FTC Act takes HIPAA Rules a Step Further

Every organization that collects and shares consumer (personal) health information needs a HIPAA Authorization to be able to share the information with necessary parties. From spouses to health care providers, the HIPAA Authorization lets consumers control who has access to their PHI.

The FTC Act takes this a step further, or deeper. Your HIPAA-compliant authorization must not in any way inadvertently mislead the consumer as to how the PHI is used.

How to Clean Up Your Authorization Interface

  • Be transparent; be clear. If not only the physician but also a pharma company or other party will see the information, say so up front, in big friendly letters.
  • Limit scrolling. Your authorization may look completely different on a mobile device. Say exactly how consumers' health information may be used or shared at the beginning, not buried six swipes or a lengthy scroll later.
  • Give the whole story without contradictions. Let them know if a post – or message – will be viewed by others.
  • Using paper? Keep important disclosures to the front page. Paper stacks with different statements on each page relating to health information use are confusing – and may be misleading.
  • What does your electronic – or paper – authorization say? Is it effective and compliant?

If you’re interested in the details, you can read the FTC compliance tips here.

Apgar and Associates helps you on your compliance journey, including conducting a security risk analysis and creating risk mitigation and risk management plans. Contact us for more information, or with questions and concerns about your program at 877-376-1981. Apgar and Associates is also the home of the compliance consulting subscription program for qualifying organizations. 

Source: "Sharing Consumer Health Information? Look to HIPAA and the FTC Act" from FTC.gov.