You collect Personally Identifiable Information (PII) about your patients, employees and clients, which can be linked to their medical, educational, financial, and employment data. If you are an employer offering health benefits or a healthcare provider, you follow all the HIPAA rules administered by the Department of Health and Human Services (HHS). So you’re good, right? Not so fast – a recent ruling by the Federal Trade Commission (FTC) means the FTC now also regulates PII.
The part of HIPAA we are referencing is the set of rights that safeguard consumers’ Protected Health Information (PHI). HIPAA states that you must have authorization from the individual in place BEFORE you disclose any information about a consumer for marketing purposes, and the individual can rescind this authorization at any time.
This authorization must be specific and written in plain language, and you are required to tell the consumer exactly how the information is going to be used. If the consumer doesn’t understand what they are signing, this is not only a violation of HIPAA, but now also a violation of the FTC Act.
The FTC Act
Section 5 of the FTC Act protects consumers from deceptive or unfair practices by companies in or related to commerce.[1] Businesses must make sure that their statements to consumers do not create a deceptive or misleading impression about what is happening to their PII. The HHS Office for Civil Rights (OCR) states that even if a business believes its authorization complies with the HIPAA Privacy Rule, if the information surrounding the authorization is unfair or misleading, then the company is in violation of the FTC Act.[2]
The most important part of the FTC Act is that companies are prohibited from deceiving consumers as to how their PHI is used for marketing purposes. If a business collects and wants to use consumer health information for marketing purposes, now they must comply with both HIPAA and the FTC Act.
Following FTC standards
HHS provides four areas on which a business can focus to comply with the FTC requirements as well as HIPAA.
- Review all the ways you interact with your clients. If you’re asking for the right to disclose consumer information for marketing purposes, you are required to lay out the important disclosure items clearly. They should not be buried in the fine print. HHS and the FTC expect businesses to evaluate the size, color and graphics of all of their disclosure statements to ensure they are clear and conspicuous.
- Take into account the various devices consumers may use to view disclosure claims. If consumer health information is shared in unexpected ways, the interface must be designed so that “scrolling” is not necessary. Organizations can’t prominently promise on a webpage not to share information, then require consumers to scroll down through multiple lines of an authorization form to get the full scoop.
- Consumers must be fully informed before being asked to make a material decision. Businesses must eliminate contradictions before consumers decide to send or post information that may be shared publicly.
- The same requirements apply to paper disclosure statements. Consumers may not be given a stack of papers where the first page explains that their health information is going to their doctor, but a later page requests permission to share that health information with a pharmaceutical company.[1]
At the close of the announcement, HHS pointed to additional resources: the FTC’s Disclosures report gives guidance on creating effective disclosures for digital advertising. For businesses that use or are developing a health application, the FTC has created a mobile health apps interactive tool; use it to see which federal laws apply and to get guidance for mobile health app developers. OCR’s developer portal lists the latest questions and concerns surrounding HIPAA.[1]
Recent FTC Cases
LabMD
The FTC filed a complaint against LabMD, Inc., a medical testing laboratory, in August 2013. The FTC ruled that “the company failed to reasonably protect the security of consumers’ personal data, including medical information.” On two separate occasions, the company exposed the information of approximately 10,000 people: billing information for over 9,000 consumers was found on a peer-to-peer file-sharing network, and documents containing sensitive personal information of at least 500 consumers were found in the possession of identity thieves. On July 29, 2016, the FTC found LabMD liable for violating Section 5 of the FTC Act.[3]
The commission will require LabMD to establish a comprehensive information security program. The company will also be required to undergo periodic independent, third-party assessments of the implementation of its program. Lastly, LabMD must notify consumers about the unauthorized disclosure of their personal information and how they can protect themselves from identity theft and other possible abuses.[3]
This order was stayed on November 10, 2016 by the U.S. Court of Appeals for the Eleventh Circuit, and we are waiting to see what will happen next.[4]
Practice Fusion
The FTC charged Practice Fusion, Inc., a cloud-based electronic health record company, with “misleading consumers by soliciting reviews for doctors in connection with an online healthcare satisfaction survey, without disclosing that the reviews would be publicly posted on the internet.” Practice Fusion emailed patients asking them to review their doctors and providers so that future services could be improved, without disclosing that this sensitive information would be posted publicly in a directory.[5]
The FTC’s order prohibits Practice Fusion from making “deceptive statements about the extent to which it uses, maintains, and protects the privacy or confidentiality of the information it collects, and also requires the company, prior to making any consumers’ information publicly available, to clearly and conspicuously disclose this fact and obtain consumer’s affirmative express consent.” Practice Fusion will also not be able to publicly display the reviews it collected from consumers during the time period covered by the FTC’s complaint.[5]
PaymentsMD
PaymentsMD, LLC, a health billing company, was charged by the FTC with “altering the signup process for a consumer health billing site to include permission to collect consumers’ sensitive health information for an electronic health record portal site.” According to the FTC, PaymentsMD contacted “health insurance companies, pharmacies, medical offices and labs seeking consumers’ health information, without adequately informing consumers that the company would be seeking such information.”[6]
The company was required to destroy any collected information related to the electronic health record portal site. In addition, the FTC banned PaymentsMD from “deceiving consumers about the way it collects and use information, including how the information it collects might be shared with or collected from a third party, and the company must obtain consumer’s affirmative express consent before collecting health information about a consumer from a third party.”[6]
Conclusion
If you plan to use client health information for marketing purposes, it is very important that you are clear about how this information will be used, and that you use the information only for that purpose.
It’s important to keep both HIPAA and the FTC Act in mind when it comes to sharing consumer health information.
References
1. 15 U.S.C. § 45(a)(1)
2. https://www.hhs.gov/hipaa/for-professionals/special-topics/HIPAA-ftc-act
3. https://www.ftc.gov/news-events/press-releases/2016/07/commission-finds-labmd-liable-unfair-data-security-practices
4. HealthcareInfoSecurity – Court Grants LabMD a ‘Stay’ of FTC Consent Order
5. https://www.ftc.gov/news-events/press-releases/2016/06/electronic-health-records-company-settles-ftc-charges-it-deceived
6. https://www.ftc.gov/news-events/press-releases/2015/02/ftc-approves-final-orders-paymentsmd-privacy-case