HIPAA Rules Are Also Covered by FTC Act

HIPAA, the Health Insurance Portability and Accountability Act, provides regulation for the use of a person’s health information.

The HIPAA Privacy Rule, sets the definition of how a covered entity is to use personally identifiable health related information of an individual. In short, it prevents healthcare providers from supplying personally identifiable health information of an individual to other parties without the individuals consent.

The Federal Trade Commission ruled that in most cases, businesses that are subject to HIPAA regulations, are also subject the FTC Act.

The FTC Act prohibits businesses from acting in unfair or deceptive practices or acts in or affecting commerce. Included in the prohibited acts is giving consumers false or misleading claims related to the security and privacy of the personal health history and information, which includes the information provided via mobile health apps.

Some of the recommendations that the FTC has made for businesses to help ensure compliance are:

  • Review the user interface to make sure the information does not contain contradictions.
  • Develop and design the user interface to be compatible with multiple devices and platforms.
  • Make certain that users are not required to scroll in order to see disclosure claims.
  • Do not require the user to click on links in order to find out about key facts to the privacy policy, TOU(Terms of Use), or HIPAA authorization.
  • The FTC Act applies to both paper and electronic documents, so ensure that the electronic disclosure statements match that of the paper disclosure statements.

Linn Freedman of the firm Robinson+Cole questions what this exactly means though. “Does this mean that the OCR and FTC are declaring that the HIPAA authorization requirements are now applicable to businesses who are not covered entities, who are not required to comply with HIPAA if there is authorization by a consumer to disclose their health information,” she asks. ” The guidance is confusing and should be clarified, as this will have a dramatic effect on businesses who are not required by HIPAA to comply with these requirements.”

What's your opinion?