October 31, 2016
Health Care Alert
On October 21, 2016, the United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) issued a joint guidance statement to entities that collect and share consumer health information (the Guidance). The Guidance serves as a reminder to those entities that not only must they comply with HIPAA in using and disclosing consumers’ health information, they must also ensure that their statements about and practices relating to consumer privacy do not violate the Federal Trade Commission Act (the FTC Act).
The agencies highlight basic principles of the HIPAA authorization requirements applicable to entities regulated by HIPAA. Specifically, the Guidance explains that HIPAA-regulated entities (certain providers, health plans and health care clearinghouses—all “covered entities”—and covered entities’ business associates) must obtain a valid HIPAA authorization from the consumer prior to using or disclosing that consumer’s health information for most purposes unrelated to treatment, payment or health care operations. Business associates cannot approach those consumers for their authorization unless they have been given explicit permission to do so through the business associates’ contracts with the covered entity.
With respect to the form of the authorization, HIPAA requires that it be written in plain language and that it contain certain elements and statements. However, the Guidance cautions that an authorization for the use or disclosure of consumer health information by an entity that satisfies the requirements of HIPAA may nonetheless violate the prohibition on unfair acts or practices under the FTC Act if the statements made by the entity surrounding the authorization are deceptive or misleading.
Businesses that collect and share consumer health information, but that are not covered entities or business associates regulated by HIPAA, should be aware of the FTC’s authority to regulate their privacy and security practices, and should consult the numerous guidance publications and tools issued by the FTC and other regulators. Earlier this year, HHS, FTC and FDA jointly issued an interactive tool to help the mobile health app industry navigate those agencies’ intersecting regulatory requirements. The FTC has also released guidance on creating effective disclosures, as well as guidance on best practices for mobile health app developers. Similarly, OCR created a mobile health app developer portal. All of these tools are referenced in this recent Guidance and should be consulted by any entity that collects and shares consumer health information.
The Guidance can be found at https://www.ftc.gov/tips-advice/business-center/guidance/sharing-consumer-health-information-look-hipaa-ftc-act.
The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.