

HIPAA Security Rules Don't Apply to You? The FTC Can Still Use Them as a Benchmark

Posted by Barbara J. Zabawa | Aug 07, 2016 | 0 Comments

The recent decision by the Federal Trade Commission (FTC) against LabMD is interesting on many levels.  For wellness companies and others who may not be HIPAA Covered Entities or Business Associates, however, the case should serve as a wake-up call regarding the FTC's stance on the importance of data security.  In short, the FTC expects companies that collect, store or transfer sensitive personal information, such as information collected by wellness programs, to do the following:

1.  Keep sensitive data in your system only as long as you have a business reason to have it;

2.  Assess the vulnerability of each connection to commonly known or reasonably foreseeable attacks;

3.  Scan computers on your network to identify and profile the operating system and open-network services;

4.  Monitor outgoing traffic for signs of a data breach; and

5.  Take time to explain the rules to your staff, and train them to spot security vulnerabilities.

According to the FTC, LabMD, a clinical laboratory that conducted tests on patient specimen samples and reported test results to its physician customers, failed to take these security measures.  As a result, LabMD installed file-sharing software that exposed the medical and other sensitive personal information of 9,300 consumers on a peer-to-peer network accessible by millions of users.  LabMD then left the information there, freely available, for 11 months, leading to the unauthorized disclosure of the information.

The FTC found LabMD's lax approach to data security to be unreasonable and inappropriate and therefore in violation of Section 5 of the FTC Act.  LabMD is not alone, however.  To date, the FTC has brought nearly 60 data security cases under its deception and unfairness authority. My forthcoming book, Rule the Rules on Workplace Wellness Programs, highlights a number of those cases.  The FTC views the unauthorized disclosure, or the prospect of unauthorized disclosure, of a person's sensitive information, such as health or financial information, as a substantial injury worthy of action, even if there is no evidence of actual harm (such as identity theft).

What is interesting about this case is that LabMD qualified as a HIPAA covered entity and therefore was subject to the HIPAA privacy and security rules.  Yet, it was not the federal Office of Civil Rights, which has enforcement authority over HIPAA, that took this action against LabMD.  It was the FTC, which does not have HIPAA enforcement authority.  Nevertheless, the FTC said that HIPAA security requirements serve as a useful benchmark for reasonable behavior.  So, if the FTC can take action for security practices that it deems unreasonable, and the FTC views HIPAA security practices as reasonable, even those companies that are not subject to HIPAA security rules may want to adhere to those rules in order to minimize their risk of action by the FTC.

Another valuable lesson from the LabMD case is that LabMD had privacy and security policies and procedures.  But there was no follow-through on those policies and procedures.  For example, LabMD had a compliance manual which mandated that its compliance officer establish in-house training sessions regarding privacy and security, but it did not actually provide such training.  In addition, LabMD's employee handbook stated that sharing health information unnecessarily was illegal and that the company was required to take specific measures to ensure compliance with the law.  Yet LabMD failed to employ adequate measures to prevent employees from accessing personal information not needed to perform their jobs.

The moral of the story is that if you have a compliance plan, follow it.  If you don't have one and you collect, store or transfer personal information, get one and follow it.  If you need help with developing such a compliance plan or offering training on data privacy or security, contact the Center for Health and Wellness Law, LLC.

About the Author

Barbara J. Zabawa

Barbara is lead author of the book Rule the Rules on Workplace Wellness Programs, published by the American Bar Association. She is a frequent writer and speaker on health and wellness law topics, having presented for national organizations such as WELCOA, National Wellness Institute, HPLive, Healthstat University and HERO. Barbara J. Zabawa is a Clinical Assistant Professor for the University of Wisconsin Milwaukee College of Health Sciences, Department of Health Services Administration where she teaches graduate and undergraduate courses in health law and compliance, US health care delivery and health professions career development. Barbara also owns the Center for Health and Wellness Law, LLC a law firm dedicated to improving legal access and compliance for the health and wellness industries.  Before graduating with honors from the University of Wisconsin Law School, she obtained an MPH degree from the University of Michigan. Immediately prior to starting her own firm, she was Associate General Counsel and HIPAA Privacy Officer for a large health insurer where she advised on Affordable Care Act matters. She was also a shareholder and Health Law Team Leader at a large Wisconsin law firm. Barbara serves health and wellness professionals and organizations across the country as an advocate, a transactional lawyer and a compliance resource. Her commitment to improving health and wellness also shows through her community service. Barbara founded the Wellness Compliance Institute, a nonprofit organization that seeks to improve wellness program and activity compliance. She also is a Board Member for the Rogers Memorial Hospital Foundation, a health care organization that specializes in treating mental illness and she chairs the State Bar of Wisconsin Health Law Section. Barbara is licensed to practice law in both Wisconsin and New York.
