The legal landscape of health information privacy and consumer protection is continuously evolving. This raises a pivotal question: Is simply being compliant with HIPAA sufficient for regulated entities that collect and share consumer health information for commercial purposes? Let’s break it down.
HIPAA, or the Health Insurance Portability and Accountability Act of 1996, is a U.S. federal law established to safeguard the privacy and security of individuals’ medical information. It establishes strict standards to protect the confidentiality of patients’ protected health information (PHI) while promoting the efficient exchange of information within the healthcare industry.
HIPAA applies to:
- “covered entities”, which include health plans, health care clearinghouses, and most healthcare providers; and
- “business associates”, which include persons or businesses that help a covered entity carry out its health care activities and functions, for example a collections agency or an IT consultant.
HIPAA’s Core Rules
- HIPAA Privacy Rule: Seeks to protect individuals’ medical records and other identifiable health information, collectively referred to as “PHI”. It requires appropriate safeguards to protect the privacy of PHI, sets limits and conditions on the disclosure of PHI, and gives individuals certain rights over their PHI and health records.
- HIPAA Security Rule: Seeks to protect individuals’ electronic PHI that is created, received, used, or maintained by a covered entity and includes standards for appropriate administrative, physical, and technical safeguards to ensure the security of this information.
- HIPAA Breach Notification Rule: Requires HIPAA-covered entities to notify affected individuals and the U.S. Department of Health and Human Services (HHS) when a breach of unsecured PHI occurs. This includes the unauthorized acquisition, access, use, or disclosure of PHI. If a business associate experiences a breach, it must notify the relevant covered entity.
- HIPAA Enforcement Rule: Outlines provisions relating to compliance, investigations, penalties, and procedures for hearings.
Delving into the FTC Act
The FTC Act, formally known as the Federal Trade Commission Act, is a U.S. federal law that empowers the Federal Trade Commission (FTC) to enforce regulations and policies aimed at preventing anticompetitive practices, protecting consumers from unfair and deceptive trade practices, and promoting fair competition in the marketplace. Among other things, it grants the FTC authority to:
- prevent unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce;
- seek monetary redress and other relief for conduct injurious to consumers;
- issue rules specifying acts or practices that are unfair or deceptive and establishing requirements designed to prevent such acts or practices;
- gather and compile information and conduct investigations relating to the organization, business, practices, and management of entities engaged in commerce; and
- make reports and legislative recommendations to Congress and the public.
HIPAA and FTC Act: Where They Intersect
Does compliance with one regulation ensure compliance with the other? Unfortunately, no. Each law has its own distinct requirements, which must be met separately.
Under HIPAA:
- Entities need written permission from consumers via a HIPAA authorization to disclose PHI for commercial purposes beyond those permitted by the Privacy Rule.
- A HIPAA authorization must be in place before an entity discloses any PHI for marketing purposes (with the exception of two circumstances), and this authorization can be rescinded by the consumer at any time.
- Authorization must be transparent and detailed, specifying the involved parties, information type, expiry, location, and the reason for sharing.
- Business associates can only disclose PHI if explicitly allowed by the HIPAA business associate contract with the covered entity.
Under the FTC Act:
- It’s vital to ensure that no consumer communications, including HIPAA authorizations, are deceptive or misleading. A misleading HIPAA authorization, even one that is technically HIPAA-compliant, can lead to a violation of the FTC Act.
- Disclosures about the intended use of PHI must be clear, conspicuous, and consistent with the entity’s practices.
Practical Considerations for Compliance
The HHS identifies areas on which a business can focus to help ensure compliance with the FTC Act, with several recurring themes:
- Don’t bury key facts. Hiding disclosures or contradictory statements behind a link or in supplementary documents can be considered misleading or deceptive. If an entity claims that PHI will only be shared with one’s doctor, the entity should not require the consumer to click on a “patient authorization” link to learn that it is also going to be shared in other ways.
- Don’t use deceptive design practices. This includes using smaller fonts, low-contrast colors, or strategic placement of information to make disclosure statements less noticeable or accessible to the consumer.
- Don’t use deceptive language. Ambiguous language and hidden euphemisms meant to cloak how an entity really uses consumers’ health information are considered unfair and deceptive.
Review your entire user interface to ensure disclosure statements are clear and conspicuous. This includes evaluating the size, color, graphics, and placement of such statements.
Consider all of the devices a consumer might use to access your disclosure statements. Is key information clear and conspicuous across devices? If an entity is sharing PHI in unexpected ways, the consumer should not have to engage in excessive scrolling or hunt for disclosures buried in the “fine print” to be made aware of this.
Before consumers are asked to make a decision, they should have a complete understanding of how their PHI will be used and shared. A good rule of thumb is to say what you do, do what you say, and be mindful of what you don’t say. Failure to disclose all material information to consumers about how you use and disclose their PHI may result in enforcement action.
Paper disclosures should be just as transparent and direct as digital ones. Key facts and contradictory statements should not be buried within the document.
While the FTC does not have jurisdiction to enforce HIPAA requirements, it has made a point of cracking down on HIPAA-related claims (Henry Schein 2016). Companies that provide certifications and seals (SkyMed 2020) should be aware that they may also be held liable for deceptive representation. If a company provides a health-related seal or certification to others that falsely implies that the recipient is covered by HIPAA, is complying with HIPAA, has been reviewed by a government agency, or has received government approval, both the certifier and the user of that false certification could be subject to FTC enforcement action.
The FTC is also paying close attention to the use and disclosure of PHI for any purposes that are not necessary to provide the consumer with the contracted services, including targeted advertising. Recent enforcement actions against GoodRx (2023), BetterHelp (2023), and Easy Healthcare (2023) are all examples of PHI being unlawfully disclosed to common third-party platforms such as Google, Facebook, and AppsFlyer.
Navigating the nuances of HIPAA and the FTC Act might seem daunting, but think of it as a simple equation:
Sharing and Disclosing PHI for Commercial Purposes = HIPAA Compliance + FTC Act Compliance
Both are integral, and together they form the backbone of responsible health information management and consumer protection.