
HIPAA and the FTC Act

The FTC Act and HIPAA work together to create a comprehensive framework for protecting consumer health information, promoting fair practices, and holding businesses accountable for safeguarding sensitive health data. 

The combination of the two sets of regulations ensures a more robust and holistic approach to healthcare data privacy and security.

See also: HIPAA Compliant Email: The Definitive Guide


What is the Federal Trade Commission Act?

The Federal Trade Commission Act (FTC Act) is a U.S. federal law enacted in 1914 that established the Federal Trade Commission (FTC) as an independent agency. The primary purpose of the FTC Act is to protect consumers and promote fair competition in the marketplace. 

The law prohibits unfair methods of competition and deceptive acts or practices that may harm consumers or hinder healthy competition. Under the FTC Act, the FTC has the authority to investigate and take action against businesses and individuals engaged in deceptive advertising, fraudulent practices, and other unfair business behaviors. 

The FTC Act grants the commission broad jurisdiction over various sectors of the economy, giving it the power to enforce consumer protection laws, issue rules, and collaborate with other agencies to safeguard consumers' interests and maintain a level playing field for businesses.

In the news: HHS and FTC issue stern warning on online tracking in healthcare


How does the FTC Act apply to healthcare organizations?

While the FTC Act's primary goal is to safeguard consumers and promote fair competition, it also extends to healthcare entities due to their involvement in commerce and interactions with patients and consumers.

Healthcare organizations, including covered entities and business associates governed by HIPAA, may also fall under the FTC Act when they handle consumer health information in ways that affect competition, privacy, or consumer protection.

The FTC Act may also apply when healthcare organizations engage in business-to-business transactions and interactions with other entities.


How do the FTC Act and HIPAA complement each other?

  1. Overlapping jurisdiction: Both the FTC Act and HIPAA have jurisdiction over certain aspects of consumer health information. While HIPAA applies to covered entities (health plans, healthcare providers, and healthcare clearinghouses) and their business associates, the FTC Act extends to businesses, like BetterHelp, that are not covered by HIPAA but still handle health information, such as health app developers or makers of consumer health devices.
  2. Data security: HIPAA's Security Rule requires covered entities and business associates to implement safeguards to protect health information from unauthorized access, use, and disclosure. The FTC Act complements this requirement by addressing businesses' data security practices beyond the scope of HIPAA, ensuring that even entities not directly governed by HIPAA but integrated with healthcare providers take adequate measures to safeguard sensitive health data.
  3. Deceptive practices: The FTC Act's prohibition against deceptive practices complements HIPAA's Privacy Rule requirements. While HIPAA focuses on informing individuals about the use and disclosure of their health information, the FTC Act addresses deceptive statements made by these businesses regarding the handling of health data, ensuring that consumers are not misled or harmed by false advertising or misleading claims.
  4. Breach response: HIPAA requires covered entities and business associates to notify affected individuals and the Department of Health and Human Services (HHS) in case of a breach of unsecured health information. The FTC Act complements this requirement by addressing the broader implications of breaches, such as potential harm to affected parties beyond consumers, and may require additional disclosures or notifications to protect consumers and businesses.
  5. Consumer redress: Both the FTC Act and HIPAA allow for consumer redress in case of violations. HIPAA's Enforcement Rule provides for penalties and corrective actions against covered entities and business associates found in violation. At the same time, the FTC Act may impose fines and require businesses to provide redress to affected consumers for deceptive or unfair practices related to health information.
  6. Coordinated enforcement: The FTC and HHS's Office for Civil Rights (OCR) have collaborated on enforcement efforts to ensure consistency in protecting consumer health information. In some instances, the FTC and OCR jointly investigate and take action against entities violating both the FTC Act and HIPAA regulations.
