There are arguments that there is a dearth of guidance by both the Office for Civil Rights (OCR) and Federal Trade Commission (FTC), so when guidance comes out, we listen. But the most recent guidance jointly issued by the OCR and the FTC is rather confusing.
The guidance titled “Sharing Consumer Health Information? Look to HIPAA and the FTC Act,” first asks whether your business collects and shares consumer health information. It goes on to state that “…if you share health information, it’s not enough to simply consider the HIPAA regulations. You also must make sure your disclosure statements are not deceptive under the FTC Act.”
Of course, if you are a covered entity, the elements of the authorization form for disclosure of protected health information (PHI) are statutorily mandated. The authorization form must contain the specific elements set forth in HIPAA. Those HIPAA requirements are only applicable to covered entities (health care providers, health plans and health care clearinghouses). The enforcement agency for HIPAA is the OCR.
But the guidance goes on to say that once a covered entity has drafted the HIPAA authorization form, “you can’t forget the FTC Act.” It further states that “[Y]our business must consider all of your statements to consumers to make sure that, taken together, they don’t create a deceptive or misleading impression.” What’s confusing is how a HIPAA authorization form, if it is statutorily compliant, can create a deceptive or misleading impression. It’s pretty hard to mislead a patient if the authorization form is HIPAA compliant.
Finally, there are resources listed in the guidance that are intended to assist mobile health app developers with disclosures of PHI. Again, this is confusing because mobile health app developers are not covered entities under HIPAA that are required to comply with the specific authorization requirements.
If this guidance is aimed at mobile health app developers or other businesses that collect and disclose health information outside the authorization requirements applicable to covered entities, then it should be addressed to those entities directly; referring to HIPAA requirements that apply only to covered entities is confusing.
Does this mean that the OCR and FTC are declaring that the HIPAA authorization requirements now apply to businesses that are not covered entities, and that are not required to comply with HIPAA when a consumer authorizes disclosure of their health information? The guidance is confusing and should be clarified, as this would have a dramatic effect on businesses that HIPAA does not require to comply with these requirements.