LabMD Case Continues to Highlight HIPAA Not The Only Law Utilized for Prosecuting Breaches

The consequences of a security breach of protected health information (PHI) for a health care provider are no longer only a HIPAA issue; they can be financially costly and come from multiple sources. Those following the saga of LabMD know that if data is breached, not only can the Office of Civil Rights (OCR) levy fines based on HIPAA, but more recently the Federal Trade Commission (FTC) has utilized its powers to go after health care providers, labeling it an “unfair practice”.

The case of LabMD took another twist last week, when the House Committee on Oversight and Government Reform (Committee) issued a letter on June 17, 2014 to Kelly Tshibaka, Acting Inspector General for the FTC, notifying the FTC that the Committee is investigating Tiversa, Inc., the company that provided the FTC information for its enforcement action against LabMD.

Interestingly, while the June 17 letter focuses on the potential issues in the relationship between Tiversa and the FTC, it also states, “In addition to concerns about the merits of the enforcement action with respect to the FTC’s jurisdiction….” This is notable because, as discussed in our February 12 blog, the FTC used its power under Section 5 of the Federal Trade Commission Act to prosecute an “unfair act or practice” to file a complaint against LabMD when LabMD allegedly failed to protect, among other information, names, dates and social security numbers of thousands of consumers. While LabMD argued HIPAA and the HITECH Act gave HHS authority over such issues, to date the FTC has been allowed to proceed with the case.

The LabMD case can have important ramifications in terms of data breaches if the FTC wins its case. But in addition to the OCR and FTC, providers also need to be aware that in some states patients could have a private right of action to sue providers for data breaches. While HIPAA does not create a private right of action, state law may allow a patient to sue based on breach of privacy or other state laws. All of this highlights the need for health care providers to have updated HIPAA policies and procedures and to stay abreast of the government's regulations related to HIPAA, particularly in light of ever-changing technology.

