If you are in the consumer health space, you have (or at least we hope you have...) figured out by now that there are health-related privacy and security laws and regulations that apply to your business. The Federal Trade Commission (FTC) and the Department of Health and Human Services (HHS) are the cops on the block, and they take that role seriously. The consequences for failing to recognize compliance obligations can be severe. We've written about several important developments, for example, the FTC enforcement action against GoodRx under the Health Breach Notification Rule, and the joint "warning" from the FTC and HHS regarding the use of third-party tracking technologies.
The FTC and HHS have published a handy joint publication that gathers into one place the legal obligations that apply if you are collecting, sharing, or using consumer health information. The publication focuses on four primary sources:
- HHS' Health Insurance Portability and Accountability Act (HIPAA);
- HHS' HIPAA Privacy, Security, and Breach Notification Rules;
- the FTC Act; and
- the FTC's Health Breach Notification Rule.
It also provides links to more detailed guidance from the FTC and HHS on each area, which is helpful when your business is trying to get a handle on compliance.
Your company may not be a traditional "health care provider," but if you are in the business of collecting, using, or sharing consumer health information in any manner, this publication should be on your reading list.
What entities are covered? (The answer may surprise you.) What do you have to do to maintain the privacy and security of consumers’ health information? What steps must you take if you experience a breach?