OCR Releases Guidance on Collecting and Sharing Health Information

Organizations that collect and share consumer health information must comply with the Federal Trade Commission Act (FTC Act), the Office for Civil Rights (OCR) said in an email released October 21. OCR’s email directed organizations engaged in sharing and collecting health information to the FTC’s updated guidance.

The FTC Act prohibits organizations from engaging in deceptive or unfair practices, the updated guidance says. Organizations that collect and share health information must ensure that disclosure statements are not deceptive and, in combination with other statements, do not mislead consumers about how their health information is handled and what the organization does with it. The organization will be in violation of the FTC Act if disclosure and authorization forms are misleading or deceptive, even if they comply with HIPAA

The FTC’s guidance offers examples of transparent disclosure and authorization forms. For example, if the authorization states the information will only be shared with the consumer’s physician and requires the consumer to click on another link to learn that the information will be viewable by the public, that may be a violation of the FTC Act.

Organizations that use or develop mobile health apps can find additional guidance at the FTC’s mobile health app tool and best practices guidance, as well as OCR’s health app developer portal.