FTC Makes it Official: It’s a Player in Health Privacy Enforcement Beyond HIPAA

“If you share health information, it’s not enough to simply consider HIPAA. You must also make sure your statements are not deceptive under the FTC Act.” By issuing these statements in a press release on October 21, 2016 a partnership of sorts between the HIPAA enforcement agency, the Office for Civil Rights and the Federal Trade Commission (FTC) has been formed between two well-funded federal agencies that pursue enforcement aggressively. Risk and compliance personnel should take notice and study the provisions carefully.

To put a fine point on the practical import of this partnership, OCR adopted the FTC initiative as a “guidance” in its press release also issued October 21 which states, “Does your organization collect and share consumer health information? When it comes to privacy, you’ve probably thought about the Health Insurance Portability and Accountability Act (HIPAA). But did you know that you also need to comply with the Federal Trade Commission (FTC) Act? This means if you share health information, it’s not enough to simply consider the HIPAA Privacy Rule. You also must make sure your disclosure statements are not deceptive under the FTC Act.”

The practical significance is that in the event of a breach of health information, the affected organization may be required to fight a time-consuming and expensive regulatory battle on two fronts: an investigation by OCR into violation of the HIPAA regulations, and a parallel investigation by the FTC into the accuracy and veracity of the organizations public statements about how it shares medical information. The FTC is not new to this area, having proceeded against LabMD earlier this year with regard to a file-sharing application that resulted in the disclosure of health information of thousands of patients in an August decision that overruled and FTC trial judge an allowed an action against the company to proceed.

Risk management personnel should, in light of the official entry of the FTC into the health privacy enforcement space, review its public-facing disclosures about how it shares health information, to avoid the potential for a double-barreled enforcement proceeding that could result in penalties levied by both agencies.

If you have questions regarding FTC standards for statements regarding uses and disclosures of health information, or with regard to a pending FTC complaint or proceeding, please contact Kenneth N. Rashbaum.