Privacy and Direct to Consumer

By Matt Fisher, General Counsel, Carium
Twitter: @matt_r_fisher
Twitter: @cariumcares
Host of Healthcare de Jure #HCdeJure

What is the state of privacy in direct to consumer solutions in healthcare? It is an important question to ask because expectations and reality do not necessarily align. For example, users (patients to a degree) will see a healthcare solution and expect that standard protections will apply. Standard protections typically translate to HIPAA. By contrast, the company side could fall across a spectrum, though compliance with healthcare regulations may often just be voluntary, which would not be very clear to users.

Lay of the HIPAA Land

Laying out the basics of when HIPAA applies has been a frequent topic of conversation, but a refresher is always helpful. When thinking about direct to consumer (DTC) solutions, the companies will most often offer some form of healthcare service. In providing a service, the DTC company would most likely be a healthcare provider. That designation is important because of what types of entities HIPAA applies to. As a reminder, HIPAA applies to covered entities (health plans, healthcare providers, and healthcare clearinghouses), business associates, and subcontractors. There is a very important distinction when looking at the healthcare provider category of covered entities, though. To be a covered entity healthcare provider, it is not enough to just be a healthcare provider. It is also necessary to electronically transmit health information in connection with a transaction covered by HIPAA. Most basically, that translates to electronically submitting a claim for insurance reimbursement, along with certain other related transactions.

The additional requirement that providers engage in electronic transmission of information for a covered transaction means that not all healthcare providers actually meet the covered entity definition. The nuance is a surprising one, and one that even the DTC companies themselves may not fully appreciate.

Other Privacy Laws?

If a DTC company is not subject to HIPAA, is there any hope for privacy? Increasingly the answer is yes. On the federal level, the Federal Trade Commission Act gives the Federal Trade Commission (FTC) the ability to step in and enforce privacy requirements where HIPAA does not apply (or even in some instances where it does apply, but that is a different discussion). The FTC requires companies to live up to assertions made around privacy. That presupposes that the company is making representations around privacy, which is where the picture can become a little complicated. In some instances, DTC companies will affirmatively and voluntarily claim to comply with the obligations contained in HIPAA. If that position is advertised or otherwise put out to the public, then the FTC can hold the company to that standard even when the regulations do not necessarily apply.

The other primary area imposing privacy protections is the growing body of state privacy laws. The state laws will not apply from the start, as many of them have revenue or data volume thresholds, but compliance will likely become an issue as companies grow. The drawback of the state laws is that they do not protect everyone. As a state law, each one is really limited to protecting individuals from the state that enacted it. While that may be the exact legal position, some DTC companies may choose to just follow the requirements of the most restrictive or prescriptive law and give those rights to everyone. In that case, the FTC may again be able to step in if distinctions are drawn that are inconsistent with outward facing assertions.

Industry Driven Standards

In the absence of laws or regulations setting clear requirements, some industry groups are calling for the industry itself to craft recommendations and guidelines for protecting privacy. It may be all well and good for the industry to come out with policy statements and positions that aim to protect privacy, but the big drawback is that compliance would be wholly voluntary and without any ability to enforce (leaving aside the discussion about unfair business practices).

Relying on voluntary, self-governed protections is arguably a circumstance ripe for problems. The voluntary component means that positions can change without notice or warning. The recommendations could also shift at any time. All of that means users may not fully appreciate that their privacy rests on something less than a fixed, enforceable standard.

Where to Go?

What can be done to improve privacy? The easiest answer is to pass new legislation that begins to fill in the gaps of current privacy laws. In this instance, HIPAA has well publicized limitations because so many new developments are not squarely in the “traditional” healthcare system. In falling outside the traditional system, a lot of the new solutions (as discussed) do not need to comply with existing laws (namely HIPAA). A new law could be drafted to cover healthcare information in all circumstances, if a bill is focused solely on healthcare. It may be preferable to just get a comprehensive privacy law that connects to and incorporates HIPAA. That would mean an approach that would (at least in my opinion) hopefully supersede and replace the currently expanding state by state approach to privacy.

In the absence of clear legal or regulatory requirements, the best step to take right now is to be open and honest about what obligations apply. Even if no teeth exist behind a privacy statement, being clear to users can be a step in the right direction. The path will still be full of stumbles, hurdles, and more, but at least a better course can hopefully begin to be charted.

This article was originally published on The Pulse blog and is republished here with permission.