Sharing patient data subject to FTC regulations, not just HIPAA

When HIPAA-covered entities are sharing consumer health information, it isn’t just HIPAA rules that must be followed. If the health information is being used or disclosed for commercial activities beyond treatment, payment, healthcare operations and other uses and disclosures authorized under the HIPAA privacy rule, entities also need to follow Federal Trade Commission regulations.

New guidance from the HHS Office for Civil Rights walks through the FTC requirements. In short, entities should make sure their information disclosure statements are not deceptive under the FTC Act, according to OCR.

HIPAA covered entities include most healthcare providers, insurers, claims clearinghouses and business associates. For a covered entity to use or disclose information beyond what is permitted in the privacy rule, it must get written permission from the consumer through a valid HIPAA authorization written in plain English with explanations on who is disclosing and receiving the information, what information is being received, when the disclosure expires, where information is being shared and why it is being shared, the OCR guidance notes.
“The authorization must include specific terms and descriptions,” according to the guidance. “For example, if you want consumers to authorize you to share their health information, you need to tell them specifically how it will be used.”

In addition, business associates must have explicit permission from the covered entity through a business associate contract to use or disclose information. The FTC provisions are important because they cover engagement in deceptive or unfair practices—in the healthcare industry this means not misleading consumers on what their information is used for.

“Your business must consider all of your statements to consumers to make sure that, taken together, they don’t create a deceptive or misleading impression,” the guidance states. “Even if you believe your authorization meets all the elements required by the HIPAA Privacy Rule, if the information surrounding the authorization is deceptive or misleading, that’s a violation of the FTC Act.”

The FTC ends the guidance with a series of tips, including: “Don’t promise to keep information confidential in large, boldface type, but then ask the consumer in a much less prominent manner to sign an authorization that says you will share it.”

The guidance is available here.