With the help of innovative businesses, consumers are taking a more active role in managing their health information. How? Maybe it’s an app that monitors their exercise habits, a device that lets diabetics track glucose levels, or a site where patients with the same condition share information. In addition, people are starting to download their information into personal health records, partially because of regulatory initiatives promoting secure online access to medical data.
Much of this activity happens outside the doctor’s office. New products and services offer big benefits: increased engagement in personal health and fitness, reduced healthcare costs, and improved outcomes, to name just a few. But there are privacy and security considerations, too. That was the subject of an FTC seminar last year – and it remains an FTC focus.
Also, some industry members are asking who regulates their business and what laws apply. If your clients have questions about that topic and about privacy and security practices they should think about, here’s a snapshot from an FTC staff perspective.
Companies collecting, using, or sharing health information may think they’re covered by HIPAA, the Health Insurance Portability and Accountability Act, enforced by HHS. But HIPAA applies only to certain “covered entities” like healthcare providers, health plans, and healthcare clearinghouses. HIPAA also covers their business associates – companies that help covered entities carry out their healthcare functions.
But if your product is marketed directly to consumers and you’re not working with a HIPAA covered entity, HIPAA doesn’t apply to you.
That doesn’t mean there’s no applicable law, of course. The FTC Act gives the agency authority to take action against a wide variety of deceptive or unfair practices by app developers, device manufacturers, and others. Recent FTC law enforcement actions involving health information make that clear:
- PaymentsMD. The FTC settled allegations that a medical billing company collected consumers’ personal medical information without their consent.
- GMR Transcription Services. That settlement involved allegations that a medical transcription company outsourced services to a third party without adequately verifying that the third party could implement reasonable security measures.
- Accretive Health. According to that settlement, a company providing medical billing and revenue management services to hospitals put consumers’ personal information at risk by (among other things) transporting laptops with sensitive data in a way that made them vulnerable to theft. The FTC also said the company gave access to personal information to employees who didn’t need it to do their jobs.
Regardless of which agency covers your business, sound privacy and security practices are a key component in building consumer confidence in this new marketplace. We discussed that in our recent Internet of Things report and the accompanying Careful Connections business brochure. Many of our suggestions apply to websites, apps, and other products that deal with consumer-generated health data.