Privacy of individuals health information is protected under both HIPAA and the Federal Trade Commission Act, commonly known as the FTC Act.

The HIPAA Privacy Rule requires that an individual provide signed authorization to a covered entity, before the entity may use or disclose certain protected health information (PHI). 

PHI is individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, transmitted, or maintained by a covered entity or business associate, in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations. 

To disclose consumer health information for other activities – specifically, commercial activities such as marketing and advertising – the patient must first give written permission through a valid HIPAA authorization. That authorization must comply with BOTH the FTC Act AND HIPAA.

What Must be Included in a Valid HIPAA Authorization?

A valid HIPAA authorization must be written in plain language. If the authorization cannot be understood, it is not effective. The authorization should, in plain language, explain:

• Who is disclosing and receiving the PHI
• What information is being disclosed or received
• When the permission to disclose expires (expiration date)
• Where and with whom the information is being shared
• Why the information is being shared and how it will be used

How Can I Comply with the FTC Act?

The Federal Trade Commission Act, created in 1914, outlaws unfair methods of competition and outlaws unfair acts or practices that affect commerce. Misleading consumers about what is happening with their health information is a violation of the FTC Act.

To comply with the FTC Act AND HIPAA, you must confirm that all required Privacy Rule statements are made in your HIPAA authorization, and, per the FTC Act, ensure that, taken together, these statements do not give a deceptive or misleading impression.

Specific FTC Act compliance principles include:

• Reviewing your entire user interface, to ensure that key facts are not buried in links to a privacy policy, terms of use, or the HIPAA authorization.
  • For example, if you claim that a consumer is providing health information only to her doctor, do not require the patient to click on a “patient authorization” link that informs the patient that the information is going to be viewable by the public.
  • Do not promise to keep information “confidential” in large, boldface type, only to then ask the consumer in a much less prominent manner to sign an authorization that indicates you will share the information.
  • Evaluate the size, color, and graphics of all of your disclosure statements to ensure that they are both clear and conspicuous.
• Take into account the various types of devices that consumers may use to view your disclosure claims. If you are sharing consumer health information in ways a consumer may not expect, design your interface so that “scrolling” is not necessary to find that out. 
  • For example, you cannot promise not to share information prominently on a webpage, only to require consumers to scroll down through several lines of a HIPAA authorization to read “fine print” stating that certain information will, in fact, be shared. 
• Provide full disclosure of how you use and disclose health information before asking a patient to make a material decision – for example, before a patient decides to send or post information that may be shared publicly. 
• Review your user interface for any contradictory statements, and eliminate the contradictory statements.
• If you use paper (as opposed to online) disclosure statements, stick to the above requirements. Do not, for example, give consumers a stack of papers where the top page says that their health information is going to their doctor, but another page requests permission to share that health information with a pharmaceutical firm.

Remember: When you are telling consumers about how you share consumer health information, you must comply with both the FTC Act as well as HIPAA.