Two more court filings in FTC vs. LabMD are now available online: the FTC’s Opposition to LabMD’s Motion to Stay Proceedings and LabMD’s reply to FTC’s response opposing LabMD’s motion to dismiss the complaint with prejudice and to stay the proceedings. The latter is of more interest to me right now, but I am putting off a more careful reading until I’ve got more time and coffee. At first blush, though, I think LabMD’s counsel has mis-stated what FTC actually said when they argue:
FTC admits LabMD is and always has been a HIPAA-covered entity regulated exclusively by HHS under HIPAA/HITECH.1 It also admits LabMD is specifically exempted from FTC’s HITECH rule. Cf. Mot. 12 & n.9. It offers no explanation why HITECH, Pub. L. 111-5 §13424(b)(1), directs HHS and FTC to determine which agency is best equipped to enforce HITECH against non-HIPAA-covered entities (FTC agrees that HHS exclusively regulates HIPAA-covered entities like LabMD). It also ignores HIPAA’s directive to HHS—not FTC—to “adopt [data-]security standards” for “health information.” 42 U.S.C. §1320d-2(d)(1); 42 U.S.C. §1320d(4) (defining “health information”).
I’ll need to go back and check, but I’m pretty sure FTC never said that LabMD is regulated exclusively by HHS. Their whole argument is that both agencies have complementary authority when it comes to covered entities. But I’ll read it all again later and may have more to say later.