The Federal Trade Commission has issued new guidance to businesses that collect and share consumer health information. This latest guidance comes about six months after the jointly-released interactive tool from FTC, HHS and FDA on the overlapping regulatory regimes governing health data for mobile health app developers. (In brief: Are you regulated? Yes.) Additional mobile app guidance includes FTC’s best practices guidance for mobile app developers and the OCR developer portal (where HIPAA questions can get answered). The FTC guide to crafting effective disclosures for digital advertising (aka the .com disclosures report) is not limited to health or mobile but is also worth consulting. (All four of these resources are referenced in the latest guidance, so they should be consulted by any business subject to the guidance.)
I generally advise clients whose apps or services may not be subject to HIPAA but may be subject to FTC rules that they should build as if they are subject to HIPAA in order to create a compliance program that may be presented as a good story to curious regulators should the occasion arise (e.g., in the course of a complaint investigation or random audit). Since many businesses find themselves pivoting over time, a business that begins as a direct-to-consumer service may one day find itself developing a service marketed through health care providers or payors, or simply changing its marketing strategy from B2C to B2B2C, in which case the business may be a business associate under HIPAA. While I would not change that advice in light of the newly-issued guidance, it is important to review the guidance’s key points of advice to the regulated community. This is especially important because the FTC does not have detailed regulations; it brings actions against businesses that it believes have engaged in an “unfair business practice” — a broad category which includes the failure to protect the privacy of health data. A recent case in which the FTC found a company’s health data privacy protections wanting (despite an FTC ALJ’s findings to the contrary) is the LabMD case (see linked post and comment; the LabMD story isn’t over yet, but each chapter is instructive).
So what does the FTC have to say to consumer-facing online services that may collect and share personal health information? Plenty. And it is important to note that these exhortations apply whether or not HIPAA applies. To be clear: the FTC has broader jurisdiction than OCR does under HIPAA and so its interest in protecting consumers extends even to those businesses subject to HIPAA.
Here are the helpful hints on complying with the FTC Act found in the latest guidance:
- Take into account the various devices consumers may use to view your disclosure claims. If you are sharing consumer health information in unexpected ways, design your interface so that “scrolling” is not necessary to find that out. For example, you can’t prominently promise on a webpage not to share information, only to require consumers to scroll down through several lines of a HIPAA authorization to get the full scoop.
- Tell consumers the full story before asking them to make a material decision – for example, before they decide to send or post information that may be shared publicly. Review your user interface for contradictions and get rid of them.
- The same requirements apply to paper disclosure statements. Don’t give consumers a stack of papers where the top page says that their health information is going to their doctor, but another page requests permission to share that health information with a pharmaceutical firm.
The regulated community should keep in mind that the FTC has a significant array of sanctions at its disposal. While top-tier fines for HIPAA violations may be higher than fines assessed by the FTC, the FTC can impose long-term compliance agreements that involve the agency in a business’s operations for years. It is also important to recognize that the guidance provided by the FTC is just that — guidance. It should be viewed as binding on the regulated community, but it is not binding on the agency, which is free to bring enforcement actions based on actions or omissions that would not be considered to be unfair business practices under this particular guidance. As always, businesses must tread carefully in the highly-regulated field of health data.