HIPAA Risk Analysis Tip – FTC Exerting Data Security Authority

HIPAA Risk Analysis Tip – FTC Exerting Data Security Authority | LabMD Case

On August 29, 2013, The Federal Trade Commission filed a complaint against medical testing laboratory LabMD, Inc. alleging that the company failed to reasonably protect the security of consumers’ personal data, including medical information.

Less than six months later, in a letter dated January 6, LabMD president Michael Daugherty informed the company’s customers and workforce that the medical testing laboratory would no longer be accepting new specimens after January 11 and that the company’s phones and internet access would be discontinued shortly thereafter.   The company has decided to wind down operations according to its press release dated January 28, 2014, entitled FTC ACTIONS FORCE LABMD TO WIND DOWN OPERATIONS.

Here’s today’s big RISK ANALYSIS TIP – Complete Analysis of All Other Potential Sources of Risk and Liability

The Devil Inside the BeltwayI spoke to Mr. Daugherty on Saturday, February 1st about the FTC actions and his plans.  He recently wrote a book entitled “The Devil Inside the Beltway”.  The book tells the story of LabMD’s journey through the FTC process and exposes a systematic and alarming investigation by one of the US Government’s most important agencies.  Mr. Daugherty has indicated that, at least in the short term, he plans to speak out publicly on his ordeal and write additional books that are aimed at helping other small business from experiencing what LabMD experienced.

The original complaint alleged that LabMD billing information for over 9,000 consumers was found on a peer-to-peer (P2P) file-sharing network and then, in 2012, LabMD documents containing sensitive personal information of at least 500 consumers were found in the hands of identity thieves.

The case is part of an ongoing effort by the Commission to ensure that companies take reasonable and appropriate measures to protect consumers’ personal data.  Many argue, including LabMD, that the FTC is overstepping its bounds and becoming hyper-vigilant in the absence of specific rules and regulations around data security.  I asked Mr. Daugherty to comment and he provided the following statement:

“The biggest  issue is that we did all this and it didn’t matter one bit.  There are no standards or rules and the FTC argues they don’t need any. Their efforts are a waste as Snowden walked out with a thumb drive. 

The FTC does not know nor can they prove if or where our file got out or else they are refusing to tell us. Hindsight is always 20/20. P2P risks were not widely known in 2008 and millions of files leaked as late as 2009  per congressional testimony. This is a story about doing it right and still getting screwed.  Many vulnerabilities today are unknown and in 2018 the FTC will say you should have known them based on their term “reasonably foreseeable”. 

We believe in knowledgable power, not compliance by fear.” 

The Biggest Lesson Learned: Complete Analysis of All Other Potential Sources of Risk and Liability

HIPAA Covered Entities and Business Associates need to consider all their sources of risks and liabilities as it relates to safeguarding all sensitive information whether it is Protected Health Information (PHI) or any other Personally Identifiable Information (PII).  For example, in addition to the Department of Health and Human Services (DHHS) Office for Civil Rights (OCR) enforcement actions, it is important to ask these kinds of questions:

  1. Do you have compliance obligations that overlap with HIPAA Privacy, Security and Breach Notification Rules such as Meaningful Use Attestation? CMS or Insurance Exchange privacy requirements?
  2. Do you handle any “super PHI” (e.g., Drug and Alcohol addiction, STD,Psychotherapy notes and is it subject to even more stringent requirements?
  3. Are you subject to a whistleblower filing a complaint under the False Claim Act?
  4. Have you completed pre-emption analyses for all states / jurisdiction in which you operate?
  5. Are you compliant with all applicable state breach notification laws?
  6. Are you or your colleagues subject to sanctions under professional ethics provisions of your associations or other affiliations?
  7. If your company a publicly traded organization subject to reporting and disclosure requirements by the Securities and Exchange Commission (SEC), are you meeting those requirements?
  8. Could you be liable for enforcement action by the Federal Trade Commission (FTC) for unfair or deceptive practices under Section 5 of the FTC Act?
  9. Is your State Attorney General active in enforcement of state and federal Privacy and Security regulations?

Risk Analysis Resources Are Available to You Now

Clearwater Compliance offers best-in-class HIPAA-HITECH Privacy, Security and Breach Notification software and services. Our years of direct front-line, real-world experience with deep privacy and security skill-sets will help you assess and implement the required people, process and technology controls cost-effectively.

Please avail yourself of any of these free resources which you may access now by clicking on the links below:

Wanna be even more hip on HIPAA? Learn more…

The complete HIPAA Privacy, Security and Breach regulations are here.

If you’d like to keep up to date on Risk Analysis or HIPAA-HITECH in general, please also consider (all optional!):

Series Navigation<< HIPAA Risk Analysis Tip – OCR to Increase Security Rule EnforcementHIPAA Risk Analysis Tip – MU Attesters, Is this the Beginning? >>
Tweet about this on Twitter2Share on LinkedIn1Share on Google+1Share on Facebook2Email this to someone

Tags:

Trackbacks/Pingbacks

  1. Court Decision Sets “Binding and Persuasive Precedent” Regarding FTC Authority to Police Data Security Practices - HIPAA-HITECH Compliance Software & Consulting - Clearwater Compliance - April 11, 2014

    [...] Another company, LabMD, recently shut down operations over the FTC’s investigation and is also challenging FTC authority/jurisdiction. [...]

Leave a Reply