HIPAA Enforcement Actions – How Not to Become a Statistic

Recent high-profile security breaches continue to make protection of consumer data a hot issue. While HIPAA guidelines have been established for the healthcare sector, there are currently no regulations in place for other types of companies. Even if you’re HIPAA-compliant, don’t let your guard down. You may have to answer to another authority.

In the absence of other regulatory agencies, the Federal Trade Commission (FTC) has stepped in to police these security issues. The agency relies on a broad interpretation of a statute in the FTC Act that declares “unfair or deceptive acts or practices in or affecting commerce” to be unlawful.

The FTC issued data breach complaints against Wyndham Hotels and LabMD; both companies challenged the complaints on the grounds that the agency needed explicit authority granted by Congress. They also claimed a due process violation, arguing that it was unfair to enforce standards after the breach without prior notice of the correct procedure.

In addition, LabMD argued that its data is protected health information governed by HIPAA, which is administered by the Department of Health and Human Services. Therefore, the company reasoned, the FTC had no standing to issue the complaint. For its part, the FTC said that HIPAA did not specifically exclude it from having authority. The LabMD motion is still pending, but in April 2024 a judge denied Wyndham Hotels’ motion to dismiss.

It’s clear that the issue of consumer data security won’t have an easy solution. When you use MedConnectUSA for your medical answering and messaging service, you can have peace of mind knowing that our staff is fully trained to be HIPAA-compliant. Please contact us to learn more.