FTC Issues Guidance for Businesses that Handle Private Medical Information

Digital technology enables businesses to store information electronically, without the need for expansive file cabinets and storage facilities, and to transmit data quickly and efficiently. It also exposes businesses to the risk of data breaches, which in turn expose consumers to risks like identity theft. The Federal Trade Commission (FTC) recently issued guidelines regarding compliance with two major federal statutes that protect consumers and their privacy: the Health Insurance Portability and Accountability Act (HIPAA) of 1996, Pub. L. 104-191, 110 Stat. 1936 (Aug. 21, 1996); and the Federal Trade Commission Act (FTC Act) of 1914, 15 U.S.C. § 41 et seq.

HIPAA is a comprehensive law dealing with various aspects of health insurance, but it is perhaps best known to the public for its provisions regarding medical information privacy. The statute directed the Department of Health and Human Services (HHS) to present “detailed recommendations on standards with respect to the privacy of individually identifiable health information” to several Congressional committees. Pub. L. 104-191 § 264, 110 Stat. 2033. HHS developed a set of standards and procedures from this, commonly known as the Privacy Rule, found at 45 C.F.R. Part 160 and Subparts A and E of Part 164.

In a very general sense, the Privacy Rule only applies to health care providers, insurers, and related businesses, described as “covered entities.” 45 C.F.R. 160.103. The Rule also applies, however, to “business associates,” defined to include any “subcontractor that creates, receives, maintains, or transmits” PHI. Id. This definition can apply to many types of businesses besides medical professionals and health care providers.

The Privacy Rule defines “individually identifiable health information” (IIHI) as information about an individual created by a medical service provider or insurer, which relates in any way to medical care or payment for medical care, and which either identifies the individual or provides a “reasonable basis to believe the information can be used to identify the individual.” Id. “Protected health information” (PHI) refers, quite broadly, to IIHI that is maintained or transmitted, either electronically or “in any other form or medium.” Id.

Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), prohibits “unfair or deceptive acts or practices” by businesses. The statute’s general definition of an unfair practice, 15 U.S.C. § 45(n), requires that the practice cause or be likely to cause substantial injury to consumers that consumers cannot reasonably avoid and that is not outweighed by countervailing benefits to consumers or competition; a related provision on acts involving foreign commerce, § 45(a)(4)(A)(i), uses the similar phrase “cause[s] or [is] likely to cause reasonably foreseeable injury.” An official FTC policy statement identifies three key elements of unlawful deception: (1) the statement or practice is “likely to mislead the consumer,” (2) a reasonable consumer is likely to believe it, and (3) the statement or practice is likely to materially affect the consumer’s decision.

These two statutes can intersect in unexpected ways for some businesses. The FTC’s new guidelines address not only how businesses safeguard their customers’ PHI but also how they can avoid unfair or deceptive practices associated with collecting and maintaining such data. For example, under HIPAA a business must obtain a consumer’s written authorization for uses of PHI beyond treatment, payment, and health care operations, and the Privacy Rule requires multiple disclosures to the consumer before they sign that authorization. A failure to disclose intended uses of PHI in a clear and unambiguous way, in the authorization or anywhere else the business describes its practices, could be construed as unfair or deceptive. The FTC recommends designing “your interface so that ‘scrolling’ is not necessary to” find out about those intended uses.

Business attorney Samuel C. Berger represents businesses, business owners, and entrepreneurs in New York and Northern New Jersey. We offer fixed-fee packages of legal services that cover a wide range of legal matters and needs. To schedule a confidential consultation, contact us today online, at (201) 587-1500, or at (212) 380-8117.

More Blog Posts:

Cybersecurity Breaches May Result in Liability for “Unfair or Deceptive Acts or Practices” Under the FTC Act, New York & New Jersey Business Lawyer Blog, September 17, 2015

Protecting Your New York or New Jersey Business from Data Breaches, and the Liability Associated with Data Breaches, New York & New Jersey Business Lawyer Blog, June 4, 2015

After Employer Accesses Employee’s Facebook Posts, New Jersey Court Allows Invasion of Privacy Claim to Proceed, New York & New Jersey Business Lawyer Blog, August 16, 2012

Photo credit: Christopher Michel [CC BY 2.0], via Wikimedia Commons.