FTC Retains Authority to Regulate Data Security at HIPAA Covered Entities - For Now


The healthcare industry will have to wait for a court to answer the question of whether the United States Federal Trade Commission (the “FTC”) has authority to regulate data security practices of entities covered by the Health Insurance Portability and Accountability Act (“HIPAA”). 

On Monday, a federal district judge dismissed LabMD, Inc.’s case without reaching the merits, declining to disrupt the underlying administrative proceeding. The FTC originally issued an administrative complaint against LabMD for failing to provide adequate protection for patient information stored on its internal network. After the FTC denied LabMD’s motion to dismiss the administrative complaint, LabMD filed suit in the district court challenging the FTC’s authority under Section 5 of the FTC Act to address alleged security breaches of protected health information regulated by HIPAA (see our coverage here). The federal court dismissed the case for lack of jurisdiction, holding that the order denying the motion to dismiss did not constitute a final agency action.

Although the federal court stated in a footnote that the “likelihood of a favorable jurisdictional or merits outcome for LabMD is slight,” it left the door open for a later resolution in the court system, noting that LabMD has some rights of appeal after the administrative process is complete.

For additional information about the LabMD case or regulatory issues involving the security of health information, please contact: 

Ron Breaux


Kenya Woodruff

Emily Westridge Black

Jennifer Kreick


Timothy Newman

