Monthly Archives: August 2016

FTC Overturns ALJ’s LabMD Decision and Reasserts its Role as a Data Security Enforcer

Posted by Gregory M. Fliszar on August 25, 2016
Federal Trade Commission, HIPAA, OCR / No Comments

On July 29, 2016, the Federal Trade Commission (“FTC” or “Commission”) reversed an FTC administrative law judge’s (“ALJ”) opinion which had ruled against the FTC, finding that the Commission had failed to show that LabMD’s conduct caused harm to consumers to satisfy requirements under Section 5 of the FTC Act. In reversing the ALJ, the FTC issued a unanimous opinion and final order that concluded, in part, that public exposure of sensitive health information was, in itself, a substantial injury.

The FTC initially filed a complaint against LabMD in 2013 under Section 5 of the FTC Act, alleging that the laboratory company failed to “provide reasonable and appropriate security for personal information on its computer networks,” which the FTC claimed led to the data of thousands of consumers being leaked. The complaint resulted from two security incidents that occurred several years prior, which the FTC claimed were caused by insufficient data security practices.

In its opinion, the FTC concluded that the ALJ had applied the wrong legal standard for unfairness and went on to find that LabMD’s data security practices constituted an unfair act or practice under Section 5 of the FTC Act. Specifically, the Commission found LabMD’s security practices to be unreasonable – “lacking even basic precautions to protect the sensitive consumer information on its computer system.” The Commission stated that “[a]mong other things, [LabMD] failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had protected.” As a result of these alleged shortcomings in data security, medical and other sensitive information for approximately 9,300 individuals was disclosed without authorization.

Further, and perhaps more importantly, the Commission concluded that “the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under Section 5(n), and thus that LabMD’s disclosure of the [ ] file itself caused substantial injury.” Thus, contrary to the findings of the ALJ, the Commission essentially held that the mere exposure of sensitive personal and health information into the public domain may be enough to constitute a substantial injury for purposes of Section 5, without any proof that the information was ever misused.

As a result, the FTC ordered LabMD to establish a comprehensive information security program, obtain independent third party assessments of the implementation of the information security program for 20 years, and to notify the individuals who were affected by the unauthorized disclosure of their personal information and inform them about how they can protect themselves from identity theft or related harms.

Takeaway: While LabMD has announced its intention to appeal, the FTC’s decision reinforces its role as an enforcer of data security, even in the health care arena, where OCR has been the traditional enforcer of HIPAA and health care data breaches. Thus, in addition to OCR, health care entities must continue to monitor FTC enforcement actions to see if there are any additional or conflicting data security standards mandated by both agencies. Any companies handling PHI should, therefore, continue to ensure that their data security policies and procedures are being implemented and followed in accordance with industry standards. Inadequate security safeguards may contribute to data breaches resulting in government investigations and enforcement actions – not just by OCR, but the FTC as well.

For more information about the FTC’s opinion, contact Gregory M. Fliszar or a member of Cozen O’Connor’s Health Law team.

Gregory M. Fliszar

Greg Fliszar is a member in the firm’s Health Law Group. Greg’s practice focuses on health law litigation and regulatory and compliance matters, as well as compliance with the Medicare Secondary Payer Act and HIPAA. Greg is also a licensed doctoral level clinical psychologist and was a clinical instructor of psychiatry at the MCP-Hahnemann School of Medicine.

New Grower/Processor Regulations Released

Posted by Chris Raphaely on August 22, 2016
DOH, Pennsylvania, Regulations / No Comments

On August 18, 2016, the Secretary of Pennsylvania’s Department of Health (“DOH”), Dr. Karen Murphy, announced that the DOH has posted draft temporary regulations (“Regulations”) focusing on the 25 medical marijuana grower/processor permits that will become available under Pennsylvania’s Medical Marijuana Act (“Act”) that was passed last April.

The Regulations state the general application requirements for medical marijuana organizations, which requirements include detailed information about principals and financial backers of such organizations. Medical marijuana organizations include not just grower/processors, but also clinical registrants and dispensaries. The application requirements also contain a clear commitment to foster diversity. The Regulations establish procedures for promoting and ensuring that medical organizations foster diversity through participation of diverse groups in all aspects of the medical organization’s operations. This includes but is not limited to requiring each organization to have a diversity plan. Diverse groups are defined under the Regulations as “disadvantaged business[es], minority-owned business[es], women-owned business[es], service-disabled veteran-owned small business[es] or veteran-owned small business[es] that ha[ve] been certified by a third-party certifying organization.”

The Regulations also contain specific requirements for grower/processor permits. Application forms for permits will be posted on the DOH website in the future. Among the requirements is that a grower/processor notify DOH within six months of being issued an initial permit that it is ready, willing and able to begin production.

The Regulations prohibit executive level employees of the Commonwealth and their immediate family members from being employed by or holding an interest in medical marijuana organizations while employed by the Commonwealth and for one year thereafter.

The Regulations are not final and are open for public comment until August 26, 2016.

Although Pennsylvania joins 23 other states and the District of Columbia to legalize medical marijuana, marijuana is still classified as a Schedule I controlled substance by the U.S. Drug Enforcement Agency, and as such it remains a crime under federal law to grow, sell and/or use marijuana. Any content contained herein is not intended to provide legal advice in connection with the violation of any state or federal law. Although the Act provides for the legalization of medical marijuana in the Commonwealth of Pennsylvania, one should obtain legal advice with respect to any such compliance issues.

Stay tuned for details regarding an upcoming Cozen O’Connor webinar on these Regulations.

For more information about the Regulations or the Act, contact Chris Raphaely, J. Nicole Martin or another member of Cozen O’Connor’s Cannabis Industry Team.

Chris Raphaely

R. Christopher Raphaely joined Cozen O'Connor's Philadelphia office in 2014 as co-chair of the Health Care Practice Group. Chris joins the firm from Jefferson Health System, where he served as deputy general counsel and general counsel to the system’s accountable care organization and captive professional liability insurance companies.