Shared Information Compliance: After HIPAA Comes FTC Act



Businesses that collect and share an individual’s health-care information must maintain compliance with both the Health Insurance Portability and Accountability Act and the Federal Trade Commission Act, the HHS and the FTC said.

Oct. 21 guidance published by the Department of Health and Human Services' Office of Civil Rights and the Federal Trade Commission stated that businesses must ensure that the disclosure statements they provide to consumers regarding the use of their health-care information aren't deceptive under the FTC Act.

Before a business drafts a disclosure statement, or discloses protected health-care information, it must first obtain permission from the consumer through a valid HIPAA authorization and, if it is a business associate, from the covered entity. The HIPAA privacy rule, which applies to both covered entities and business associates, requires that covered entities give business associates authorization through a business associate agreement before they use or disclose health information.

In many cases, businesses subject to HIPAA are also subject to the FTC Act. Under the FTC Act, businesses are prohibited from engaging in deceptive or unfair acts or practices in or affecting commerce. Prohibited practices include providing consumers with false or misleading claims related to the privacy and security of their health information, both generally and with mobile health apps.

The application of health privacy rules to health information on mobile devices, including apps and fitness trackers, has gained the attention of federal regulators and Congress as they become more mainstream. (See related story, Government Takes Steps on Privacy in Mobile Health Apps.)

The agencies offered tips to help businesses ensure that their disclosure statements are in compliance with the FTC Act: 

• Don't bury key facts in links to a privacy policy, terms of use or the HIPAA authorization. (E.g., don't claim health information will only be provided to a participant's doctor and then require them to click on a patient authorization to learn that the information will also be viewable by the public.)

• Design the user interface with various devices in mind, ensuring that participants do not have to scroll to view disclosure claims.

• Review the user interface for contradictions and get rid of them.

• Ensure paper and electronic disclosure statements are consistent, as the FTC Act applies to both.
