FTC Issues Guidance on HIPAA, FTC Act, and Health Breaches

Rivkin Radler LLP

The Federal Trade Commission (FTC) recently issued guidance entitled “Collecting, Using, or Sharing Consumer Health Information? Look to HIPAA, the FTC Act, and the Health Breach Notification Rule.” The guidance points out that while businesses that collect, use, or share consumer health information are (or should be) accustomed to complying with HIPAA and its Privacy, Security, and Breach Notification Rules, the Federal Trade Commission Act (FTC Act) and the FTC’s Health Breach Notification Rule are not as widely understood.

The FTC Act prohibits companies from engaging in deceptive or unfair acts or practices in or affecting commerce, and it is broader than HIPAA in that it doesn’t apply only to HIPAA covered entities and business associates. For example, a personal health records app company that shares a consumer’s health information without proper disclosure would likely violate the FTC Act, even though it is probably not subject to HIPAA. And the FTC’s Health Breach Notification Rule would require that company to notify affected consumers, the FTC, and perhaps the media if it suffers a data breach.

The new FTC guidance also includes a helpful refresher on the basic HIPAA rules, for context and comparison.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Rivkin Radler LLP | Attorney Advertising
