Many doctors, dentists, chiropractors and other covered entities assume that the Health Insurance Portability and Accountability Act (HIPAA) alone governs the sharing of patient health data. Enacted by Congress in 1996, HIPAA consists of the Privacy Rule, Security Rule and Breach Notification Rule. While this wide-reaching federal law does in fact cover the sharing of Protected Health Information (PHI), the FTC Act may also apply to it.
The Office for Civil Rights (OCR) has published new guidance to educate covered entities on the FTC requirements affecting shared patient health data. The main takeaway from this guidance is that covered entities should ensure patient data and information disclosure statements are transparent and not deceptive in any manner under the FTC Act.
The OCR says that in order for a covered entity to use patient information beyond the manner outlined in the Privacy Rule, it must obtain the patient's written permission through a standard HIPAA authorization form. Furthermore, this form must explain what information is being disclosed, to whom the information is being disclosed, when the disclosure expires, where the information is being stored, and why the information is being disclosed or otherwise shared. Failure to include all of these elements could result in an invalid authorization form.
But the main point the OCR is trying to make with its new guidance is that covered entities should emphasize transparency when creating and using patient authorization forms. If the form contains technical jargon that the patient cannot understand, it could be deemed invalid. In addition, such authorization forms must not mislead the patient; otherwise, using them is a violation of the FTC Act.
“Your business must consider all of your statements to consumers to make sure that, taken together, they don’t create a deceptive or misleading impression,” wrote the FTC in its newly released guidance on shared patient health data. “Even if you believe your authorization meets all the elements required by the HIPAA Privacy Rule, if the information surrounding the authorization is deceptive or misleading, that’s a violation of the FTC Act.”
Patient authorization forms are an important component of healthcare. Any time a covered entity shares patient information outside the boundaries of the Privacy Rule, it must create and use one of these forms. In addition to meeting the HIPAA requirements, covered entities must abide by the FTC Act, as noted in the OCR's guidance, to ensure full compliance.