Regulators warn of FTC Act implications for deceptive HIPAA authorizations

October 31, 2016

Health Care Alert

On October 21, 2016, the United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) issued a joint guidance statement to entities that collect and share consumer health information (the Guidance). The Guidance serves as a reminder to those entities that not only must they comply with HIPAA in using and disclosing consumers’ health information, they must also ensure that their statements about and practices relating to consumer privacy do not violate the Federal Trade Commission Act (the FTC Act).

The agencies highlight basic principles of the HIPAA authorization requirements applicable to entities regulated by HIPAA. Specifically, the Guidance explains that HIPAA-regulated entities (certain providers, health plans and health care clearinghouses—all “covered entities”—and covered entities’ business associates) must obtain a valid HIPAA authorization from the consumer prior to using or disclosing that consumer’s health information for most purposes unrelated to treatment, payment or health care operations. Business associates cannot approach those consumers for their authorization unless they have been given explicit permission to do so through the business associates’ contracts with the covered entity.

With respect to the form of the authorization, HIPAA requires that it be written in plain language and that it contain certain elements and statements. However, the Guidance cautions that an authorization for the use or disclosure of consumer health information by an entity that satisfies the requirements of HIPAA may nonetheless violate the prohibition on unfair acts or practices under the FTC Act if the statements made by the entity surrounding the authorization are deceptive or misleading.

For example, the Guidance indicates that an entity is being misleading when it states on its website that it will only share the consumer’s health care information for limited purposes (or will not share at all), but buries additional intended uses of the information in a privacy policy or authorization contained in a separate link. Similarly, entities should not force consumers to scroll through lengthy HIPAA authorizations to discover that they are agreeing to unexpected uses of their information. The agencies recommend that entities review their disclosure statements to ensure that they are clear and conspicuous and that they are free of contradictions.

This Guidance appears to be an acknowledgment by OCR of the FTC’s enforcement role with respect to the privacy and security of consumer health care information, given that the FTC has increasingly over the past year asserted its jurisdiction over the privacy and cybersecurity practices of both health care and non-health care companies. In a landmark case in 2015, the Third Circuit held that the FTC had the authority under its consumer protection authority to bring claims against Wyndham Hotels that Wyndham had violated the FTC Act by failing to adequately safeguard its computer network and for its deceptive privacy policy. Similarly, in July 2016, the FTC reversed an administrative law judge’s decision in an enforcement action against clinical laboratory LabMD, stating that LabMD’s security practices were “unreasonable,” and that LabMD failed to institute basic security measures, including implementing intrusion detection systems, monitoring traffic across its firewalls and providing data security training to its employees. According to the commissioners, LabMD’s failures resulted in the installation of file-sharing software by an employee that publicly exposed nearly ten thousand customers’ sensitive personal information for nearly a year, leading to the unauthorized disclosure of the information. As a result, the FTC found that LabMD’s data security practices constituted an unfair act or practice in violation of the FTC Act.

Businesses that collect and share consumer health information, but that are not covered entities or business associates regulated by HIPAA, should be aware of the FTC’s authority to regulate their privacy and security practices, and should consult the numerous guidance publications and tools issued by the FTC and other regulators. Earlier this year, HHS, FTC and FDA jointly issued an interactive tool to help the mobile health app industry navigate those agencies’ intersecting regulatory requirements. The FTC has also released guidance on creating effective disclosures, as well as guidance on best practices for mobile health app developers. Similarly, OCR created a mobile health app developer portal. All of these tools are referenced in this recent Guidance and should be consulted by any entity that collects and shares consumer health information.

The Guidance can be found at

The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.
