Two decisions from last week have provided clarity – at least regarding which tribunal will first decide whether LabMD violated Section 5 – in the ongoing battle between the FTC and LabMD. In the first decision, the Eleventh Circuit refused to stay, pending appellate review, the FTC’s administrative action against LabMD. This decision came on the heels of the district court refusing to enjoin the FTC’s administrative action due to a lack of jurisdiction to do so. In the second decision, the FTC refused to grant LabMD’s Motion for Summary Decision. The net result of these decisions is twofold. First, the trial of the FTC’s administrative proceeding against LabMD is now in progress. Second, no federal court will likely address the merits of LabMD’s arguments until after the FTC’s administrative action concludes.
The New Federal Court Action
History is important, especially given the procedural history of the FTC-LabMD dispute. Before the filing of the lawsuit discussed below, LabMD had previously filed two lawsuits against the FTC – one in the United States District Court for the District of Columbia and one in the Eleventh Circuit. The Eleventh Circuit dismissed the previous action then pending before it due to jurisdictional issues, and LabMD voluntarily dismissed its action in the District Court for the District of Columbia. Neither of these courts ultimately addressed the merits of LabMD’s arguments.
Only a month after these dismissals occurred, LabMD sued the FTC in the United States District Court for the Northern District of Georgia. The Georgia Complaint, which, as discussed below, has now led to a second trip to the Eleventh Circuit, asked for declaratory and injunctive relief based on LabMD’s allegations that:
- the FTC’s administrative action against LabMD is “arbitrary and capricious under the Administrative Procedures Act (“APA”) because the FTC does not have statutory authority to regulate PHI under” Section 5 of the FTC Act;
- the administrative action is ultra vires because the FTC is exceeding its authority;
- the FTC’s “application of Section 5 to LabMD’s data security practices violates” the Due Process Clause; and
- the FTC’s filing of the administrative action violated LabMD’s First Amendment right to free speech.
Based on these allegations, LabMD moved for a preliminary injunction to prevent the FTC’s administrative action from moving forward. The FTC countered by moving to dismiss the Complaint for lack of jurisdiction.
Sidestepping the merits of LabMD’s claims, the district court concluded that it did not have jurisdiction to hear LabMD’s claims and thus granted the FTC’s Motion to Dismiss. First, the district court concluded that the FTC had not yet taken “final agency action” under the APA. Although the FTC had denied LabMD’s motion to dismiss its administrative complaint, the court concluded that the FTC’s action could not be considered final agency action. Such an order, the court concluded, is not final because it “assures the continuation” of the agency’s action. To buttress this point, the court noted that LabMD could still ultimately prevail in the administrative action, which would moot LabMD’s federal court case “and render it unnecessary for the Court to intervene in an ongoing administrative proceeding.” Second, the district court rejected LabMD’s claim that the court could review LabMD’s constitutional claims even if there had not been final agency action. The court concluded that because no final agency action had occurred, review of LabMD’s constitutional challenges was not yet ripe. Finally, the district court rejected LabMD’s argument that the Leedom exception applied to review of its ultra vires claim. The Leedom exception, in some circumstances, allows a court to enjoin an administrative proceeding where: (i) “the agency commits an ‘egregious error’ that plainly violates an unambiguous and mandatory provision of a federal statute,” and (ii) “the aggrieved party has no adequate or meaningful opportunity to vindicate its rights.” The court found the Leedom exception did not apply because the FTC’s application of Section 5 was “not contrary to an unambiguous and mandatory provision of a federal statute” and because, even if it was, LabMD could obtain “meaningful and adequate review of its jurisdiction challenge in the Court of Appeals[.]”
After the district court’s decision, LabMD filed a Motion for Stay Pending Review and Request for Expedited Briefing Schedule with the Eleventh Circuit. That motion asked the Eleventh Circuit to “(1) rule on the merits of the FTC’s legal position, (2) to enjoin the FTC proceeding until” the Eleventh Circuit ruled “on the merits of the FTC’s legal position and (3) require expedited briefing so that these legal issues are resolved promptly.” In a one-sentence decision, the Eleventh Circuit denied LabMD’s motion. The Eleventh Circuit’s decision, in conjunction with the FTC’s decision discussed below, effectively paved the way for the FTC’s administrative action to proceed.
The FTC Denies LabMD’s Motion for Summary Decision
LabMD also filed a Motion for Summary Decision in the FTC’s administrative action. The FTC denied LabMD’s Motion for Summary Decision, which is the equivalent of a summary judgment motion in federal court.
The FTC found that there were genuine issues of material fact or that, where LabMD claimed there were not genuine issues of material fact, those facts were not germane to the FTC’s complaint against LabMD. For instance, LabMD argued that it complied with data security requirements for PHI under HIPAA. The FTC concluded that this claim was immaterial and unproven. First, the FTC noted that it had not brought its action for alleged HIPAA violations; it brought its actions for alleged Section 5 violations. And the FTC, earlier in the administrative action, had already rejected LabMD’s argument that LabMD could not be held liable under Section 5 if it complied with HIPAA. Second, the FTC found that LabMD had not presented facts demonstrating that it had, in fact, complied with HIPAA’s data security requirements. The FTC also found that certain other facts raised by LabMD were either immaterial or genuinely disputed. For instance, the FTC found that there were genuine factual disputes related to the relevant data security standard.
Finally, the FTC rejected LabMD’s argument that the FTC had erroneously denied LabMD’s earlier Motion to Dismiss. The FTC, which characterized LabMD’s argument as an implicit request for reconsideration of the earlier order, noted that it had already “carefully addressed” – and rejected – LabMD’s arguments in that motion. Moreover, LabMD did not submit a Petition for Reconsideration of that order within the relevant time period. The FTC noted that LabMD could seek review of the denial of the Motion to Dismiss after the FTC issued a “final order against LabMD at the conclusion of [the] adjudicatory proceeding.”
For the health care industry participants and the organizations that support them – i.e., for HIPAA covered entities and their business associates – the FTC’s decision serves to re-emphasize an important point: Even if a covered entity or business associate has complied with the HIPAA Security Rule, the FTC can pursue a claim against such entity for allegedly inadequate data security under the FTC’s Section 5 “unfair acts/practices” authority. Thus, such entities have to be concerned not only with HHS’s requirements with respect to the protection of electronic PHI, but also with the FTC’s ability to impose data security requirements on them in an enforcement action brought under its Section 5 authority. While to date HHS and the FTC have interpreted their requirements in a consistent manner, the FTC’s reiteration of its position – that a HIPAA-regulated entity could be held liable for inadequate data security even where the entity had complied with HIPAA – suggests that the FTC could impose different and/or additional data security requirements on HIPAA regulated entities.
Written by Zach Neal, Senior Associate, Privacy & Data Security | Alston & Bird LLP