Although the Office for Civil Rights (“OCR”) of the Department of Health and Human Services (“DHHS”) is the primary agency enforcing HIPAA, the Federal Trade Commission (“FTC”) also enforces data security against those in the health care business, and it can do so even if the alleged offender is not a covered entity required to comply with HIPAA, particularly its Security Rule. In F.T.C. v. LabMD, the administrative law judge found for the defendant in a ruling that may help to define the likelihood of harm from a health data security breach.
LabMD, a cancer detection laboratory whose security practices were implemented to comply with HIPAA’s standards, came under an FTC investigation when an employee, in violation of LabMD’s policies, installed peer-to-peer (“P2P”) file-sharing software (P2P being a computing or networking architecture that partitions tasks or workloads among peers, the participants). This P2P software exposed some patient data on the file-sharing network.
Perhaps because the breach was not reportable to DHHS back in 2008, the FTC learned of it and filed an enforcement case. When LabMD refused to settle, the FTC brought the case before an administrative law judge of the Office of Administrative Law Judges, which Congress created to adjudicate FTC cases.
After two years of undoubtedly expensive litigation (see the complete case history at LabMD, Inc., In the Matter of, FTC Matter/File Number 102 3099, Docket Number 9357, https://www.ftc.gov/enforcement/cases-proceedings/102-3099/labmd-inc-matter), the Administrative Law Judge ruled in LabMD’s favor as follows:
Section 5(n) of the FTC Act states that “[t]he Commission shall have no authority to declare unlawful an act or practice on the grounds that such act or practice is unfair unless [1] the act or practice causes or is likely to cause substantial injury to consumers [2] which is not reasonably avoidable by consumers themselves and [3] not outweighed by countervailing benefits to consumers or to competition.” 15 U.S.C. § 45(n). Complaint Counsel has failed to carry its burden of proving its theory that Respondent’s alleged failure to employ reasonable data security constitutes an unfair trade practice because Complaint Counsel has failed to prove the first prong of the three-part test—that this alleged unreasonable conduct caused or is likely to cause substantial injury to consumers.
First, with respect to the 1718 File, the evidence fails to prove that the limited exposure of the 1718 File has resulted, or is likely to result, in any identity theft-related harm, as argued by Complaint Counsel. Moreover, the evidence fails to prove Complaint Counsel’s contention that embarrassment or similar emotional harm is likely to be suffered from the exposure of the 1718 File alone. Even if there were proof of such harm, this would constitute only subjective or emotional harm that, under the facts of this case, where there is no proof of other tangible injury, is not a “substantial injury” within the meaning of Section 5(n).
At best, Complaint Counsel has proven the “possibility” of harm, but not any “probability” or likelihood of harm. Fundamental fairness dictates that demonstrating actual or likely substantial consumer injury under Section 5(n) requires proof of more than the hypothetical or theoretical harm that has been submitted by the government in this case. Accordingly, the Complaint is DISMISSED.
Initial Decision by Chief Administrative Law Judge D. Michael Chappell, filed November 13, 2015, at https://www.ftc.gov/system/files/documents/cases/151113labmd_decision.pdf.
Although the above is an FTC, not a DHHS OCR HIPAA case, it seems consistent with the Omnibus Rule change in the risk of harm standard. The Omnibus Rule moved away from the “risk of harm” standard and instead created a rebuttable presumption that all breaches must be reported. The Omnibus Rule also modified the definition of “breach” to provide that—
an acquisition, access, use, or disclosure of protected health information in a manner not permitted under . . . [the Privacy Rule] is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment. 78 Fed. Reg. 5577 (Jan. 25, 2013).
A covered entity or business associate must now undertake a four-factor risk assessment to determine whether PHI has been compromised and, if it has not, to overcome the presumption that the breach must be reported. The four-factor risk assessment focuses on the following:
(1) the nature and extent of the PHI involved in the incident (e.g., whether the incident involved sensitive information like Social Security numbers or infectious disease test results);
(2) the recipient of the PHI;
(3) whether the PHI was actually acquired or viewed; and
(4) the extent to which the risk that the PHI was compromised has been mitigated following unauthorized disclosure (e.g., whether it was immediately sequestered and destroyed).
Thus, if the unauthorized disclosure was to another medical practice or to a laboratory, absent something more, there would seem to be only a possibility of harm (in this example, a remote one), which weighs in favor of the breach not being reportable.
Even though LabMD won, it was likely a Pyrrhic victory, because the lab surely must have incurred six figures in legal fees to defend the action.
The moral of this story is that, whenever you experience a security incident, you should conduct a risk assessment of that incident and document in writing your answers to the four factors above. Then keep that documentation for the six-year retention period that HIPAA requires for compliance documentation. If you have my HIPAA Compliance Library, you will find sample Security Incident Report and Response policies and forms on my HIPAA Documents Resource Center CD, 6th edition, which accompanies The Complete Guide to HIPAA and the DHHS Regulations, 6th edition. You will also be able to keep your security incident risk assessment documentation in its own tab in Your Happy HIPAA Book, which is also part of the HIPAA Compliance Library, available online at http://www.veteranspress.com/product/hipaa-compliance-library.