
Ensuring Health Data Exchange Complies with HIPAA, FTC Act

HIPAA isn’t the only piece of legislation impacting how healthcare organizations approach and manage health data exchange.

The Federal Trade Commission (FTC) and Office for Civil Rights (OCR) have teamed up to help educate healthcare organizations about two laws regulating health data exchange — the FTC Act and HIPAA.

Health data exchange under the FTC Act, HIPAA

While most healthcare organizations are familiar with the latter, a lack of familiarity with the former could lead covered entities into trouble.

In recent comments, National Coordinator Vindell Washington, MD, MHCM, shared insight into how a law intended to safeguard health data has led to unintended consequences for how this information is shared.

“I hear confusion about HIPAA almost everywhere I go in this job,” he said. “People insist that HIPAA makes it difficult, if not impossible, to move electronic health data when and where it is needed for patient care and health. I wish I could talk to every doc and patient in the country to tell them, ‘This just isn’t true.’ But unfortunately, this misconception is widespread.”

"These misunderstandings of HIPAA and other business practices are inhibiting us from realizing the true potential for technology in supporting patients and clinicians," Washington continued. "Providing an individual with easy access to their health information empowers them, it helps put them in control of decisions regarding their health and well-being, and it helps them actively partner with their care teams as well."

So then what effect does HIPAA have on health data exchange?

An FTC/OCR document on HIPAA and the FTC Act highlights three areas of the HIPAA Privacy Rule with implications for sharing consumer health information:

  • In order for you to use or disclose consumer health information for commercial activities besides treatment, payment, health care operations, or other uses and disclosures permitted or required by the Privacy Rule, the consumer must first give you written permission through a valid HIPAA authorization.
  • HIPAA authorizations provide consumers a way to understand and control their health information. The authorization must be in plain language. If people can’t understand it, then it isn’t effective. Think about who, what, when, where and why. Explain who is disclosing and receiving the information, what they are receiving, when the disclosure permission expires, where information is being shared, and why you are sharing it.
  • The authorization must include specific terms and descriptions. For example, if you want consumers to authorize you to share their health information, you need to tell them specifically how it will be used – for example, by a pharmaceutical company for marketing purposes, a life insurer for coverage purposes, or an employer for screening purposes.

Meanwhile, the FTC Act takes these matters of authorizations a step further.

“Your business must consider all of your statements to consumers to make sure that, taken together, they don’t create a deceptive or misleading impression,” the document states. “Even if you believe your authorization meets all the elements required by the HIPAA Privacy Rule, if the information surrounding the authorization is deceptive or misleading, that’s a violation of the FTC Act.”

General guidelines provided by the FTC and OCR cover how clearly a user interface presents details about information sharing to consumers, which devices consumers are using to access this information, how transparent an organization is in spelling out how consumer information will be used, and why inconsistencies in displaying this information across all media (e.g., digital, paper) are problematic.

Earlier this year, cloud-based EHR vendor Practice Fusion settled a lawsuit with the FTC over charges that the company misled consumers about the use of their reviews of doctors, which were publicly posted without properly informing them of plans for disclosing this information.

As part of the settlement, Practice Fusion was required to disclose plans for making consumer information publicly available and receive consumer consent prior to doing so. The data collected is also restricted from being used publicly.

The type of health data exchange described differs from the sharing of clinical health data that typifies health information exchange. However, it does have consequences for secondary and tertiary uses which are integral to research and population health initiatives.
