Guidance on HIPAA and the FTC Act

The Federal Trade Commission (FTC), in conjunction with the Department of Health and Human Services’ Office for Civil Rights (OCR), has issued guidance on HIPAA and the FTC Act explaining that it is not sufficient to consider only the HIPAA regulations when sharing health data. Organizations must also comply with the Federal Trade Commission Act (FTC Act). The guidance was issued to make organizations aware of their responsibilities under both laws; failure to comply with either can result in stiff financial penalties.

One of the primary requirements of the Health Insurance Portability and Accountability Act is to keep health data private. HIPAA-covered entities – typically healthcare providers, health plans, and healthcare clearinghouses – as well as business associates of covered entities, must protect health data at all times. Health information must not be shared with or disclosed to anyone except for the treatment of patients, payment for medical services, healthcare operations, or the other very limited purposes set out in the HIPAA legislation.

Before data is shared with a business associate, a covered entity must enter into a compliant business associate agreement (BAA). The BAA must set out the business associate’s responsibilities under the HIPAA regulations. Certain other uses and disclosures of health data are permitted under the HIPAA Rules only if the patient has first given written authorization. For example, a healthcare organization can share patient data with a third party for marketing purposes, but only if the patient authorized that use before the data was shared.

Failing to enter into a business associate agreement with a business associate, or sharing patient data without authorization, is a violation of the HIPAA Rules. If OCR discovers HIPAA violations, covered entities can face severe financial penalties.

The guidance on HIPAA and the FTC Act explains that once the HIPAA prerequisite – a BAA or a patient authorization – has been satisfied, the organization’s responsibilities do not end there. Organizations that share health data must also ensure that consumers are not misled about how their data will be used. For example, if patients are told that their data will be used for research purposes, it would not be permissible to then use those data for marketing.

The FTC Act prohibits unfair or deceptive acts or practices in or affecting commerce. In short, statements made to consumers must not create a misleading impression; if they do, the organization is in violation of the FTC Act even if its HIPAA paperwork is in order.

Organizations should be open about the uses of healthcare data, and those uses should be presented clearly to consumers. Consumers should not have to scroll through pages of text to find out how their information will be used, and an authorization should not require patients to click through links to discover all the uses they are authorizing. Misleading consumers violates the FTC Act and, as with HIPAA, can attract heavy financial penalties.

The allowable uses of healthcare data under the HIPAA Rules and the requirements of the FTC Act are summarized in the new guidance on HIPAA and the FTC Act, available on the FTC website.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news