This month, the Federal Trade Commission (“FTC”) and the U.S. Department of Health and Human Services (“HHS”) published updated guidance outlining privacy and security laws and rules that affect businesses’ collection, use, and sharing of consumer health data. The publication, titled “Collecting, Using, or Sharing Consumer Health Information? Look to HIPAA, the FTC Act, and the Health Breach Notification Rule,” focuses on businesses’ obligations under the Health Insurance Portability and Accountability Act (“HIPAA”), the FTC Act, and the FTC Health Breach Notification Rule. This publication follows (i) a series of FTC cases involving consumer health data and alleging violations of the FTC Act and the FTC’s Health Breach Notification Rule; and (ii) a July 25, 2023 announcement by the FTC that health information privacy is “top of mind for the FTC.”
The FTC Act
Broadly, “[t]he FTC Act prohibits companies from engaging in deceptive or unfair acts or practices in or affecting commerce,” meaning “companies must not mislead consumers about … what’s happening with their health information.” Importantly, the FTC Act applies to companies that collect, use, or share health information—not just covered entities and business associates under HIPAA. To ensure compliance with the FTC Act, the updated guidance suggests that companies review all representations they are making to consumers about their use, collection, retention, or sharing of consumer health data. If a company’s representations create a “deceptive or misleading impression” about its practices with respect to health data, the company could be violating the FTC Act. For example, if a company warrants that it will delete a person’s health information upon request but fails to do so, the company is violating the FTC Act.
In complying with the FTC Act, the updated guidance also suggests that companies review their data policies, procedures, and practices to ensure (i) companies know how data is flowing; (ii) companies are implementing sufficient safeguards to protect health information; (iii) companies’ representations to consumers are clear and conspicuous; and (iv) companies’ safeguards are working effectively and are consistent with company practices and representations. To ensure this consistency, companies should review their entire user interfaces from the consumer’s point of view—paying special attention where “key facts” may be buried in a terms of use section or other places where consumers may not look.
FTC Health Breach Notification Rule
The FTC’s Health Breach Notification Rule applies to vendors of personal health records (“PHR”), PHR-related entities, and third-party service providers, and subjects affected companies to certain notification requirements. Specifically, companies that experience a breach of consumers’ identifying health information must notify affected consumers, the FTC, and, in certain circumstances, the media. The Health Breach Notification Rule defines a “breach of security” as acquisition of “unsecured PHR identifiable health information of an individual in a personal health record” without the individual’s authorization. If such a breach occurs, companies are required to report it to the FTC in a timely manner, which is generally no later than sixty (60) calendar days after discovery of the breach.
Significance
The updated guidance serves as a crucial reminder that HIPAA is not the only federal regulation that can apply to consumer health data, and businesses that are not subject to HIPAA but still collect, use, or share health information may need to ensure they are complying with the FTC Act and FTC Health Breach Notification Rule. If you have any questions about this legal update or how these rules could apply to your business, please contact a member of MMM’s healthcare team.