HIPAA Security Rules Don't Apply to You? The FTC Can Still Use Them as a Benchmark

Posted by Barbara J. Zabawa | Aug 07, 2016 | 0 Comments

The recent decision by the Federal Trade Commission (FTC) against LabMD is interesting on many levels.  For wellness companies and others who may not be HIPAA Covered Entities or Business Associates, however, the case should serve as a wake-up call regarding the FTC's stance on the importance of data security.  In short, the FTC expects companies that collect, store or transfer sensitive personal information, such as information collected by wellness programs, to do the following:

1.  Keep sensitive data in your system only as long as you have a business reason to have it;

2.  Assess the vulnerability of each connection to commonly known or reasonably foreseeable attacks;

3.  Scan computers on your network to identify and profile the operating system and open-network services;

4.  Monitor outgoing traffic for signs of a data breach; and

5.  Take time to explain the rules to your staff, and train them to spot security vulnerabilities.

According to the FTC, LabMD, a clinical laboratory that conducted tests on patient specimen samples and reported test results to its physician customers, failed to take these security measures.  As a result, LabMD installed file-sharing software that exposed the medical and other sensitive personal information of 9,300 consumers on a peer-to-peer network accessible by millions of users.  LabMD then left the information there, freely available, for 11 months, leading to the unauthorized disclosure of that information.

The FTC found LabMD's lax approach to data security to be unreasonable and inappropriate and therefore in violation of Section 5 of the FTC Act.  LabMD is not alone, however.  To date, the FTC has brought nearly 60 data security cases under its deception and unfairness authority. My forthcoming book, Rule the Rules on Workplace Wellness Programs, highlights a number of those cases.  The FTC views the unauthorized disclosure of, or even the prospect of unauthorized disclosure of, a person's sensitive information, such as health or financial information, as constituting substantial injury worthy of action, even if there is no evidence of actual harm (such as identity theft).

What is interesting about this case is that LabMD qualified as a HIPAA covered entity and therefore was subject to the HIPAA privacy and security rules.  Yet, it was not the federal Office for Civil Rights, which has enforcement authority over HIPAA, that took this action against LabMD.  It was the FTC, which does not have HIPAA enforcement authority.  Nevertheless, the FTC said that HIPAA security requirements serve as a useful benchmark for reasonable behavior.  So, if the FTC can take action for security practices that it deems unreasonable, and the FTC views HIPAA security practices as reasonable, then even companies that are not subject to the HIPAA security rules may want to adhere to those rules in order to minimize their risk of action by the FTC.

Another valuable lesson from the LabMD case is that LabMD had privacy and security policies and procedures.  But there was no follow-through on those policies and procedures.  For example, LabMD had a compliance manual which mandated that its compliance officer establish in-house training sessions regarding privacy and security, but it did not actually provide such training.  In addition, LabMD's employee handbook stated that sharing health information unnecessarily was illegal and that the company was required to take specific measures to ensure compliance with the law.  Yet LabMD failed to employ adequate measures to prevent employees from accessing personal information not needed to perform their jobs.

The moral of the story is that if you have a compliance plan, follow it.  If you don't have one and you collect, store or transfer personal information, get one and follow it.  If you need help with developing such a compliance plan or offering training on data privacy or security, contact the Center for Health and Wellness Law, LLC.

About the Author

Barbara J. Zabawa

Attorney Barbara J. Zabawa started the Center for Health & Wellness Law, LLC after she recognized a need for legal services that shared a mission with providers to improve patient outcomes and population health, encourage wellness, protect patient interests in choice of provider and treatment options, provide holistic care, and expand information access. Attorney Zabawa has 20+ years of experience in the health care field, first receiving her Master's in Public Health from the University of Michigan before attending law school at UW Madison, where she graduated with honors in 2001. From 2003-2005, Ms. Zabawa clerked for the Honorable Barbara B. Crabb in the United States District Court for the Western District of Wisconsin and worked on a variety of matters, including employment, patent infringement, civil rights, and contract matters. She also served as a Skadden Fellow representing health care consumers on both the national and local level by helping consumers navigate private insurance coverage issues and advocating for their interests as a Funded Consumer Advocate at the National Association of Insurance Commissioners (NAIC). Attorney Zabawa has worked for a large health insurance company providing advice on the Affordable Care Act as well as HIPAA Privacy and Security compliance. In addition, she was in private practice at a large regional law firm for seven years, where she was a shareholder, led her firm's health care team and served as its HIPAA Privacy Officer. While in private practice, she handled a variety of health law matters, such as compliance with fraud and abuse laws, professional scope of practice matters, state licensing issues, HIPAA privacy and security compliance, Medicare and Medicaid reimbursement and conditions of participation compliance, Accountable Care Organization and other joint venture agreements, employment agreements, as well as business litigation. 
Attorney Zabawa is the author of the forthcoming book "Rule the Rules of Workplace Wellness Programs." She is a frequent speaker and writer both nationally and regionally on workplace wellness program compliance, the Affordable Care Act, fraud and abuse issues and HIPAA compliance. She has published several law review articles in the practice of health law and has been interviewed by TV, radio and print media regarding wellness, health reform, and HIPAA. She is a Board Member for Rogers Memorial Hospital Foundation, Board President for the Wisconsin Alliance for Women's Health, Board Member for Health Promotion Advocates, and currently serves on the Oversight Advisory Council for the Wisconsin Partnership Program and the State Bar Health Law Section Board.

Education: JD - University of Wisconsin Law School, cum laude; MPH - University of Michigan School of Public Health; BA - Lawrence University

Admitted to Practice: New York; Wisconsin; Federal District Court of the Western District of Wisconsin; Federal District Court of the Eastern District of Wisconsin; Court of Appeals for the Seventh Circuit; United States Supreme Court
