The Federal Trade Commission (FTC) and U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) issued new guidance last month for organizations that handle consumer health information (Joint Guidance). This is one of several joint-agency guidance documents issued this year in a collaborative effort by HHS and FTC, including best practices for mobile health app developers and a mobile health apps interactive tool.
Looking Beyond HIPAA
Traditionally, Covered Entities and their Business Associates have focused primarily on complying with the Health Insurance Portability and Accountability Act of 1996 and its implementing privacy and security regulations (HIPAA) when using and disclosing Protected Health Information (PHI). HIPAA permits uses and disclosures of PHI without written authorization for purposes of treatment, payment or health care operations and certain other purposes. If a use or disclosure does not fit within one of those permissible exceptions, HIPAA requires Covered Entities and Business Associates to obtain written authorization from individuals in order to use or disclose their PHI for that purpose. To be valid, an authorization needs to specify a number of elements and required statements, and “must be written in plain language.” 45 CFR § 164.508(b)-(c). Up until now, if a Covered Entity or Business Associate obtained an authorization valid under HIPAA, it would often not undertake any further analysis.
However, the FTC takes this one step further, stating “You need to do more than just meet the requirements for a HIPAA-compliant authorization. Your business must consider all your statements to consumers to make sure that, taken together, they don’t create a deceptive or misleading impression. Even if you believe your authorization meets all the elements required by the HIPAA Privacy Rule, if the information surrounding the authorization is deceptive or misleading, that’s a violation of the FTC Act.” This is a new concept for many businesses that are dually-regulated by the OCR and FTC, and the guidance serves as a reminder to consider both HIPAA and the FTC Act and guidance when drafting consumer-facing privacy documents.
Complying with HIPAA and the FTC Act
The following summarizes how the joint guidance advises dually-regulated companies to examine their authorizations to ensure compliance with both HIPAA and the FTC Act. Note that it is also important to consider applicable state privacy laws, especially those governing sensitive information, which may impact a state’s authorization requirements.
First, HIPAA | Now, Address FTC
---|---
Written in plain language | Clear and conspicuous. The Joint Guidance says dually regulated entities must also: “Review your entire user interface. Don’t bury key facts in links to a privacy policy, terms of use, or the HIPAA authorization. For example, if you’re claiming that a consumer is providing health information only to her doctor, don’t require her to click on a “patient authorization” link to learn that it is also going to be viewable by the public. And don’t promise to keep information confidential in large, boldface type, but then ask the consumer in a much less prominent manner to sign an authorization that says you will share it. Evaluate the size, color and graphics of all of your disclosure statements to ensure they are clear and conspicuous.”
Core Elements (45 CFR § 164.508(c)(1)) | The Joint Guidance says dually regulated entities must also: “Take into account the various devices consumers may use to view your disclosure claims. If you are sharing consumer health information in unexpected ways, design your interface so that “scrolling” is not necessary to find that out. For example, you can’t promise not to share information prominently on a webpage, only to require consumers to scroll down through several lines of a HIPAA authorization to get the full scoop.”
Required Statements (45 CFR § 164.508(c)(2)) | The Joint Guidance says dually regulated entities must also: “Tell consumers the full story before asking them to make a material decision – for example, before they decide to send or post information that may be shared publicly. Review your user interface for contradictions and get rid of them.”
OCR FAQ states that an authorization can be used together with other written instructions, as follows: “A transmittal or cover letter can be used to narrow or provide specifics about a request for protected health information as described in an Authorization, but it cannot expand the scope of the Authorization. For example, if an individual has authorized the disclosure of "all medical records" to an insurance company, the insurance company could by cover letter narrow the request to the medical records for the last 12 months. The cover letter could also specify a particular employee or address for the "class of persons" designated in the Authorization to receive the information. By contrast, an insurance company could not by cover letter extend the expiration date of an Authorization, or expand the scope of information set forth in the Authorization.” | The Joint Guidance says dually regulated entities must also consider the following: “The same requirements [noted above] apply to paper disclosure statements. Don’t give consumers a stack of papers where the top page says that their health information is going to their doctor, but another page requests permission to share that health information with a pharmaceutical firm.”
For additional guidance on creating effective disclosures, see the FTC’s online Disclosures report.
Increased OCR and FTC Scrutiny
In recent years, both OCR and FTC have pushed the limits of their enforcement authority, both in the number of enforcement actions and in the scope of what they have traditionally regulated. For example, in 2016, OCR pursued its first enforcement action against a business associate (read about it here, and see the resolution agreement and corrective action plan here), and OCR also commenced its Phase 2 audits of both covered entities and business associates (read about it here). The FTC has also been exercising its enforcement authority against health care organizations for violations of Section 5 of the FTC Act, which bars unfair and deceptive acts and practices in or affecting commerce. This comes after the US Third Circuit Court of Appeals held in August of 2015 that the FTC has the authority to regulate cybersecurity, and that a company’s failure to take proper measures to protect the security of consumer data can rise to the level of an unfair trade practice under the FTC Act (read more here and here). The FTC has taken this finding and run with it, and is enforcing violations of consumers’ privacy rights through misleading or deceptive trade practices or by unfairly failing to maintain security for sensitive consumer information (see a list of recent FTC enforcement actions in this area here).
Read the full guidance here.