Is My Medical Spa HIPAA Compliant or Simply Complying with HIPAA?

Posted By Madilyn Moeller, Tuesday, August 22, 2023

HIPAA Cause of Action

By Patrick O’Brien, JD

Is your website, EMR system or telehealth system “HIPAA compliant?” Or is it simply complying with HIPAA? These two questions may seem repetitive, redundant or even duplicative, but they are, in fact, asking very different things, and the U.S. Federal Trade Commission (FTC) might have something to say about how these questions are answered.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) contained a number of provisions on medical insurance and health care. The main way most people encounter this law today is through its broad-ranging rules on patient privacy, generally known as the “Privacy Rule.” In short, the law applies to health care providers, health plans and health care clearinghouses (known as “covered entities”) and, by extension, to the vendors and other business associates that handle protected health information (PHI) on their behalf. PHI is only to be used, disclosed or stored in the ways permitted by the Privacy Rule, and the companion “Security Rule” requires safeguards for PHI held in electronic form. The details of these rules and who qualifies as a covered entity or business associate are much too complex to cover here; the rules themselves, along with guidance, are available through the U.S. Department of Health and Human Services (HHS) website. However, since the Privacy Rule is so broad-reaching and ubiquitous, it has become a sort of shorthand to use terms such as “HIPAA compliant” or “HIPAA secure” to indicate general compliance with the Privacy Rule and other state and federal patient privacy laws.

The catch is that only HHS has been charged with enforcing compliance with HIPAA. According to Jay Reyero, JD, a partner with health care law firm ByrdAdatto, “HHS has been very clear that there is no officially recognized third-party compliance certification. Only HHS is in a position to definitively determine if one is compliant with the HIPAA requirements. Therefore, businesses should be careful not only in relying on the fact they have been deemed ‘HIPAA Compliant’ but also in making such claims.” The FTC, for its part, is charged with protecting the public from false or misleading claims in advertising. In its view, stating that practices or products are HIPAA compliant when they have not been reviewed or certified by HHS can mislead consumers into believing that they have a government seal of approval or certification when they do not.

This is analogous to a car maker touting a vehicle’s “5-Star Safety Rating” when it hasn’t actually been tested by the National Highway Traffic Safety Administration (which officially issues these ratings). The vehicle may be very safe and may have been built to comply with all safety standards, but, until it is actually run through the tests and certified, it isn’t “5-Star.” The FTC is essentially warning of the same thing here. Your website, EMR system, etc., may be designed perfectly to comply with all patient privacy rules, including HIPAA, but it isn’t technically “HIPAA compliant” until HHS says so.

This seemingly technical difference matters because the FTC has taken action against some entities for this very issue. A recent FTC article covers several of these enforcement actions, including a complaint from early 2023 in which the FTC accused GoodRx of, among other things, misrepresenting its HIPAA compliance, including using an official-looking seal at the bottom of its webpage. Additional details on this are available on the FTC website. This sort of issue isn’t new, as a 2016 settlement against Schein Practice Solutions shows; it was determined that the entity was, in part, “deceptively” claiming its dental software complied with HIPAA. It also doesn’t matter if it is the business making the claim or if it is repeating a third-party certification it has obtained.

While a single claim of HIPAA compliance, on its own, is unlikely to be the sole basis for an FTC enforcement action, it does create the risk of attracting the attention of the FTC and being seen as misleading advertising, and it could highlight or compound the agency’s investigation into other patient privacy concerns at the same business.

But, if you don’t mention “HIPAA,” will consumers think their PHI isn’t safe and protected? The real trouble is that HIPAA has come to be used as industry shorthand for all patient privacy policies, laws, rules and standards. What the business is really trying to convey to the public is that their policies and systems are designed to handle private information in a safe and secure way, with the intention of meeting or exceeding the standards required by law. So, providers, vendors and other businesses in the health care industry need to find a way to describe these privacy measures to their patients and customers in a concise way that doesn’t risk misleading the public in regard to an official or government certification or support.

Do you have questions or concerns about your compliance with HIPAA, what rules apply to you, or how you are advertising to the public? Join AmSpa today to learn more about your obligations in this area.
