The LabMD Case: What Does it Mean for HIPAA Covered Entities?

On January 16, 2014, the Federal Trade Commission (FTC) issued an opinion and order denying a motion to dismiss in a case that has created confusion and concern for health care providers who are subject to the HIPAA regulations.

The case began with an administrative complaint issued against LabMD by the FTC for “failing to employ reasonable and appropriate measures to prevent unauthorized access to personal information, including dates of birth, SSNs, medical test codes, and health information,” which the FTC alleged constituted an “unfair act or practice” in violation of Section 5 of the Federal Trade Commission Act.

The specific allegations in the complaint included an allegation that LabMD’s billing department manager had downloaded and installed LimeWire, a peer-to-peer (P2P) file-sharing application, on a computer that contained an insurance aging file with the personal information of approximately 9,300 consumers, including names, dates of birth, SSNs, CPT codes, and health insurance policy numbers.  Running the P2P application on that computer exposed the file to other users of the file-sharing network, making the personal information publicly available over the internet.

LabMD filed a Motion to Dismiss arguing, among other things, that the HIPAA and HITECH regulations “manifest Congress’s unambiguous intent to give HHS authority over patient-information data-security and to displace whatever Section 5 authority the Federal Trade Commission Act might have to regulate LabMD’s data-security practices as ‘unfair’ acts or practices.”

In denying the Motion to Dismiss, the Commission held that neither HIPAA nor any other statute cited by LabMD, expressly or by implication, foreclosed the FTC from challenging data security measures that it has reason to believe are “unfair . . . acts or practices.”

So, what exactly does this mean for providers?

For health care providers that are HIPAA covered entities, this ruling means that the FTC, in addition to the HHS Office for Civil Rights (OCR) and state Attorneys General, can investigate a provider’s data security practices, whether prompted by a reported breach or not.  Because the FTC and OCR are independent of each other, there does not appear to be any reason that they could not simultaneously pursue an investigation or complaint and impose penalties independent of one another.

While the FTC does not have specific regulations or guidance for compliance, the list of deficiencies cited by the FTC in the LabMD case is consistent with requirements of the HIPAA Security Rule (the parenthetical citations to 45 CFR Part 164 are the closest corresponding Security Rule provisions):

  • Failure to develop, implement, or maintain a comprehensive information security program to protect consumers’ personal information (cf. the security management process, § 164.308(a)(1), and the policies and documentation requirements, § 164.316);
  • Failure to use readily available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities on its networks (for example, penetration tests) (cf. risk analysis, § 164.308(a)(1)(ii)(A), and periodic evaluation, § 164.308(a)(8));
  • Failure to use adequate measures to prevent employees from accessing personal information not needed to perform their jobs (cf. information access management, § 164.308(a)(4), and access control, § 164.312(a)(1));
  • Failure to adequately train employees to safeguard personal information (cf. security awareness and training, § 164.308(a)(5));
  • Failure to require employees or others with remote access to networks to use common authentication-related security measures (e.g., periodically changing passwords, prohibiting the use of the same password across applications and programs, or using two-factor authentication) (cf. person or entity authentication, § 164.312(d), and password management, § 164.308(a)(5)(ii)(D));
  • Failure to maintain and update operating systems of computers and other devices on its networks (e.g., running operating systems that were no longer supported by the vendor) (cf. risk management, § 164.308(a)(1)(ii)(B));
  • Failure to employ readily available measures to prevent and detect unauthorized access to personal information on its computer networks (e.g., no appropriate measures to prevent employees from installing applications or materials on computers that were not needed to perform their jobs, and no adequate maintenance or review of records of activity on its networks) (cf. information system activity review, § 164.308(a)(1)(ii)(D), and audit controls, § 164.312(b)).
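The last two deficiencies (unsupported operating systems, and no control over what employees install) are the ones a provider can check mechanically against an asset inventory. The following Python audit is an added example, not code from the original post or from the LabMD record: it walks a constructed list of workstations and flags unapproved software (rating P2P file-sharing clients on a machine that holds PHI as high severity), operating systems past vendor support, and users who hold local administrator rights and can therefore install software at will. The host names, application allowlist, and audit date are constructed for the example; the end-of-support dates are Microsoft’s published dates for the listed Windows releases.

```python
"""Audit a workstation inventory against an application allowlist and OS support.

Added example (not from the original post or the LabMD case record). All host
data below is constructed; the end-of-support dates are Microsoft's published
dates for the listed Windows releases.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Applications approved for billing workstations (assumed allowlist).
APPROVED_APPS = {"Microsoft Office", "Billing Client", "Endpoint Antivirus"}

# Peer-to-peer file-sharing clients. On a host holding PHI this is rated high,
# because such clients share whole folders with strangers on the network.
P2P_APPS = {"LimeWire", "BitTorrent", "eMule", "Kazaa"}

# Vendor end-of-support dates (Microsoft's published dates for these releases).
OS_END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}


@dataclass
class Host:
    name: str
    os: str
    installed_apps: list[str]
    holds_phi: bool              # does the machine store patient/insurance data?
    users_are_local_admin: bool  # can ordinary users install software?


def audit_host(host: Host, today: date) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one host."""
    findings: list[tuple[str, str]] = []

    # Application control: anything not on the allowlist is a finding.
    for app in host.installed_apps:
        if app in APPROVED_APPS:
            continue
        if app in P2P_APPS and host.holds_phi:
            findings.append(("high", f"P2P client '{app}' on a host holding PHI"))
        else:
            findings.append(("medium", f"unapproved application '{app}' installed"))

    # Operating system support: unknown is a finding too, so gaps in the
    # support table do not silently pass.
    eos = OS_END_OF_SUPPORT.get(host.os)
    if eos is None:
        findings.append(("medium", f"OS '{host.os}' not in the support table"))
    elif eos <= today:
        findings.append(("high", f"OS '{host.os}' unsupported since {eos.isoformat()}"))

    # Least privilege: local admin rights defeat any software-install policy.
    if host.users_are_local_admin:
        findings.append(("medium", "users hold local admin rights; software installs are not controlled"))
    return findings


def audit(hosts: list[Host], today: date) -> dict[str, list[tuple[str, str]]]:
    """Audit every host; returns {host_name: findings}."""
    return {h.name: audit_host(h, today) for h in hosts}


# Constructed inventory for the example (not real hosts).
AUDIT_DATE = date(2014, 5, 1)
SAMPLE_HOSTS = [
    Host("billing-01", "Windows XP",
         ["Microsoft Office", "Billing Client", "LimeWire"],
         holds_phi=True, users_are_local_admin=True),
    Host("front-desk-02", "Windows 7",
         ["Microsoft Office", "Endpoint Antivirus"],
         holds_phi=False, users_are_local_admin=False),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_HOSTS, AUDIT_DATE).items():
        print(name, "- no findings" if not findings else "")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Run as written, the script reports three findings for billing-01 (the P2P client on a PHI host, an unsupported Windows XP install, and uncontrolled local admin rights) and none for front-desk-02. In practice the inventory would come from an endpoint management or software inventory tool rather than a hand-written list, and the allowlist and support table would be maintained as part of the risk analysis the Security Rule requires.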

These deficiencies would most likely also be considered violations of the HIPAA Security Rule.  However, because of the scalable and flexible nature of the HIPAA Security Rule, the expectations are not always clear, especially where small providers are concerned.  Providers should examine their HIPAA Security policies and review their HIPAA risk analysis (the risk assessment the Security Rule requires) to determine whether they address each of the deficiencies above.

For health care providers who are not HIPAA covered entities, the Federal Trade Commission Act gives the Federal government an avenue to investigate and penalize inadequate data security, not only after a breach.  Thus, it is important for all providers, regardless of covered entity status, to take measures similar to, if not equal to, those required by the HIPAA Security Rule.

The facts alleged in the LabMD case highlight the importance of training and monitoring staff: the exposure began with one employee installing an unapproved application.  While technology is an important component of HIPAA Security and of data security in general, the human component cannot be overlooked.  HIPAA Security policies must be implemented and enforced, not merely written.

Documents related to this case can be found here.

Trackbacks

  1. […] investigation and prosecution of health care providers regarding data security.   As noted in our February 12, 2014 blog on the LabMD case, the FTC in addition to the Office of Civil Rights (OCR) and state Attorneys […]

  2. […] with respect to the FTC’s jurisdiction….”  This is notable because, as discussed in our February 12 blog, the FTC used its power under Section 5 of the Federal Trade Commission Act to prosecute an […]
