HIPAA Security Rules Don’t Apply to You? The FTC Can Still Use Them as a Benchmark

The recent decision by the Federal Trade Commission (FTC) against LabMD is interesting on many levels.  For wellness companies and others who may not be HIPAA Covered Entities or Business Associates, however, the case should serve as a wake-up call regarding the FTC’s stance on the importance of data security.  In short, the FTC expects companies that collect, store or transfer sensitive personal information, such as information collected by wellness programs, to do the following:

  1. Keep sensitive data in your system only as long as you have a business reason to have it;
  2. Assess the vulnerability of each connection to commonly known or reasonably foreseeable attacks;
  3. Scan computers on your network to identify and profile the operating system and open-network services;
  4. Monitor outgoing traffic for signs of a data breach; and
  5. Take time to explain the rules to your staff, and train them to spot security vulnerabilities.

According to the FTC, LabMD, a clinical laboratory that conducted tests on patient specimen samples and reported test results to its physician customers, failed to take these security measures.  As a result, LabMD installed file-sharing software that exposed the medical and other sensitive personal information of 9,300 consumers on a peer-to-peer network accessible by millions of users.  LabMD then left the information there, freely available, for 11 months, leading to the unauthorized disclosure of the information.

The FTC found LabMD’s lax approach to data security to be unreasonable and inappropriate, and therefore in violation of Section 5 of the FTC Act.  LabMD is not alone, however.  To date, the FTC has brought nearly 60 data security cases under its deception and unfairness authority.  My forthcoming book, Rule the Rules on Workplace Wellness Programs, highlights a number of those cases.  The FTC views the unauthorized disclosure, or even the prospect of unauthorized disclosure, of a person’s sensitive information, such as health or financial information, as constituting substantial injury worthy of action, even if there is no evidence of actual harm (such as identity theft).

What is interesting about this case is that LabMD qualified as a HIPAA covered entity and therefore was subject to the HIPAA privacy and security rules.  Yet it was not the federal Office for Civil Rights, which has enforcement authority over HIPAA, that took this action against LabMD.  It was the FTC, which does not have HIPAA enforcement authority.  Nevertheless, the FTC said that the HIPAA security requirements serve as a useful benchmark for reasonable behavior.  So, if the FTC can take action against security practices it deems unreasonable, and the FTC views HIPAA security practices as reasonable, even companies that are not subject to the HIPAA security rules may want to adhere to those rules in order to minimize their risk of action by the FTC.

Another valuable lesson from the LabMD case is that LabMD did have privacy and security policies and procedures, but there was no follow-through on them.  For example, LabMD had a compliance manual that mandated that its compliance officer establish in-house training sessions on privacy and security, but it did not actually provide such training.  In addition, LabMD’s employee handbook stated that sharing health information unnecessarily was illegal and that the company was required to take specific measures to ensure compliance with the law.  Yet LabMD failed to employ adequate measures to prevent employees from accessing personal information not needed to perform their jobs.

The moral of the story is that if you have a compliance plan, follow it.  If you don’t have one and you collect, store or transfer personal information, get one and follow it.  If you need help with developing such a compliance plan or offering training on data privacy or security, contact the Center for Health and Wellness Law, LLC.
