
Blog

OCR and FTC Provide Joint Guidance on HIPAA Authorizations and FTC Act


Author

Alessandra Swanson


November 1, 2016

The Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) recently released joint guidance related to how Section 5 of the Federal Trade Commission Act (FTC Act) applies to authorization forms required under the Health Insurance Portability and Accountability Act (HIPAA). Namely, the guidance provides insight about what entities subject to HIPAA should consider when creating authorizations for the release of protected health information (PHI) so as to ensure that the authorization and disclosures contained therein do not create a “deceptive or misleading impression,” in violation of Section 5’s prohibition on deceptive acts or practices.

In particular, the guidance highlights HIPAA’s requirements that authorizations contain plain language and clearly explain how an entity will use and share the PHI subject to the authorization. The guidance indicates the FTC Act imposes an additional layer of responsibility to refrain from misleading individuals about what will happen to their PHI, and provides suggestions about how to best ensure that authorizations meet HIPAA and FTC Act requirements. For example, the guidance recommends taking into consideration what devices an individual may use to view and sign the authorization, and designing the authorization interface to highlight any important or novel sharing practices to the individual user.

TIP: The FTC is increasingly using its Section 5 jurisdiction to establish its authority over matters involving deceptive HIPAA-related disclosures. Companies subject to HIPAA should take note of this and would be well served to review their consumer-facing authorization forms in light of the new guidance.


This entry has been created for information and planning purposes. It is not intended to be, nor should it be substituted for, legal advice, which turns on specific facts.


Copyright © 2025. Winston & Strawn LLP
