November 2016
Guidance issued last month represents a new concept for many businesses that are dually-regulated by the Office of Civil Rights (OCR) and Federal Trade Commission (FTC) – and serves as a reminder to consider both the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the FTC Act when drafting consumer-facing privacy documents.  

The FTC and OCR issued new guidance last month for organizations that handle consumer health information (Joint Guidance). This is one of several joint-agency guidance documents issued this year in a collaborative effort by the U.S. Department of Health and Human Services (HHS) and FTC, including best practices for mobile health app developers and a mobile health apps interactive tool.  

Looking Beyond HIPAA

Traditionally, Covered Entities and their Business Associates have focused primarily on complying with HIPAA and its implementing privacy and security regulations when using and disclosing Protected Health Information (PHI). HIPAA permits uses and disclosures of PHI without written authorization for purposes of treatment, payment or health care operations and certain other purposes. If a use or disclosure does not fit within one of those permissible exceptions, HIPAA requires Covered Entities and Business Associates to obtain written authorization from individuals in order to use or disclose their PHI for such purpose. To be valid, an authorization needs to specify a number of elements and required statements, and “must be written in plain language.”  

Up until now, if a Covered Entity or Business Associate obtained an authorization valid under HIPAA, they would often not undertake any further analysis. However, the FTC takes this one step further, stating “You need to do more than just meet the requirements for a HIPAA-compliant authorization. Your business must consider all your statements to consumers to make sure that, taken together, they don’t create a deceptive or misleading impression.  Even if you believe your authorization meets all the elements required by the HIPAA Privacy Rule, if the information surrounding the authorization is deceptive or misleading, that’s a violation of the FTC Act.”  

For more information, please click here

To learn more about our Privacy and Data Security practice, to contact 
one of our attorneys, or for more Privacy and Data Security Intelligence, click here.