In its response, LabMD distinguished the Wyndham challenge to the FTC’s authority, which questioned whether the FTC had any authority to regulate corporate data security practices, and argued more narrowly that “HIPAA regulation of data security is incompatible with FTC over-regulation.” Specifically, LabMD stated that the FTC imposed additional and conflicting requirements beyond those found in HIPAA or its implementing regulations, and that, under the current regime, a covered entity’s compliance with the HIPAA Security Rule is no defense to an FTC action. “Congress never intended FTC to have such sweeping and over-riding authority to intervene and impose new and additional requirements on entities regulated by expert sister agencies.”

The court has not yet ruled on the FTC’s motion to dismiss. Because the field of data security involves a complex web of state and federal regulations, as well as multiple government agencies, the healthcare industry should monitor this case and the related administrative proceeding, which could clarify the FTC’s role in regulating and enforcing the security of electronic patient information.

For additional information about the LabMD case or regulatory issues involving the security of health information, please contact:

Ron Breaux
214.651.5688
ron.breaux@haynesboone.com

 

Kenya Woodruff
214.651.5446
kenya.woodruff@haynesboone.com

Emily Westridge Black
512.867.8422
emily.westridgeblack@haynesboone.com 

Jennifer Kreick
214.651.5492
jennifer.kreick@haynesboone.com

 

Timothy Newman
214.651.5029
timothy.newman@haynesboone.com

 

Email Disclaimer