What Covered Entities Should Know About the FTC Act and Their Obligations Beyond HIPAA

Kelley Drye

The Federal Trade Commission and Department of Health and Human Services Office for Civil Rights (OCR) recently announced the release of new guidance for businesses on the Health Insurance Portability and Accountability Act (HIPAA) and the FTC Act. The resource reminds businesses that their obligations to protect consumer health data do not end with HIPAA, but extend to the FTC Act, which prohibits deceptive or misleading advertising.

The guidance provides an overview of HIPAA and the FTC Act, and highlights four actions covered entities can and should take to comply with disclosure requirements under the FTC Act.

  1. Review your entire user interface. The size, color and graphics of disclosure statements should be clear and conspicuous. Therefore, avoid burying key facts in a separate disclosure or positioning disclosures such that they are distant from the underlying claim.
  2. Review the devices consumers use to view your disclosures. Covered entities that promote their services using websites, mobile app platforms and space-constrained screens should consider and account for disclosure challenges that affect informed consent and violate the FTC Act. The FTC’s .com Disclosures report is a helpful source for additional guidance.
  3. Provide a full disclosure before consumers make material decisions. Correct disclosure contradictions and omissions, particularly those where the consumer makes a material decision before the covered entity tells them how their information may be used.
  4. Reconcile the above actions with hard copy disclosures. The clear and conspicuous disclosure requirement applies to all mediums, so review paper disclosure statements and how these are presented to consumers.

The guidance also highlights additional FTC resources for health apps, which we’ve covered in a previous post. The moral of the story here is that covered entities and their appointed privacy officials should recognize that compliance with the FTC Act is central to their obligations to safeguard consumer health data and to ensure that disclosures give consumers the opportunity to make informed choices.