Anyone who’s had a doctor’s appointment in the past 20 years is familiar with the Health Insurance Portability and Accountability Act (known affectionately—or not—as HIPAA).  Undoubtedly, if your business collects and shares protected health information, you and HIPAA are old friends.  However, many healthcare providers don’t realize that HIPAA isn’t the only game in town.  It’s also critical to analyze all of your statements to consumers together and ensure that your disclosures are not deceptive under the Federal Trade Commission (FTC) Act.

As a refresher, the HIPAA Privacy Rule empowers patients and consumers with certain rights with respect to their health information (for example, the right to access, copy, and inspect their information and obtain an accounting of certain disclosures).  The Privacy Rule also requires certain parties, including covered entities (such as healthcare providers or insurance companies) and their business associates (an organization or individual that helps covered entities carry out their healthcare functions), to take steps to protect the privacy and security of an individual’s health information.

Before a covered entity or business associate can disclose protected health information for any commercial activity other than treatment, payment, and other uses and disclosures as set forth in the Privacy Rule, a valid HIPAA authorization, signed by the patient, is required.  In today’s global and tech-driven environment, consumers are more aware than ever of their rights under HIPAA and the importance of keeping their private information private.  But that doesn’t mean that covered entities and business associates can hide behind heightened public awareness and present patients with authorizations so confusing they may as well be in hieroglyphics.  The purpose of a HIPAA authorization is not only to authorize the release of information, but also to give consumers an understanding of and control over their protected information.  The document must indicate, plainly and clearly, who is doing the sending and receiving of information, what information is covered, how long the authorization is valid, and the reason the authorization is needed in the first place.  When it comes to HIPAA authorizations, the more specific, the better.

Once you’ve drafted a HIPAA-compliant authorization based upon these guidelines, it’s important to consider the FTC Act before you hit print.  The Act empowers the FTC to prevent unfair methods of competition and deceptive acts or practices in or affecting commerce.  People often think of the FTC Act in terms of retail advertising or signs in brick-and-mortar stores, but it applies to the protection of health information as well.  Just as retailers cannot mislead consumers about prices and products, healthcare providers and related entities must actively ensure that they are not misleading patients about where their personal information is going.

Covered entities and business associates are cautioned to go beyond the HIPAA authorization and consider all of their disclosures to consumers in context.  Does the authorization refer to the disclosure of protected health information to an insurance company, while a page of a new patient packet says the information is going to the referring physician?

Another recommended practice is to put all key information up front.  Be mindful that consumers may view your disclosures on devices including cell phones and iPads.  A patient shouldn’t have to scroll through 25 paragraphs on a small screen or navigate through five windows to find out where you’re proposing to send their health information.

Covered entities and business associates should also conduct a review of their marketing materials to be sure that certain disclosures aren’t being confusingly conveyed more prominently than others.  Font choices, colors, images, and size all matter.

When it comes to advising consumers about disclosure of their protected health information, being crystal clear should always be the game plan.