OCR Releases Guidance for HIPAA-Covered Entities to Follow FTC Regulations When Sharing Patient Data
HIPAA-covered entities that share consumer health information also need to comply with regulations under the Federal Trade Commission (FTC) Act when sharing information for commercial, non-treatment-related purposes, according to newly released guidance from the Department of Health and Human Services’ Office for Civil Rights (OCR). Circumstances where the FTC regulations should be applied include any instance where patient health information is being shared in a way that is not related to healthcare operations, treatment, or payment. According to the guidance, entities must also ensure disclosure statements regarding information sharing are not deceptive, per the FTC Act.
“The FTC Act prohibits companies from engaging in deceptive or unfair acts or practices in or affecting commerce,” according to the guidance, posted on the FTC website. “Among other things, this means that companies must not mislead consumers about what is happening with their health information.” Essentially, this means that it isn’t enough for healthcare providers that share information to meet the requirements for HIPAA compliance; they must also review all statements to consumers to ensure they don’t create any deceptive messaging.
In order to ensure compliance, the guidance recommends:
- Review your entire user interface for any instances of deceptive or misleading information.
- Take into account the various devices consumers may use to view your disclosure claims.
- Tell consumers the full story before asking for a material decision.
- Remember the same requirements apply to paper disclosure statements.
For more details, view the guidance at http://www.hhs.gov/hipaa/for-professionals/special-topics/HIPAA-ftc-act or https://www.ftc.gov/tips-advice/business-center/guidance/sharing-consumer-health-information-look-hipaa-ftc-act.