Patient privacy and medical data protection are hot-button issues in the healthcare industry.  Though the Bankruptcy Code contains provisions that address privacy protection for individuals, the Bankruptcy Code does not contain an operative provision detailing a process for the protection of healthcare data.

Lack of such a provision, however, has not precluded the federal government from independently stepping in to protect patient data.  This article discusses (i) a recent case in which the U.S. Secretary of Health and Human Services (“HHS”) intervened in a bankruptcy proceeding to enforce healthcare privacy law; (ii) a recent case in which the Federal Trade Commission (“FTC”) commenced an action to ensure patients' privacy was protected with respect to a healthcare business; and (iii) the key takeaways of the recent actions.

The Health Information Portability and Accountability Act of 1996 (“HIPAA”)

HIPAA is the main federal law covering protection of patient healthcare information.  Pursuant to HIPAA, patients may access and restrict access to healthcare data held by healthcare providers, health plans, healthcare clearinghouses, and health insurers (collectively, the “Covered Entities”) and “business associates” who have contracted with the Covered Entities.

Because there is not a private right of action under HIPAA, only the federal government may enforce the provisions of HIPAA.  Further, although HHS is specifically tasked with enforcing HIPAA, as discussed below, the FTC has also recently sought, under section 5 of the Federal Trade Commission Act (the “FTC Act”), to protect consumers with respect to health information privacy.

HHS Intervenes in the Laboratory Partners, Inc. Bankruptcy

Recently, in the bankruptcy case of In re Laboratory Partners, Inc., et al., Case No. 13-12769-PJW (Bankr. D. Del. 2013), the debtors sought to sell substantially all of the assets of the debtors' laboratory testing services businesses, including customer lists.  In light of the fact that a number of the debtors in the case are covered entities under HIPAA, on December 18, 2013, HHS objected to the proposed sale on the grounds that HIPAA requires Covered Entities to obtain customer authorization to sell protected health information.

HHS's action in the case indicates it is aggressively monitoring bankruptcy proceedings to ensure privacy of patients' protected health information.

FTC's Recent Healthcare Privacy Enforcement Action Against LabMD

The FTC Act provides the FTC with authority to take enforcement action against, among other things, unfair and deceptive practices or acts and to seek appropriate relief for “conduct injurious to consumers.”[1] The FTC seeks to protect consumers from practices in the marketplace that may lead to unlawful or unauthorized access and use of the consumers' personal information, including health information. Recently, the FTC commenced an action against LabMD, Inc., a medical testing laboratory.  In the action, the FTC alleged LabMD violated the FTC Act by failing to employ reasonable and appropriate measures to prevent unauthorized access to personal information and health information.

On November 12, 2013, LabMD sought to dismiss the action on the grounds, among others, that it was “Congress's intent to give HHS regulatory authority over patient-information data-security and to displace whatever Section 5 authority the FTC might have to regulate LabMD's data-security practices as unfair acts or practices.”[2]  On January 16, 2014, the FTC denied the motion to dismiss, noting that it has broad enforcement powers under the FTC Act, which allow it to police even HIPAA-regulated entities.

Although the FTC's LabMD enforcement action is outside of bankruptcy, the FTC in the past has aggressively intervened in bankruptcy court to enforce privacy protections.  For instance, the FTC intervened in the bankruptcy case of Toysmart.com, LLC (Toysmart).  In that case, Toysmart requested authority to sell its assets, which included customers' personally identifiable information (“PII”).  Toysmart's privacy policy provided that personal information submitted by visitors to its website would not be shared with third parties.

The FTC filed a complaint against Toysmart in federal district court asserting that the sale of the PII constituted a deceptive practice because the sale contradicted Toysmart's privacy policy.  The FTC sought a permanent injunction prohibiting Toysmart from selling the PII.

Toysmart and the FTC ultimately settled the matter.  The Toysmart case was an impetus to Congress's later addition of consumer privacy protection provisions under the Bankruptcy Code.

Key Takeaways

The key takeaways from the recent government actions are (i) the federal government is closely monitoring bankruptcy cases and, if necessary, will aggressively step in to address healthcare privacy concerns; and (ii) it is not clear whether the FTC will defer to the HHS and allow it to proceed solely in bankruptcy proceedings to address healthcare privacy protections under HIPAA, or whether the FTC will independently step in to enforce privacy under the FTC Act.  One thing is clear, however: two major federal watchdogs are ready, willing and able to protect patients' privacy in bankruptcy proceedings.

Disclaimer.  This article represents the views of the author and such views should not necessarily be imputed to Norton Rose Fulbright, Fulbright & Jaworski LLP, or their respective affiliates and clients.  This publication should not be considered legal advice and receipt of this publication does not establish an attorney-client relationship.

About the Author.  Ms. Simmons focuses her practice on the representation of debtors, creditors and other parties in complex restructuring, finance, bankruptcy and litigation matters.

[1] See 15 U.S.C. §§ 41-58; FTC, Legal Resources – Statutes Relating to Both Missions, http://www.ftc.gov/ogc/stat1.shtm (last visited March 31, 2014).