Editor's Note: The Federal Trade Commission (FTC) and Department of Health and Human Services Office for Civil Rights (OCR) have announced new guidance on the Health Insurance Portability and Accountability Act (HIPAA) and the FTC Act. Key points are summarized below. Manatt Health explored the latest social media advances in the context of HIPAA and other consumer protection and privacy statutes in a recent webinar. If you missed the program, click hereto view it free, on demand—and here to download a free copy of the presentation. You also can read part 1 of our webinar summary in our October issue of "Health Update" and part 2 in the previous article.
The new guidance from the FTC and OCR reminds businesses that their obligations to protect consumer health data do not stop with HIPAA but extend to the FTC Act, which prohibits false or misleading advertising. Organizations collecting and sharing consumer health information not only need to be sure they are complying with HIPAA, but they also must be careful that their disclosure statements are not deceptive under the FTC Act.
HIPAA: Protecting Privacy and Security
The HIPAA Privacy Rule requires both covered entities and their business associates to protect the privacy and security of health information. It is critical to remember that consumers must give written permission through a valid HIPAA authorization before their health information can be used or disclosed for commercial activities besides treatment, payment, healthcare operations or other uses and disclosures permitted by the Privacy Rule.
An authorization is a detailed document that gives covered entities permission to use protected health information (PHI) for specified purposes or to disclose PHI to a third party that the individual specifies. The authorization must contain a number of elements, including a description of the PHI, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, the expiration date, and the purpose for which the information may be used or disclosed.
The authorization must be in plain, understandable language—and it must include specific terms and descriptions. For example, to gain authorization to share consumers' health information, organizations must tell them specifically how that information will be used.
Business associates have an important extra step. They must first gain explicit permission through a HIPAA business associate contract to use or disclose health information. A business associate cannot ask a consumer to sign a HIPAA authorization unless its contract includes express permission to do so.
The FTC Act: Prohibiting Deceptive or Misleading Information
Covered entities and their business associates must go beyond meeting the requirements of a HIPAA-compliant authorization. They also must ensure that the information surrounding the authorization is not deceptive or misleading or they will violate the FTC Act. To comply with the FTC Act:
- Review the entire user interface. Evaluate the size, color and graphics of disclosure statements to be sure they are clear and conspicuous. Don't bury key facts in links or require consumers to "click" to access pertinent information, such as who will be able to access his or her PHI.
- Consider the different devices consumers may use to view disclosure claims. Consumers should not have to scroll to find information that is relevant to providing informed consent.
- Tell consumers the full story before asking them to make a material decision. Eliminate contradictions and omissions to ensure clarity and consistency.
- The same requirements apply to paper disclosures. Whatever medium is being used, information should be easy to find and to understand.
For additional guidance on creating effective disclosures, reference the FTC's .com Disclosures document.