Is your website, EMR system or telehealth system “HIPAA compliant?” Or is it simply complying with HIPAA? These two questions may seem repetitive, redundant or even duplicative, but they are, in fact, asking very different things, and the U.S. Federal Trade Commission (FTC) might have something to say about how these questions are answered.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law containing a number of provisions related to medical insurance and health care. The main way most people encounter this law today is through its broad-ranging rules on patient privacy, generally known as the “Privacy Rule” and “Security Rule.” In short, a patient’s protected health information (PHI) must be safely stored and handled by certain health care providers and institutions (known as “covered entities”) and certain vendors of theirs (known as “business associates”). PHI is only to be shared, stored or used in the ways permitted by the Privacy Rule and Security Rule. The details of the rules and who qualifies as a covered entity are much too complex to cover here but are available through the U.S. Department of Health and Human Services (HHS) website. However, since HIPAA is broad-reaching and ubiquitous, it has become a sort of shorthand to use terms such as “HIPAA compliant” or “HIPAA secure” to indicate general compliance with it and other state and federal patient privacy laws.
HHS Enforcement and FTC Oversight
The catch is that enforcement of HIPAA rests with HHS (through its Office for Civil Rights), and HHS does not certify anyone as compliant. “HHS has been very clear that there is no officially recognized third-party compliance certification,” says partner Jay Reyero. “Only HHS is in a position to definitively determine if one is compliant with the HIPAA requirements. Therefore, businesses should be careful not only in relying on the fact they have been deemed ‘HIPAA Compliant’ but also in making such claims.”
The FTC is charged with protecting the public from false or misleading claims in advertising. In the FTC’s view, stating that practices or products are “HIPAA compliant” when no government review or certification exists can mislead consumers into believing the product carries an official seal of approval when it does not.
This is analogous to a car maker touting a vehicle’s “5-Star Safety Rating” when the vehicle hasn’t actually been tested by the National Highway Traffic Safety Administration (NHTSA), which issues those ratings. The vehicle may be very safe and may have been built to comply with every applicable safety standard, but until it has been run through NHTSA’s tests and rated, it isn’t “5-Star.” The FTC is essentially warning of the same thing here. A website, EMR system, etc., may be designed perfectly to comply with all patient privacy rules, including HIPAA, but it isn’t technically “HIPAA compliant” unless HHS says so.
This seemingly technical difference matters because the FTC has taken action against entities for this very issue. A recent FTC article covers several of these enforcement actions, including a complaint from early 2023 in which the FTC accused GoodRx of, among other things, misrepresenting its HIPAA compliance by displaying an official-looking seal at the bottom of its webpage. Additional details are available on the FTC website. Nor is the issue new: in a 2016 settlement with Henry Schein Practice Solutions, the FTC alleged that the company had, in part, “deceptively” claimed its dental practice software complied with HIPAA. It also doesn’t matter whether the business makes the claim itself or repeats a third-party certification it has obtained. While a single claim of HIPAA compliance, on its own, is unlikely to be the sole basis for an FTC enforcement action, it does risk attracting the FTC’s attention as misleading advertising, and it could highlight or compound an FTC investigation into other patient privacy concerns.
But, if you don’t mention “HIPAA,” will consumers think their PHI isn’t safe and protected? The real trouble is that HIPAA has come to be used as industry shorthand for all patient privacy policies, laws, rules and standards. What a business is really trying to convey is that its policies and systems are designed to handle private information securely, with the intention of meeting or exceeding the standards the law requires. Providers, vendors and other businesses in the health care industry therefore need a concise way to describe these privacy measures to patients and customers that doesn’t risk implying an official or government certification or endorsement.
Contact ByrdAdatto for Help with Health Care Compliance
If you have any questions about health care compliance, please contact ByrdAdatto or email us at info@byrdadatto.com.
This article was originally published on the American Med Spa Association’s website. You can find the original article here.