Comply with HIPAA, but don’t forget about the FTC Act

Covered entities (CEs) and business associates (BA) must comply with the Health Information Portability and Accountability Act (HIPAA) (P.L. 104-191) when dealing with consumer health information, but the HHS Office for Civil Rights (OCR) is reminding them to stay out of trouble with the Federal Trade Commission (FTC). In recent guidance, the OCR noted that organizations that share such information must ensure that disclosure statements are not deceptive under the FTC Act (15 U.S.C. §§ 41-58).

The FTC Act prohibits companies from engaging in deceptive or unfair acts involving commerce, including misleading advertising.  Companies that don’t comply may face stiff monetary penalties, injunctions, or restraining orders. The OCR noted that providing misleading information surrounding authorizations to share health information is violative of the FTC Act, whether it is done electronically or on paper.  The agency offered specific examples.

Regardless of whether disclosures are provided in an electronic or paper medium, organizations should present information clearly, placing the important information first and making sure that consumers don’t need to read too far to uncover the specific authorizations that are being requested.  Consumers who read that they are agreeing to permit their doctor to view health information shouldn’t have to read through several more papers, click on a link, or scroll down a page to discover that they are also agreeing to submit information to pharmaceutical companies or to make it publicly available.  Furthermore, they shouldn’t be distracted with bold-faced information stating that their information will be kept confidential and then asked, in less prominent type, to sign an authorization to share that same information. Organizations should review the information they provide to consumers and eliminate all contradictions and should ensure that consumers have access to all pertinent information before asking them to authorize the sharing of health information.

In 2013, the FTC published guidance for making effective disclosures in digital advertising, noting that they must be clear and conspicuous. The FTC encourages advertisers to take into consideration proximity and placement, prominence, distracting factors in ads, repetition, types of media used in messages and campaigns, and clarity of language in determining whether disclosures are truly clear and conspicuous.