There are arguments that there is a dearth of guidance by both the Office for Civil Rights (OCR) and Federal Trade Commission (FTC), so when guidance comes out, we listen. But the most recent guidance jointly issued by the OCR and the FTC is rather confusing.

The guidance titled “Sharing Consumer Health Information? Look to HIPAA and the FTC Act,” first asks whether your business collects and shares consumer health information. It goes on to state that “…if you share health information, it’s not enough to simply consider the HIPAA regulations. You also must make sure your disclosure statements are not deceptive under the FTC Act.”

Of course, if you are a covered entity, the elements of the authorization form for disclosure of protected health information (PHI) are statutorily mandated. The authorization form must contain the specific elements set forth in HIPAA. Those HIPAA requirements are only applicable to covered entities (health care providers, health plans and health care clearinghouses). The enforcement agency for HIPAA is the OCR.

But the guidance goes on to say that once a covered entity has drafted the HIPAA authorization form, “you can’t forget the FTC Act.” It further states that “[Y]our business must consider all of your statements to consumers to make sure that, taken together, they don’t create a deceptive or misleading impression.” What’s confusing is how a HIPAA authorization form, if it is statutorily compliant, can create a deceptive or misleading impression. It’s pretty hard to mislead a patient if the authorization form is HIPAA compliant.

The guidance goes on to ask “What can you do to comply with the FTC Act?” It then states, “Don’t bury facts in links to a privacy policy, terms of use, or the HIPAA authorization. For example, if you’re claiming that a consumer is providing health information only to her doctor, don’t require her to click on a ‘patient authorization’ link to learn that it is also going to be viewable by the public.” What covered entity would dare to even attempt to get authorization from a patient to disclose PHI to the public? It is hard to imagine such a scenario.

The guidance then says “evaluate the size, color and graphics of all of your disclosure statements to ensure they are clear and conspicuous.” It appears that they are talking about the website privacy policy and terms of use. This is confusing as well, because HIPAA requires covered entities to post their Notice of Privacy Practices on their website, but the website Privacy Policy and Terms of Use apply only to the information obtained through the website. What the website Privacy Policy and Terms of Use have to do with the HIPAA authorization form for the disclosure of PHI is unclear and confusing.

Finally, there are resources listed in the guidance that are intended to assist mobile health app developers with disclosures of PHI. Again, this is confusing because mobile health app developers are not covered entities under HIPAA and so are not required to comply with the specific authorization requirements.

If this guidance was intended for mobile health app developers or other businesses that collect and disclose health information outside of the authorization requirements applicable to covered entities, then it should be addressed to those entities directly; referring to HIPAA requirements that apply only to covered entities is confusing.

Does this mean that the OCR and FTC are declaring that the HIPAA authorization requirements now apply to businesses that are not covered entities, and that are therefore not required to comply with HIPAA, when a consumer authorizes the disclosure of their health information? The guidance is confusing and should be clarified, as this will have a dramatic effect on businesses that are not required by HIPAA to comply with these requirements.