In October 2016, the OCR issued a bulletin clarifying that businesses collecting and sharing consumer health information must comply with the FTC Act. The OCR specifically called out disclosure statements, declaring “You must also make sure your disclosure statements are not deceptive under the FTC Act.”

Businesses dealing with health information are likely already familiar with HIPAA’s requirement of a valid HIPAA authorization for the disclosure, release, or sharing of patient health information. However, the OCR explained that businesses are also prohibited from misleading consumers about how their health information is handled, which could constitute a violation of Section 5 of the FTC Act, the provision that prohibits businesses from engaging in deceptive or unfair acts or practices in or affecting commerce. It is important to note that the OCR’s warning against misleading statements applies more broadly to consumers, not only patients.

As a whole, the OCR’s bulletin instructs businesses to consider all of their consumer-facing statements to make sure that together they do not create a deceptive impression.
In connection with the HIPAA authorization, the OCR explained that even if the authorization itself meets HIPAA requirements, if the information “surrounding the authorization” is deceptive or misleading, that could still violate the FTC Act. Some pointers the OCR provided to comply with the FTC Act include:

  • Do not bury key facts by making them accessible only in links to a privacy policy, terms of use, or HIPAA authorization.
  • Don’t make a consumer go to various locations to obtain a comprehensive understanding of how the consumer’s information will be used. For example, if a business claims that a consumer’s information will only go to a doctor, don’t require the consumer to click on a different link to learn that the consumer’s information will also be viewable by the public.
  • Do use graphics for disclosures that make the terms clear and conspicuous. Do not make favorable promises in prominent type but then request authorization to share PHI in hard-to-see font and size.
  • Do assess how consumers’ devices will affect how they view the business’s disclosures. Don’t require users to scroll to find out whether their information will be shared in an unexpected way.
  • Do give consumers “the full story” before asking them to make a significant decision such as deciding to send or post information that may be shared publicly.
  • Don’t have contradictory statements or promises in your user interface.

Additional helpful resources provided by the OCR include links to the FTC’s Disclosures report, the FTC’s tools for mobile health apps, the FTC’s best practices guidance for mobile health app developers, and the OCR developer portal.

While the OCR cautions businesses to comply with the FTC Act in their disclosures whenever they share consumer health information, businesses should also be vigilant in how they implement security practices surrounding consumer health information and in how they describe those practices to consumers. HIPAA has its own regulatory scheme for security, referred to as the “Security Rule”, which governs electronic protected health information (PHI) as defined by HIPAA. Ongoing litigation in the FTC’s case against LabMD (which involved consumer health information), and the prior case against Wyndham hotels (which involved customer payment data), focuses on whether lax data security practices may themselves be “unfair” practices under Section 5 of the FTC Act, subjecting a business with lax data security practices to sanctions and potentially long-standing consent decrees.