Do Your HIPAA Authorizations Violate the FTC Act?
The Department of Health and Human Services’ Office for Civil Rights (OCR) has been vigorously providing guidance for covered entities on HIPAA Rules. Now, the Federal Trade Commission (FTC) has issued a reminder to covered entities of the need to comply not only with HIPAA Rules, but also the FTC Act.
Under HIPAA, covered entities are permitted to share PHI with other covered entities or their business associates for treatment purposes, billing, and certain healthcare operations as detailed in the HIPAA Permitted Uses and Disclosures. Most other uses are prohibited unless prior authorization is obtained from the patient (or plan member) in writing. However, while authorizations may be compliant with HIPAA Rules, they might not satisfy the requirements of the FTC Act.
The FTC Act protects consumers by preventing organizations from “engaging in deceptive or unfair acts or practices in or affecting commerce.” It is possible for a HIPAA-covered entity to comply with HIPAA Rules regarding patient authorizations, yet still violate the FTC Act. There is some overlap between the two legislative acts and the recent guidance on HIPAA and the FTC Act is intended to clear up any confusion.
The FTC guidance reminds HIPAA-covered entities that in order to comply with the HIPAA Privacy Rule, patient authorizations must be written in plain language to ensure they can be easily understood. Authorizations must clearly state to whom PHI will be disclosed and for what purpose. All uses and disclosures must be explained. Individuals cannot provide consent to share PHI if they are not informed of the circumstances under which their health information will be shared, the reason why it will be shared, and what will happen to their data.
The guidance also explains that in order for a business associate of a covered entity to disclose ePHI, the business associate must have a valid, HIPAA-compliant business associate agreement in place that permits the sharing of ePHI. Business associates are not permitted to obtain an authorization from a patient or health plan member if their BAA does not permit them to share ePHI.
The FTC Act also applies to the sharing of health data, in particular to the content of HIPAA authorizations. A HIPAA-compliant authorization may detail all uses and disclosures of ePHI, yet if there are contradictions, if information is not clearly presented, or even if inappropriate fonts and color schemes are used, this may violate the FTC Act.
The guidance reminds organizations to “consider all of your statements to consumers to make sure that, taken together, they don’t create a deceptive or misleading impression.”
This means a review of the entire interface must be performed to ensure all key information is clearly presented in the same place. It should not be necessary for patients to click links to other documents in order to find out about certain uses of their PHI. Consideration must also be given to the devices used to access electronic authorizations. If smartphones are used, for example, it should not be necessary for individuals to scroll excessively to find all the information they are being asked to consent to.
All relevant information must also be provided. For example, if healthcare patients are being asked to consent to their ePHI being shared with a doctor, they must also be informed if their data may be shared publicly.
Recent settlements between OCR and HIPAA-covered entities show that non-compliance with HIPAA Rules can be expensive. The FTC also takes action against organizations that violate the privacy of consumers or the security of healthcare data. The penalties for non-compliance with the FTC Act can be severe.
HIPAA-covered organizations should therefore become familiar with the requirements of the FTC Act and keep abreast of the privacy and security actions brought against healthcare organizations by the FTC.
The FTC guidance on HIPAA and the FTC Act can be viewed on this link.