If federal judge William S. Duffey, Jr. in the Northern District of Georgia decides his court has jurisdiction to hear LabMD’s challenge to the FTC’s authority to enforce data security for HIPAA-covered entities, the FTC may be in for a bumpy ride.
In a hearing on May 7, Judge Duffey noted how burdensome consent orders with 20 year monitoring can be, and he pointed out how if that was the FTC’s opening salvo or offer to LabMD, he could understand why LabMD would view it as unreasonable and how the proceedings had become so acrimonious. From a copy of the transcript, obtained by PHIprivacy.net:
And, Mr. Gorji, if you submitted to them a consent order — and I’m not going to consider that; I don’t think it’s important — but it does tell me something about your agency if you say we want twenty years’ worth of monitoring and even suggested that was reasonable concerning this company. No wonder you can’t get this resolved, because if that’s the opening salvo, even I would be outraged, or at least I wouldn’t be very receptive to it if that’s the opening bid.
I don’t think you believe that this is a company that willy-nilly allows information to be disclosed. I also believe that you don’t think, if you remove yourself from the nits and gnats of this dispute, that you would say it was a good idea to make this provider unavailable to patients.
There aren’t that many people doing this work as it is. I have another case involving cancer detection processes, and so I know just a little bit about the industry, and one of the regrets of the industry is that there are so few people providing these services. And I think in the current healthcare environment, there will be fewer.
It doesn’t serve any of us very well. Some day you are going to need one of those services. I hope it’s available.
You have been completely unreasonable about this. And even today you are not willing to accept any responsibility that whatever needs to be done, even if you can’t confirm it, that your position is going to be a litigating position, and you will drag four lawyers to a hearing like this.
But it was a subsequent statement he made that I think suggests not just some empathy for LabMD, but support for any claim that there was no fair notice. In response to a LabMD expert’s testimony disagreeing with an FTC’s expert’s statement, Judge Duffey said to DOJ lawyers:
All I hear him [Cliff Baker] saying is that he doesn’t like your expert’s report and he would have done something differently and he’s claimed that HIPAA is what should be, because there are specific standards there — I think that you will admit that there are no security standards from the FTC. You kind of take them as they come and decide whether somebody’s practices were or were not within what’s permissible from your eyes.
I too find how does any company in the United States operate when they are trying to focus on what HIPAA requires and to have some other agency parachute in and say, well, I know that’s what they require, but we require something different, and some company says, well, tell me exactly what we are supposed to do, and you say, well, all we can say is you are not supposed to do what you did.
And if you want to conform and protect people, you ought to give them some guidance as to what you do and do not expect, what is or is not required. You are a regulatory agency. I suspect you can do that.
But I think that’s what happens when you jump too quickly into something that you want to do, and whether that’s circumstances or whether that’s agency motivation, I don’t know. But it seems to me that it’s hard for a company that wants to — even a company who hires people from the outside and says what do we have to do, and they say you have to do this, but I can’t tell you what the FTC rules are because they have never told anybody.
Again, I think the public is served by guiding people beforehand rather than beating them after they — after-hand.
Of course, I realize that this is just a hearing, but there’s a lot more commentary by Judge Duffey that does not bode well for the FTC, including his incredulous response to an FTC lawyer whom he was questioning about the “day sheets” incident:
MR. SCHOSHINSKI: That evidence relates to the potential injury suffered by consumers as a result of exposure of this information.
THE COURT: Are you serious about that last response?
MR. SCHOSHINSKI: Yes, Your Honor, I am.
THE COURT: So you don’t know where the documents came from, you don’t know how these people got the possession of it, you don’t know whether they originated from LabMD or some other place, but you are going to use that to show that, because they committed identity theft, that certain individuals were damaged by documents, the source of which you don’t even know?
MR. SCHOSHINSKI: Yes, Your Honor.
THE COURT: Holy cow.
All in all, it did not appear to be a good day for the FTC, but however displeased Judge Duffey seemed with DOJ and their client, the FTC, he may still be persuaded by the government’s argument that he does not have jurisdiction to consider LabMD’s complaint.
Stay tuned…
Correction: In a previous version, Judge Duffey’s last name was spelled incorrectly.
Updates: Minutes after publishing this, I learned that Judge Duffey dismissed LabMD’s complaint. Also, I have now uploaded a copy of the May 7 transcript referenced in this post, here (pdf).