HealthBlawg

David Harlow's Health Care Law Blog


Sharing Consumer Health Information: Look Before You Leap

October 24, 2016

The Federal Trade Commission has issued new guidance to businesses that collect and share consumer health information. This latest guidance comes about six months after the jointly-released interactive tool from FTC, HHS and FDA on the overlapping regulatory regimes that govern health data for mobile health app developers. (In brief: Are you regulated? Yes.) Additional mobile app guidance includes FTC’s best practices guidance for mobile app developers and the OCR developer portal (where HIPAA questions can get answered). The FTC guide to crafting effective disclosures for digital advertising (aka the .com disclosures report) is not limited to health or mobile but is also worth consulting. (All four of these resources are referenced in the latest guidance, so they should be consulted by any business subject to the guidance.)

I generally advise clients whose apps or services may not be subject to HIPAA but may be subject to FTC rules that they should build as if they are subject to HIPAA in order to create a compliance program that may be presented as a good story to curious regulators should the occasion arise (e.g., in the course of a complaint investigation or random audit). Since many businesses find themselves pivoting over time, a business that begins as a direct-to-consumer service may one day find itself developing a service marketed through health care providers or payors, or simply changing the marketing strategy from B2C to B2B2C, in which case the business may be a business associate under HIPAA. While I would not change that advice in light of the newly-issued guidance, it is important to review the guidance’s key points of advice to the regulated community. This is especially important because the FTC does not have detailed regulations; it brings actions against businesses that it believes have engaged in an “unfair business practice” — a broad category which includes the failure to protect the privacy of health data. A recent case in which the FTC found a company’s health data privacy protections wanting (despite an FTC ALJ’s findings to the contrary) is the LabMD case (see linked post and comment; the LabMD story isn’t over yet, but each chapter is instructive).

So what does the FTC have to say to consumer-facing online services that may collect and share personal health information? Plenty. And it is important to note that these exhortations apply whether or not HIPAA applies. To be clear: the FTC has broader jurisdiction than OCR does under HIPAA and so its interest in protecting consumers extends even to those businesses subject to HIPAA.

Here are the helpful hints on complying with the FTC Act found in the latest guidance:

  • Review your entire user interface. Don’t bury key facts in links to a privacy policy, terms of use, or the HIPAA authorization. For example, if you’re claiming that a consumer is providing health information only to her doctor, don’t require her to click on a “patient authorization” link to learn that it is also going to be viewable by the public. And don’t promise to keep information confidential in large, boldface type, but then ask the consumer in a much less prominent manner to sign an authorization that says you will share it. Evaluate the size, color and graphics of all of your disclosure statements to ensure they are clear and conspicuous.
  • Take into account the various devices consumers may use to view your disclosure claims. If you are sharing consumer health information in unexpected ways, design your interface so that “scrolling” is not necessary to find that out. For example, you can’t promise not to share information prominently on a webpage, only to require consumers to scroll down through several lines of a HIPAA authorization to get the full scoop.
  • Tell consumers the full story before asking them to make a material decision – for example, before they decide to send or post information that may be shared publicly. Review your user interface for contradictions and get rid of them.
  • The same requirements apply to paper disclosure statements. Don’t give consumers a stack of papers where the top page says that their health information is going to their doctor, but another page requests permission to share that health information with a pharmaceutical firm.

The regulated community should keep in mind that the FTC has a significant array of sanctions at its disposal. While top-tier fines for HIPAA violations may be higher than fines assessed by the FTC, the FTC can impose long-term compliance agreements that involve the agency in a business’s operations for years. It is also important to recognize that the guidance provided by the FTC is just that — guidance. It should be viewed as binding on the regulated community, but it is not binding on the agency, which is free to bring enforcement actions based on actions or omissions that would not be considered to be unfair business practices under this particular guidance. As always, businesses must tread carefully in the highly-regulated field of health data.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Filed Under: Compliance, FTC, Health care policy, Health Law, Healthcare Innovation, HIPAA, mHealth, Mobile health, OCR, Privacy, Security
