When it comes to health privacy, HIPAA is not the only law that matters. To avoid investigations and fines, all organizations handling personal health information need to know about Federal Trade Commission (FTC) rules. The FTC’s broad mandate is to protect consumers and competition, and it can enforce its laws against both HIPAA regulated entities and non-HIPAA regulated entities.
By contrast, the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) enforces HIPAA, but only against covered entities and business associates, as defined by HIPAA.
The FTC has stepped up enforcement over the past year, and has become much more vocal about it. For example, health apps that collect personal information but are not HIPAA covered entities or business associates are under fire – see GoodRx in the Crosshairs. The FTC has also gone after BetterHelp ($7.8M settlement), a therapy app, and Premom ($100K settlement), an ovulation tracker.
FTC and HHS Issue New Publication on Health Privacy Enforcement
In mid-September the FTC issued more guidance on its health privacy enforcement. To help businesses learn more about how HIPAA intersects with FTC law, HHS and FTC jointly published Collecting, Using, or Sharing Consumer Health Information? Look to HIPAA, the FTC Act, and the Health Breach Notification Rule.
A big reason that the FTC has stepped in is the explosive growth of web tracking technology used by all businesses on the internet, including healthcare. Consumers tend to be unaware of how their private information is used, reused, and sold to other advertisers, often without adequate security protections. Not only are regulators treating web tracking as a privacy breach, but class action lawsuits against companies using web trackers are gaining ground. See Advocate Aurora Health.
The new Collecting, Using, or Sharing Consumer Health Information publication focuses on:
- HHS’ Health Insurance Portability and Accountability Act (HIPAA);
- HHS’ HIPAA Privacy, Security, and Breach Notification Rules;
- the FTC Act; and
- the FTC’s Health Breach Notification Rule.
HIPAA Review
HIPAA applies to covered entities (CEs) and business associates (BAs). It sets limits and conditions on the uses and disclosures of protected health information (PHI) that CEs and BAs may make without an individual’s authorization, and it provides individuals with rights with respect to their health information. Under the Privacy Rule, for example, a covered entity or business associate must obtain an individual’s valid HIPAA authorization to use or disclose the individual’s PHI for marketing purposes.
The HIPAA Breach Notification Rule requires covered entities to provide notification to affected individuals, the Secretary of HHS, and, in some cases, the media, following a breach of unsecured PHI. The Breach Notification Rule also requires business associates to notify the covered entity if the business associate experiences such a breach.
FTC Protects Consumers
The FTC Act – includes HIPAA regulated entities
The FTC Act applies to the vast majority of businesses engaging in commerce in the U.S., including HIPAA regulated entities. (Exceptions to FTC oversight include banks, insurance companies, non-profits, transportation and communications common carriers, air carriers, and some other entities.)
The FTC-HHS publication explains:
The FTC Act prohibits companies from engaging in deceptive or unfair acts or practices in or affecting commerce. This means that companies must not mislead consumers about – among other things – what’s happening with their health information. It also means you must ensure your health data practices aren’t causing more harm than good. The FTC Act’s obligations apply to HIPAA-covered entities and business associates, as well as to companies that collect, use, or share health information that aren’t required to comply with HIPAA. (italics added for emphasis)
Organizations must consider everything they say or imply to consumers about the use, collection, retention, or sharing of their health data – and anything material they fail to say – to make sure they don’t create a deceptive or misleading impression.
For example, if an organization is covered by HIPAA and the information surrounding its HIPAA authorization is deceptive or misleading (such as by implying that to receive treatment, the consumer must agree to have their data used for advertising purposes), that’s a violation of the FTC Act. If an organization claims it will delete personal information upon request, but in fact fails to deliver on that promise, that’s a violation of the FTC Act.
The FTC goes further when it recommends that organizations review their entire user interface, including any claims made, from the consumer’s point of view, noting specifically:
Don’t make false or misleading claims that you are “HIPAA Compliant,” “HIPAA Secure,” “HIPAA Certified” or the like. Also, don’t bury key facts in a privacy policy, a Terms of Use section, or other places where consumers aren’t likely to read and understand them. Keep it simple for consumers so that where you ask for consent, that consent is meaningful.
The FTC Health Breach Notification Rule – only applies to non-HIPAA regulated entities
The FTC Health Breach Notification Rule applies to certain businesses that aren’t covered by HIPAA – specifically, vendors of personal health records (PHR), PHR related entities, and third-party service providers. For example, the following types of organizations may need to follow the rule:
- an organization with a mobile app, website, Internet-connected device, or similar technology that holds consumers’ electronic health information in a personal health record
- an organization that provides products or services or sends or receives data to or from that kind of product
- an organization that deals with health information while providing services to companies that offer those products
Similar to HIPAA, the FTC Health Breach Notification Rule requires companies that experience a breach of health information to notify affected consumers, the FTC, and, in some cases, the media.
HIPAA is the Gold Standard
For HIPAA regulated entities, following HIPAA is the surest way to stay clear of FTC investigations and avoid costly lawsuits.
Non-HIPAA regulated entities should borrow guidance from HIPAA. Use the highest industry standards and safeguards to maintain the privacy and security of individuals’ personally identifiable information (PII) and protected health information (PHI).
All organizations should be sure their patient and customer communications are clear, easy to understand, and not misleading.