Don’t Stop At HIPAA: Why For-Profit Covered Entities and Business Associates that Collect and Share Consumer Health Data Must Consider Both HIPAA and the FTC Act

By Lisa Acevedo, Lindsay R. Dailey, Erin Fleming Dunlap, and Daniel L. Farris

The Federal Trade Commission (FTC) and U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) issued new guidance last month for organizations that handle consumer health information (Joint Guidance). This is one of several joint-agency guidance documents issued this year in a collaborative effort by HHS and FTC, including best practices for mobile health app developers and a mobile health apps interactive tool.

Looking Beyond HIPAA

Traditionally, Covered Entities and their Business Associates have focused primarily on complying with the Health Insurance Portability and Accountability Act of 1996 and its implementing privacy and security regulations (HIPAA) when using and disclosing Protected Health Information (PHI). HIPAA permits uses and disclosures of PHI without written authorization for purposes of treatment, payment or health care operations and certain other purposes. If a use or disclosure does not fit within one of those permissible exceptions, HIPAA requires Covered Entities and Business Associates to obtain written authorization from individuals in order to use or disclose their PHI for that purpose. To be valid, an authorization needs to specify a number of elements and required statements, and “must be written in plain language.” 45 CFR § 164.508(b)-(c). Up until now, if a Covered Entity or Business Associate obtained an authorization valid under HIPAA, it would often not undertake any further analysis.

However, the FTC takes this one step further, stating: “You need to do more than just meet the requirements for a HIPAA-compliant authorization. Your business must consider all your statements to consumers to make sure that, taken together, they don’t create a deceptive or misleading impression. Even if you believe your authorization meets all the elements required by the HIPAA Privacy Rule, if the information surrounding the authorization is deceptive or misleading, that’s a violation of the FTC Act.” This is a new concept for many businesses that are dually regulated by OCR and the FTC, and the guidance serves as a reminder to consider both HIPAA and the FTC Act and guidance when drafting consumer-facing privacy documents.

Complying with HIPAA and the FTC Act

The following summarizes how the Joint Guidance advises dually regulated companies to examine their authorizations to ensure compliance with both HIPAA and the FTC Act. Note that it is also important to consider applicable state privacy laws, especially those governing sensitive information, which may impose additional authorization requirements.

The Joint Guidance pairs each HIPAA authorization requirement (“First, HIPAA”) with the corresponding FTC Act consideration (“Now, Address FTC”). The four pairings are set out below.

Plain Language vs. Clear and Conspicuous

First, HIPAA: The authorization must be written in plain language.

Now, Address FTC: The disclosure must be clear and conspicuous. The Joint Guidance says dually regulated entities must also:
“Review your entire user interface. Don’t bury key facts in links to a privacy policy, terms of use, or the HIPAA authorization. For example, if you’re claiming that a consumer is providing health information only to her doctor, don’t require her to click on a “patient authorization” link to learn that it is also going to be viewable by the public. And don’t promise to keep information confidential in large, boldface type, but then ask the consumer in a much less prominent manner to sign an authorization that says you will share it. Evaluate the size, color and graphics of all of your disclosure statements to ensure they are clear and conspicuous.”

Core Elements (45 CFR § 164.508(c)(1))

First, HIPAA: The authorization must contain the following core elements:
  • A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;
  • The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure;
  • The name or other specific identification of the person(s), or class of persons, to whom the Covered Entity may make the requested use or disclosure;
  • A description of each purpose of the requested use or disclosure. The statement "at the request of the individual" is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose;
  • An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement "end of research study", "none", or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository;
  • Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided.

Now, Address FTC: The Joint Guidance says dually regulated entities must also: “Take into account the various devices consumers may use to view your disclosure claims. If you are sharing consumer health information in unexpected ways, design your interface so that “scrolling” is not necessary to find that out. For example, you can’t promise not to share information prominently on a webpage, only to require consumers to scroll down through several lines of a HIPAA authorization to get the full scoop.”

Required Statements (45 CFR § 164.508(c)(2))

First, HIPAA: The authorization must contain the following required statements:
  • The individual's right to revoke the authorization in writing, and either:
    • The exceptions to the right to revoke and a description of how the individual may revoke the authorization; or
    • To the extent that the information related to revocation as described above is included in the Notice of Privacy Practices (“Notice”) required by HIPAA, reference to the Covered Entity's Notice.
  • The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization.
  • The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected by this rule.
  • If the disclosure of PHI is a sale of PHI, then “such authorization must state that the disclosure will result in remuneration to the Covered Entity.” 45 CFR § 164.508(a)(4).

Now, Address FTC: The Joint Guidance says dually regulated entities must also: “Tell consumers the full story before asking them to make a material decision – for example, before they decide to send or post information that may be shared publicly. Review your user interface for contradictions and get rid of them.”

Accompanying Documents

First, HIPAA: OCR FAQ states that an authorization can be used together with other written instructions, as follows: “A transmittal or cover letter can be used to narrow or provide specifics about a request for protected health information as described in an Authorization, but it cannot expand the scope of the Authorization. For example, if an individual has authorized the disclosure of "all medical records" to an insurance company, the insurance company could by cover letter narrow the request to the medical records for the last 12 months. The cover letter could also specify a particular employee or address for the "class of persons" designated in the Authorization to receive the information. By contrast, an insurance company could not by cover letter extend the expiration date of an Authorization, or expand the scope of information set forth in the Authorization.”

Now, Address FTC: The Joint Guidance says dually regulated entities must also consider the following: “The same requirements [noted above] apply to paper disclosure statements. Don’t give consumers a stack of papers where the top page says that their health information is going to their doctor, but another page requests permission to share that health information with a pharmaceutical firm.”

For additional guidance on creating effective disclosures, see the FTC’s online Disclosures report.

Increased OCR and FTC Scrutiny

In recent years, both OCR and the FTC have pushed the limits of their enforcement authority, both in the number of enforcement actions and in the scope of what they have traditionally regulated. For example, in 2016, OCR pursued its first enforcement action against a business associate (read about it here, and see the resolution agreement and corrective action plan here), and OCR also commenced its Phase 2 audits of both covered entities and business associates (read about it here). The FTC has also been exercising its enforcement authority against health care organizations for violations of Section 5 of the FTC Act, which bars unfair and deceptive acts and practices in or affecting commerce. This comes after the U.S. Third Circuit Court of Appeals held in August of 2015 that the FTC has the authority to regulate cybersecurity, and that a company’s failure to take proper measures to protect the security of consumer data can rise to the level of an unfair trade practice under the FTC Act (read more here and here). The FTC has taken this finding and run with it, and is enforcing violations of consumers’ privacy rights through misleading or deceptive trade practices or by unfairly failing to maintain security for sensitive consumer information (see a list of recent FTC enforcement actions in this area here).

Read the full guidance here.

For More Information

For questions regarding the content of this alert, please contact the authors, a member of Polsinelli's Health Care practice, or your Polsinelli attorney:

  • Lisa Acevedo | 312.463.6322 | lacevedo@polsinelli.com
  • Lindsay Dailey | 312.873.2984 | ldailey@polsinelli.com
  • Daniel Farris | 312.463.6323 | dfarris@polsinelli.com
  • Erin Fleming Dunlap | 314.622.6661 | edunlap@polsinelli.com