Updated 2025: Looking for a Business Associate Agreement? Download our FREE template.

Free BAA Download
Total HIPAA Logo

The FTC Act and HIPAA Protect the Same Information

You collect Personally Identifiable Information (PII) about your patients, employees and clients, which can be linked to their medical, educational, financial, and employment data. If you are an employer offering health benefits or a healthcare provider you follow all the HIPAA laws managed by Health and Human Services. So you’re good, right? Not so fast – a recent ruling by the Federal Trade Commission (FTC) now also regulates PII.

The part of HIPAA we are referencing are rights that safeguard consumers’ Protected Health Information (PHI). HIPAA law states that you must have authorization from the individual in place BEFORE you disclose any information about a consumer for marketing purposes, and this authorization can be rescinded by the individual at any time.

This authorization must be specific, in plain language, and you are required to tell the consumer exactly how this information is going to be used. If the consumer doesn’t understand what they are signing, this is not only a violation of HIPAA, but now it is also a violation of the FTC Act.

The FTC Act

Section 5 of the FTC Act protects the consumer from deceptive or unfair practices in or related to commerce by companies.1 Businesses must make sure that statements to consumers do not create a deceptive or misleading impression about what is happening to their PII. OCR states that even if a business believes their authorization complies with HIPAA Privacy Rules, if the information surrounding the authorization is unfair or misleading, then the company is in violation of the FTC Act.2

The most important part of the FTC Act is that companies are prohibited from deceiving consumers as to how their PHI is used for marketing purposes. If a business collects and wants to use consumer health information for marketing purposes, now they must comply with both HIPAA and the FTC Act.

Following  FTC standards

HHS provides four areas on which a business can focus to comply with the FTC requirements as well as HIPAA.

  1. Review all the ways you interact with your clients. If you’re asking the right to disclose consumer information for marketing purposes, you are required to lay out important disclosure items clearly. This should not buried in the fine print. HHS and FTC are looking for businesses to evaluate the size, color and graphics of all of their disclosure statements to ensure they are clear and conspicuous.
  2. Take into account the various devices consumers may use to view disclosure claims. If consumer health information is shared in unexpected ways, the interface must be designed so that “scrolling” is not necessary. Organizations can’t promise not to share information prominently on a webpage, then require consumers to scroll down through multiple lines of an authorization form to get the full scoop.
  3. Consumers must be fully informed before being asked to make a material decision. Businesses must eliminate contradictions before consumers decide to send or post information that may be shared publicly.
  4. The same requirements apply to paper disclosure statements. Consumers may not be given a stack of papers where the first page explains their health information is going to their doctor, but later on another page requests permission to share that health information with a pharmaceutical company.1       

HHS provided additional information at the closing of the announcement with guidance on creating effective disclosures with the FTC’s Disclosures report for digital advertising. For businesses that use or are developing a health application, FTC has created a mobile health apps interactive tool. Use this to see which federal laws apply as well as to get guidance for mobile health app developers. OCR’s developer portal lists the latest questions and concerns surrounding HIPAA.1

Recent FTC Cases

LabMD

The FTC filed a complaint against LabMD, Inc., a medical testing laboratory, in August of 2013. The FTC ruled that “the company failed to reasonably protect the security of consumers’ personal data, including medical information.” On two separate occasions, the company exposed information of approximately 10,000 people. Billing information for over 9,000 consumers was found on a peer-to-peer file-sharing network and documents containing sensitive personal information of at least 500 consumers were found in the possession of identity thieves. On July 29, 2016, the FTC found LabMD guilty for violating Section 5 of the FTC Act.3

The commission will require LabMD to establish a comprehensive information security program. The company will also be required to perform periodic independent, third-party assessments regarding the implementation of its program. Lastly, LabMD must notify the consumers about the unauthorized disclosure of their personal information and how they can protect themselves from identity theft and other possible abuses.3

This order was delayed on November 10, 2016 by the the U.S. Court of Appeals for the Eleventh District, and we are waiting to see what will happen next.4

Practice Fusion

The FTC charged Practice Fusion, Inc., a cloud-based electronic health record company, for “misleading consumers by soliciting reviews for doctors in connection with an online healthcare satisfaction survey, without disclosing that the reviews would be publicly posted on the internet.” Practice Fusion sent emails out to patients asking to review their doctor and providers so future services could be improved without disclosing that sensitive information would be posted publicly in a directory.5

Practice Fusion is now prohibited from making “deceptive statements about the extent to which it uses, maintains, and protects the privacy or confidentiality of the information it collects, and also requires the company, prior to making any consumers’ information publicly available, to clearly and conspicuously disclose this fact and obtain consumer’s affirmative express consent.” Practice Fusion will also not be able to publicly display the reviews it collected from consumers during the time period covered by the complaint from the FTC.5

PaymentsMD

PaymentsMD, LLC, a health billing company, was charged by the FTC for “altering the signup process for a consumer health billing site to include permission to collect consumers’ sensitive health information for an electronic health record portal site.” According to the FTC, PaymentsMD contacted “health insurance companies, pharmacies, medical offices and labs seeking consumers’ health information, without adequately informing consumers that the company would be seeking such information.”6

The company was required to destroy any collected information related to the electronic health record portal site. In addition, the FTC banned PaymentsMD from “deceiving consumers about the way it collects and use information, including how the information it collects might be shared with or collected from a third party, and the company must obtain consumer’s affirmative express consent before collecting health information about a consumer from a third party.”6

Conclusion

If you plan to use client health information for marketing purposes, it is very important you are clear about how this information will be used and only use the information for this purpose.

It’s important to keep both HIPAA and the FTC Act in mind when it comes to sharing consumer health information.

  1. 15 U.S.C. § 45(a)(1)
  2. https://www.hhs.gov/hipaa/for-professionals/special-topics/HIPAA-ftc-act
  3. https://www.ftc.gov/news-events/press-releases/2016/07/commission-finds-labmd-liable-unfair-data-security-practices
  4. HealthcareInfoSecurity – Court Grants LabMD a ‘Stay’ of FTC Consent Order
  5. https://www.ftc.gov/news-events/press-releases/2016/06/electronic-health-records-company-settles-ftc-charges-it-deceived
  6. https://www.ftc.gov/news-events/press-releases/2015/02/ftc-approves-final-orders-paymentsmd-privacy-case

Sharing is caring!

Documents

Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.


Download Now

Want to stay informed?

Join our community, stay ahead of the curve on HIPAA compliance and receive free expert guidance.

State of HIPAA Compliance in 2025

Watch the recording of this webinar to learn more about how you can become and stay HIPAA compliant!

Document
Register for Webinar

Related Posts

Essential Guide to Email Authentication and Deliverability: How to Configure DMARC, SPF, and DKIM Records

Essential Guide to Email Authentication and Deliverability: How to Configure DMARC, SPF, and DKIM Records

Essential Guide to Email Authentication and Deliverability: How to Configure DMARC, SPF, and DKIM Records
*This process is technical and requires access to your Domain Name Server (DNS). It’s recommended to have an IT professional handle these configurations to avoid potential issues. If you proceed yourself, back up your current settings with screenshots or copies before making any changes.
Organizations rely heavily on email for marketing and communication, making it a prime target for malicious actors. Phishing, spoofing, and other email attacks can inflict significant financial and reputational damage. In response to this growing threat, email providers are tightening their security measures, and businesses that aren’t paying attention risk having their emails blocked.
A recent announcement from Microsoft, highlighted in their Tech Community blog, highlights that Outlook is implementing stricter requirements for high-volume senders to protect users from unwanted and potentially harmful messages. This move serves as a clear signal: email authentication is no longer optional – it’s required for all organizations, regardless of their sending volume.
The key to making sure your emails reach their intended recipients is all in the configuration and alignment of your Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) records. These protocols verify an organization actually sent the emails and tells receiving servers your messages are legitimate and shouldn’t be sent to spam folders or blocked.
What makes SPF, DKIM, and DMARC so crucial?
SPF (Sender Policy Framework): This record lists the authorized mail servers permitted to send emails on your behalf. When your email server receives an email, it checks it and verifies if the sending server’s IP address matches the list in your SPF record. This helps prevent attackers from spoofing your domain using unauthorized servers.
DKIM (DomainKeys Identified Mail): DKIM adds a digital signature to your outgoing emails. This signature is cryptographically linked to your domain and verified by the receiving server using a public key published in your DNS records. DKIM ensures the integrity of the email content and confirms that it hasn’t been tampered with in transit.
DMARC (Domain-based Message Authentication, Reporting & Conformance): DMARC builds upon SPF and DKIM. It tells receiving servers what to do with emails that fail SPF and/or DKIM checks. You can set policies to “none” (monitor), “quarantine” (send to spam), or “reject” (block). DMARC also enables reporting, allowing you to gain valuable insights into who sends emails using your domain and identify potential spoofing attempts.
Microsoft’s Stance: A Wake-Up Call
The stricter requirements being implemented by Outlook for high-volume senders emphasize the need for organizations to set up and review their authentication protocols. While the current focus is on high-volume senders, it is clear: email providers are looking for authenticated mail. Failing to correctly set up your DMARC, SPF, and DKIM records will lead to deliverability issues of emails.
What Your Company Needs to Do Now:
Regardless of size or email volume, every company should take the following steps to make sure its email authentication is configured correctly. Here’s a checklist:
Audit Your Existing Records: Check for existing SPF, DKIM, and DMARC configurations. Are they accurate and up-to-date?
Implement Missing Records: If you are missing any of these records, add them immediately. *Consult with your IT team or email service provider for guidance.
Check Alignment: It’s crucial to make sure there is alignment between your SPF, DKIM, and DMARC records. This means that the domain used for SPF and the signing domain in DKIM should match the “From” address domain in your emails. DMARC relies on this alignment to function effectively.
Start with a Monitoring Policy: For DMARC, it’s often best to start with a “none” policy to monitor how your emails are being handled and identify any legitimate sending sources that might not be properly authenticated.
Gradually Enforce Stronger Policies: Once you clearly understand your email flows and have addressed any authentication issues, move gradually towards stronger DMARC policies like “quarantine” or “reject” to protect your domain from spoofing actively.
Regularly Review and Update: The email landscape is constantly changing. Regularly review and update your authentication records as needed, especially when changing your emails or third-party sending services.
The Benefits of Proper Email Authentication:
Properly configuring and aligning your DMARC, SPF, and DKIM records offers significant benefits:
Improved Email Deliverability: Your legitimate emails are more likely to reach the inbox, avoiding spam folders and blocks.
Enhanced Brand Reputation: Protecting your domain from spoofing builds trust with your recipients and safeguards your brand’s reputation.
Increased Security: You significantly reduce the risk of using your domain for phishing and other malicious activities.
Compliance with Evolving Standards: By staying ahead of the curve, you ensure your email practices align with the increasingly stringent requirements of email providers.
The message is clear: email authentication is no longer optional. The recent emphasis from major providers like Microsoft underscores its critical importance in maintaining reliable and secure email communication. By taking the steps to audit and align your DMARC, SPF, and DKIM records, your organization can protect itself, customers, and reputation. Don’t wait until your emails are blocked – act now to secure your email.
Have questions or need help with your HIPAA compliance? Schedule a call with our experts today. https://www.totalhipaa.com/get-started/
To check your DMARC Records go here
https://www.totalhipaa.com/dmarc-lookup-free/
All records, a free and easy tool to use
https://easydmarc.com/

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Save Cart & Generate Link
Send Cart in an Email Done! close
Empty cart. Please add products before saving :)

Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Send Cart Email
Your cart email sent successfully :)