- Collecting and sharing consumer health information is fairly standard practice for covered entities and their business associates. Organizations must ensure that they remain in compliance with the HIPAA Privacy Rule throughout that entire process, and keep individuals informed on how their data is potentially being used.
However, entities must also comply with the Federal Trade Commission (FTC) Act with regard to collecting and sharing sensitive information.
“The FTC Act prohibits companies from engaging in deceptive or unfair acts or practices in or affecting commerce,” HHS explains on its website. “Among other things, this means that companies must not mislead consumers about what is happening with their health information.”
Essentially, healthcare organizations must ensure that all of their statements to consumers are HIPAA compliant and also adhere to the FTC Act.
The HIPAA Privacy Rule and FTC Act are similar, and healthcare organizations should understand how to properly follow both. HIPAA regulations are often front of mind with data privacy and security, but the FTC Act cannot be ignored.
Below, HealthITSecurity.com outlines the basics of the FTC Act and discusses what can potentially happen should an entity not adhere to it.
What is the FTC Act?
The FTC Act requires companies to be straightforward and clear in how they will use and potentially disclose personal information. With healthcare, this means the Act prohibits entities from using deceptive practices with regard to PHI.
Covered entities should take various devices patients may use to view disclosure claims into account and be straightforward with patients with how their information may be shared, FTC says on its website.
“If you are sharing consumer health information in unexpected ways, design your interface so that ‘scrolling’ is not necessary to find that out,” the agency explains. “For example, you can’t promise not to share information prominently on a webpage, only to require consumers to scroll down through several lines of a HIPAA authorization to get the full scoop.”
Organizations must also be clear and concise with paper documents, FTC states. For example, a patient should not be given a stack of papers where one page says the patient’s PHI is being sent to her doctor, while another page says the doctor can share the patient’s PHI with a pharmaceutical company.
The FTC also has data breach response requirements, which urges organizations that believe they have suffered a breach to secure physical areas, clean up their website, and provide breach notification.
“Think about your service providers,” Lisa Weintraub Schifferle, an FTC attorney in the Division of Consumer and Business Education, wrote in a 2016 blog post. “If they were involved, make sure they’ve remedied all vulnerabilities and consider whether you need to change their access privileges. Also, check your network segmentation so a breach at one server or site doesn’t lead to a breach at another.”
There is a specific FTC Health Breach Notification Rule as well, which requires healthcare organizations to notify everyone whose information was breached, notify the media (in most cases), and notify the FTC.
“The FTC’s Health Breach Notification Rule applies only to health information that is not secured through technologies specified by the Department of Health and Human Services,” the FTC states. “Also, the FTC’s Rule does not apply to businesses or organizations covered by the Health Insurance Portability & Accountability Act (HIPAA). In case of a security breach, entities covered by HIPAA must comply with HHS’ breach notification rule.”
A hospital that is a covered entity under HIPAA would likely need to only comply with the HIPAA Data Breach Notification Rule. However, if there is health information involved in a breach that occurred at a non-covered entity or business associate, then the FTC rules may be applicable.
For example, a research company could not use deceptive practices in trying to obtain health information from consumers. If health information is legally obtained through clear instructions, but then that research company suffers a data breach, it would need to adhere to FTC notification processes.
What happens when companies do not follow the FTC Act?
There are several cases where the FTC investigated complaints over alleged privacy violations.
In 2015, the FTC approved final orders resolving complaints involving billing company PaymentsMD, LLC.
The case started in 2012, where PaymentsMD operated a website where consumers could pay their medical bills. The company allegedly used a patient portal sign-up process to “deceptively seek consumers’ consent to obtain detailed medical information about the consumers.”
Collected patient information included but was not limited to the prescriptions, procedures, medical diagnoses, lab tests performed and the results of the tests.
“Under the terms of the settlements, PaymentsMD and [its former CEO] must destroy any information collected related to the Patient Health Report service,” the FTC stated in a blog post. “In addition, the respondents are banned from deceiving consumers about the way they collect and use information, including how information they collect might be shared with or collected from a third party, and they must obtain consumers’ affirmative express consent before collecting health information about a consumer from a third party.”
Another case that made headlines involved medical testing company LabMD. The FTC filed a 2013 complaint that said on two separate incidents LabMD collectively exposed the personal information of approximately 10,000 consumers.
Over 9,000 consumers’ billing information was found on a file-sharing network, the FTC said. In 2012, “sensitive personal information” of approximately 500 LabMD consumers was found with identity thieves.
LabMD failed to “reasonably protect the security of consumers’ personal data, including medical information,” the FTC claimed.
In 2017, the US Court of Appeals for the Eleventh District listened to oral arguments and will need to decide if the FTC overstepped its authority with its data security enforcement standard. LabMD filed a petition for review in 2016 after a US federal appeals court granted a stay of an FTC order.
“The Senate Report that the FTC relied on also says that ‘[e]motional impact and more subjective types of harm alone are not intended to make an injury unfair,” the court explained. “Further, LabMD points out that what the FTC here found to be harm is ‘not even ‘intangible,’’ as a true data breach of personal information to the public might be, ‘but rather is purely conceptual’ because this harm is only speculative.”
However the LabMD case is concluded, healthcare organizations should ensure that their own approach to HIPAA risk analyses is current and comprehensive. Entities will need to be clear to patients how PHI is collected and used, and then implement appropriate safeguards to keep PHI secure at all times.