October 31, 2016
Regulators warn of FTC Act implications for deceptive HIPAA authorizations
By JoAnna Nicholson
On October 21, 2016, the United States Department of Health and Human Services (HHS) Office
for Civil Rights (OCR) and the Federal Trade Commission (FTC) issued a joint guidance statement
to entities that collect and share consumer health information (the Guidance). The Guidance serves
as a reminder to those entities that not only must they comply with HIPAA in using and disclosing
consumers’ health information, they must also ensure that their statements about and practices
relating to consumer privacy do not violate the Federal Trade Commission Act (the FTC Act).
The agencies highlight basic principles of the HIPAA authorization requirements applicable to
entities regulated by HIPAA. Specifically, the Guidance explains that HIPAA-regulated entities
(certain providers, health plans and health care clearinghouses—all “covered entities”—and
covered entities’ business associates) must obtain a valid HIPAA authorization from the consumer
prior to using or disclosing that consumer’s health information for most purposes unrelated to
treatment, payment or health care operations. Business associates cannot approach those
consumers for their authorization unless they have been given explicit permission to do so through
the business associates’ contracts with the covered entity.
With respect to the form of the authorization, HIPAA requires that it be written in plain language
and that it contain certain elements and statements. However, the Guidance cautions that an
authorization for the use or disclosure of consumer health information by an entity that satisfies
the requirements of HIPAA may nonetheless violate the prohibition on unfair acts or practices
under the FTC Act if the statements made by the entity surrounding the authorization are
deceptive or misleading.
For example, the guidance indicates that an entity is being misleading when it states on its website
that it will only share the consumer’s health care information for limited purposes (or will not
share at all), but buries additional intended uses of the information in a privacy policy or
authorization contained in a separate link. Similarly, entities should not force consumers to scroll
through lengthy HIPAA authorizations to discover that they are agreeing to unexpected uses of
their information. The agencies recommend that entities review their disclosure statements to
ensure that they are clear and conspicuous and that they are free of contradictions.
This newsletter is intended as an information source for the clients and friends of Nixon Peabody LLP. The content should not be construed
as legal advice, and readers should not act upon information in the publication without professional counsel. This material may be considered
advertising under certain rules of professional conduct. Copyright © 2016 Nixon Peabody LLP. All rights reserved.
This Guidance appears to be an acknowledgment by OCR of the FTC’s enforcement role with
respect to the privacy and security of consumer health care information, given that the FTC has
increasingly over the past year asserted its jurisdiction over the privacy and cybersecurity practices
for both health care and non-health care companies. In a landmark case in 2015, the Third Circuit
held that the FTC had the authority to bring claims against Wyndham Hotels alleging that
Wyndham had violated the FTC Act by failing to adequately safeguard its computer network and
through its deceptive privacy policy. Similarly, in July 2016, the FTC reversed an
administrative law judge’s decision in an enforcement action against clinical laboratory LabMD,
stating that LabMD’s security practices were “unreasonable,” and that LabMD failed to institute
basic security measures, including implementing intrusion detection systems, monitoring traffic
across its firewalls and providing data security training to its employees. According to the
commissioners, LabMD’s failures resulted in the installation of file-sharing software by an
employee that publicly exposed nearly ten thousand customers’ sensitive personal information
for nearly a year, leading to the unauthorized disclosure of the information. As a result, the FTC
found that LabMD’s data security practices constitute an unfair act or practice in violation of the
FTC Act.
Businesses that collect and share consumer health information, but that are not covered entities or
business associates regulated by HIPAA, should be aware of the FTC’s authority to regulate their
privacy and security practices, and should consult the numerous guidance publications and tools
issued by the FTC and other regulators. Earlier this year, HHS, FTC and FDA jointly issued an
interactive tool to help the mobile health app industry navigate those agencies’ intersecting
regulatory requirements. The FTC has also released guidance on creating effective disclosures, as
well as guidance on best practices for mobile health app developers. Similarly, OCR created a
mobile health app developer portal. All of these tools are referenced in this recent Guidance and
should be consulted by any entity that collects and shares consumer health information.
The Guidance can be found at https://www.ftc.gov/tips-advice/business-center/guidance/sharing-consumer-health-information-look-hipaa-ftc-act.
For more information on the content of this alert, please contact your Nixon Peabody attorney or:
— JoAnna Nicholson, 516-832-7611, [email protected]
— Laurie T. Cohen, 518-427-2708, [email protected]
— Carolyn Jacoby Gabbay, 617-345-6112, [email protected]
— Jill H. Gordon, 213-629-6175, [email protected]
— Valerie Breslin Montague, 312-977-4485, [email protected]
— Stephen D. Zubiago, 401-454-1017, [email protected]