- Businesses that collect and share consumer health information need to not only be mindful of the HIPAA Privacy Rule, but must also adhere to the FTC Act.
The Federal Trade Commission (FTC) released new guidance on key privacy and security considerations for organizations that handle consumer health data. While businesses must follow HIPAA regulations, they must also ensure that their disclosure statements are not deceptive under the FTC Act.
Only covered entities and business associates are required under the HIPAA Privacy Rule “to protect the privacy and security of health information,” while also providing “consumers with certain rights to their information.”
These organizations must also ensure that they have a valid HIPAA authorization before they use or disclose consumer health information for commercial activities other than treatment, payment, or healthcare operations, the FTC warned.
“HIPAA authorizations provide consumers a way to understand and control their health information. The authorization must be in plain language,” the guidance explains. “If people can’t understand it, then it isn’t effective. Think about who, what, when, where and why. Explain who is disclosing and receiving the information, what they are receiving, when the disclosure permission expires, where information is being shared, and why you are sharing it.”
Business associates must also be given explicit permission from their covered entity in their business associate to use or disclose health information. Consumers cannot sign a HIPAA authorization unless the covered entity allowed it in the business associate agreement.
In terms of the FTC Act, covered entities and business associates need to be clear and straightforward in their processes.
“Your business must consider all of your statements to consumers to make sure that, taken together, they don’t create a deceptive or misleading impression,” the FTC states in the guidance. “Even if you believe your authorization meets all the elements required by the HIPAA Privacy Rule, if the information surrounding the authorization is deceptive or misleading, that’s a violation of the FTC Act.”
“Tell consumers the full story before asking them to make a material decision – for example, before they decide to send or post information that may be shared publicly,” the FTC suggests. “Review your user interface for contradictions and get rid of them.”
These considerations should be taken whether in electronic form or in physical papers that consumers need to read through and sign.
“Don’t give consumers a stack of papers where the top page says that their health information is going to their doctor, but another page requests permission to share that health information with a pharmaceutical firm.”
Earlier this year, the FTC settled a case involving alleged misleading information about how a dental practice software company handled patient data encryption.
In that case, the FTC claimed that Henry Schein Practice Solutions, Inc. (Schein) used deceptive marketing claims on its Dentrix G5 software. Schein allegedly stated “that the software provided industry-standard encryption of sensitive patient information,” and assured dental practices that using the software would keep them HIPAA compliant.
“In its complaint, the FTC alleges that Schein was aware that Dentrix G5 used a less complex method of data masking to protect patient data than Advanced Encryption Standard (AES), which is recommended as an industry standard by the National Institute of Standards and Technology (NIST) and provides the appropriate protection to meet certain regulatory obligations under HIPAA,” the FTC stated.
Schein was required to pay a $250,000 fine as part of its settlement.