Sorting Out HIPAA vs. FTC Act RequirementsNew Guidance for For-Profit Companies Handling PHI
Federal regulators are reminding for-profit companies that if they collect and share consumer health information, they not only need to comply with HIPAA security and privacy regulations, but also the Federal Trade Commission Act.
The new guidance from the FTC and Department of Health and Human Services' Office for Civil Rights comes in the wake of several enforcement actions that the FTC has taken against healthcare sector organizations in recent years for alleged privacy and security incidents that violate the FTC's unfair or deceptive business practices regulations, including its ongoing case against LabMD.
"This guidance is an attempt to deal with some of the confusion that exists because of overlapping enforcement authority," says privacy attorney Kirk Nahra of law firm Wiley Rein. "It is useful, but also seems directed primarily at those situations where both HIPAA and the FTC Act apply."
Some privacy and security experts say the new guidance is too narrow and recommend that it be supplemented with far more advice on the issues involved.
The new FTC/OCR guidance reminds all covered entities and business associates that under HIPAA, if they use or disclose consumer health information for commercial activities besides treatment, payment or healthcare operations, the consumer must first give written permission through a valid and clearly written HIPAA authorization.
The FTC Act takes matters further, the guidance notes. "The FTC Act prohibits [for-profit] companies from engaging in deceptive or unfair acts or practices in or affecting commerce. Among other things, this means that companies must not mislead consumers about what is happening with their health information," according to the guidance.
That means businesses must consider all of their statements to consumers to make sure that, taken together, they don't create a deceptive or misleading impression, the guidance warns. "Even if you believe your [consumer] authorization meets all the elements required by the HIPAA Privacy Rule, if the information surrounding the authorization is deceptive or misleading, that's a violation of the FTC Act."
To comply with the FTC Act, companies should:
- Take into account the various devices consumers may use to view disclosure claims. "If you are sharing consumer health information in unexpected ways, design your interface so that 'scrolling' is not necessary to find that out. For example, you can't promise not to share information prominently on a webpage, only to require consumers to scroll down through several lines of a HIPAA authorization to get the full scoop."
- Keep in mind that the same requirements apply to paper disclosure statements. "Don't give consumers a stack of papers where the top page says that their health information is going to their doctor, but another page requests permission to share that health information with a pharmaceutical firm."
Some organizations that deal with health data aren't sufficiently mindful of their multiple regulatory requirements, some experts say.
"It is easy for healthcare entities to get 'HIPAA blinders' and forget that other privacy and security laws may apply, including the FTC Act. I think this guidance is a helpful reminder," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
While Greene says the guidance is valuable in that it offers some concrete examples of ways that an organization could potentially comply with HIPAA but be noncompliant with the FTC Act, he contends additional guidance is needed for further clarification.
"We would need far longer, more in-depth guidance on how the FTC Act places additional obligations on HIPAA entities," he says. "For example, an FTC settlement made clear that the FTC expects a higher level of monitoring of vendors than is required under HIPAA, but that is not reflected in this guidance.
Privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, is also concerned that the guidance is too limited.
"For example, it would help consumers and vendors to be aware of how to meet FTC's expectations when a company receives protected health information [from] a healthcare organization without the authorization of the patient," he says. "If a company were to receive an email containing the PHI of many patients that was sent in error by a healthcare provider, what obligations does the company have to prevent further use or disclosure of a consumer's sensitive, personal information?"
FTC Enforcement Cases
The release of the guidance comes after the FTC has taken action in recent years against a variety of healthcare sector organizations for data privacy and security incidents in which the agency has alleged violations of the FTC Act's Section 5 regulations pertaining to unfair or deceptive business practices.
That includes the FTC's ongoing legal battle against now-shuttered cancer testing laboratory LabMD over an alleged security incident involving a peer-to-peer network in 2008, as well as the June settlement with electronic health records vendor Practice Fusion over alleged deceptive acts or practices involving consumer privacy.
In addition to those cases, "the FTC has brought privacy or security actions in the healthcare space with respect to CVS, Rite Aid, PaymentsMD, Accretive Health, Henry Schein Practice Solutions, and GMR Transcriptions," Greene notes.
"This guidance seems closest to [the] PaymentsMD [case], where the FTC asserted that the authorization process provided consumers with inadequate notice," he says. "But entities should look beyond this guidance and pay careful attention to the other cases, which have important compliance lessons, such as the FTC's expectations surrounding encryption technology or vendor management."
Holtzman says the guidance spotlights some important issues. "Healthcare organizations are partnering with companies offering patient interaction systems to increase patient portal adoption, measure patient satisfaction and improve their online reputation," he says. "Some of the vendors see opportunities to collect and share information about consumers without clearly communicating how their interaction could lead to disclosure of their sensitive personal information."
But LabMD CEO Michael Daugherty contends the guidance represents "a bunch of lawyers trying to backfill the weaknesses in their case [against the lab] now that the Senate has put the FTC on notice."
Daugherty is referring to Congressional scrutiny over the FTC's handling of its enforcement action against LabMD.