02 Dec Can the FTC regulate digital health privacy?
Quote from Government Health IT
“From the outset of the FTC’s investigation, the Commission has exerted authority it does not have to punish a business that has done nothing wrong,” said Dan Epstein, executive director of Cause of Action, a nonprofit representing LabMD that “fights to protect economic opportunity when federal regulations, spending and cronyism threaten it.”
Cause of Action and LabMD argue that Congress authorized only one agency to regulate personal health information, the Department of Health and Human Services, and that Section 5 of the FTC Act, covering “unfair acts and practices,” does not apply to patient health data.
“No court has ever said that Section 5 authorizes the FTC to regulate patient information data-security practices, or any other data-security practices, for that matter,” said Reed Rubinstein, Cause of Action’s litigation VP and a lawyer with the firm Dinsmore & Shohl. “Despite the Commission’s repeated requests, Congress has refused to confer upon the FTC jurisdiction over such data-security cases,” Rubinstein said.
In response, FTC lawyers argue that the issue of LabMD’s apparent breach “fits squarely within” the agency’s “broad mandate.” They also noted that the FTC has brought close to 50 data security cases against companies since 2000, with 18 of them alleging unreasonable security practices as unfair under the FTC Act’s Section 5.
“It is true that the statute does not specifically mention data security,” but it also does not specifically mention other consumer issues that the agency has long pursued under Section 5, including online check drafting, the sale of telephone records, breach of contracts and telephone billing, FTC lawyers wrote.