FTC Retains Authority to Regulate Data Security at HIPAA Covered Entities - For Now

05/16/2014

The healthcare industry will have to wait for a court to answer the question of whether the United States Federal Trade Commission (the “FTC”) has authority to regulate data security practices of entities covered by the Health Insurance Portability and Accountability Act (“HIPAA”). 

On Monday, a federal district judge dismissed LabMD, Inc.’s case without reaching the merits, declining to disrupt the underlying administrative proceeding. The FTC originally issued an administrative complaint against LabMD for failing to provide adequate protection for patient information stored on its internal network. After the FTC denied LabMD’s motion to dismiss the administrative complaint, LabMD filed suit in the district court challenging the FTC’s authority under Section 5 of the FTC Act to address alleged security breaches of protected health information regulated by HIPAA (see our coverage here). The federal court dismissed the case for lack of jurisdiction, holding that the order to deny the motion to dismiss did not constitute a final agency action.

Although the federal court stated in a footnote that the “likelihood of a favorable jurisdictional or merits outcome for LabMD is slight,” it left the door open for a later resolution in the court system, noting that LabMD has some rights of appeal after the administrative process is complete.

For additional information about the LabMD case or regulatory issues involving the security of health information, please contact: 

Ron Breaux
214.651.5688
ron.breaux@haynesboone.com

 

Kenya Woodruff
214.651.5446
kenya.woodruff@haynesboone.com

Emily Westridge Black
512.867.8422

Jennifer Kreick
214.651.5492
jennifer.kreick@haynesboone.com

 

Timothy Newman
214.651.5029
timothy.newman@haynesboone.com

 

Email Disclaimer