BetterHelp & GoodRx Are a Good Lesson. The FTC Health Privacy Rule Will Come for You If You’re “Deceiving” Patients.

Health data privacy has a new enforcer in town. This has been a year of federal crackdowns in the healthcare industry, as digital health companies have faced the hammer of the Federal Trade Commission for allegedly sharing customers’ health data for advertising purposes. Last month, the FTC put GoodRx in its sights for “failing to report its unauthorized disclosure” of personal health information to Big Tech giants Google and Facebook, landing on a $1.5 million civil penalty for the company. GoodRx is now prohibited from “sharing user health data” for advertising purposes, the first time the FTC and the Department of Justice have proposed an order like this, and one of the few times the FTC’s health privacy rule, the Health Breach Notification Rule to be more precise, has been enforced in almost 15 years.

Though GoodRx admitted to no wrongdoing, the FTC is eager to keep up the heat on supposed rule-breakers. At the beginning of March, the FTC announced another proposed order that would prohibit the online therapy company BetterHelp from “sharing consumers’ personal information with certain third parties for re-targeting.” This was after the FTC determined the company was “deceiving consumers after promising to keep sensitive personal data private.” In an even more unprecedented move, the first of its kind, the FTC is demanding BetterHelp pay its customers back to the tune of $7.8 million. The mental health company acknowledged that it had reached a settlement regarding the alleged practices and also denied any wrongdoing.

Data privacy lawsuits in the healthcare and technology sectors have increased considerably in recent years. So, what does the renewed enforcement of the FTC Health Breach Notification Rule mean for digital health companies that rely on consumer information to sustain their business model?

Melanie’s Thoughts

How can companies navigate the FTC’s new standards of enforcement while also doing their due diligence to protect customers’ health data? Melanie Musson, healthcare and insurance writer with Clearsurance, shares her thoughts on how companies can move forward and reduce the risk of landing in the FTC’s line of fire.

“The public has an idea of what HIPAA is, and for the most part, they think it’s just this broad-brushed medical privacy thing. And so, they think anybody that they tell medical information to is going to keep it a secret because everybody is held legally to HIPAA.

So that’s kind of where this deception has come in, where the FTC has cracked down on companies for sharing information because the consumers believe that all their medical information is a secret, so they just give it. And so even though these companies may technically be complying with HIPAA, when they say that they’re HIPAA compliant, what that means to the consumer is that they won’t share information, but that’s not actually what it means to the company. So going forward, I think companies need to pay careful attention to what the FTC is doing.

They’re making an example of the people that are sharing information, kind of misleading the public. And so, I think that the main thing is not to mislead. If you’re going to share information that you can legally share, make sure that your customers understand that and agree to that. So don’t try to pretend like you’re not sharing any information and then share it.” 

Herman’s Thoughts

How can businesses that rely on consumer information as an essential revenue stream continue without running afoul of the FTC? Herman DeBoard III, CEO & co-founder of Huvr Inc. and a former program manager for the state immunizations department for the Center of Disease Control, offers his advice to digital health companies looking to stay on the right side of the FTC.

“If you look at that rule, it refers to vendors of personal health records, and it requires them to notify consumers following a breach involving unsecured information. There appears to be no breach here. This looks like a case where one company was sharing user information with third parties so they could provide more targeted advertising to those people.

To me, this all goes back to HIPAA. Basically, if you’re a company that collects personal health data, like what prescriptions people are taking, you can’t say that you’re not going to share personal information and then turn around and sell it. So, my advice is, if you are collecting personal health data and plan to share or sell that data, first, get your attorney to add these scenarios to your terms of service and your privacy policy.

Second, in your app, give the users a chance to say, “Do not sell my information,” and make sure your code is honoring that. And if you’re still worried that there’s a legal issue, as long as you de-identify the records, removing information like patient names, locations, and phone numbers, you can give or sell the data to partners for research as much as you want to.

You just have to follow the letter of the law. My company is currently in 50 countries, and the privacy rules around the world are very different in each one. We live in a world where no one has any privacy whatsoever, yet privacy’s a very hot topic politically. So my advice to business owners is to make sure that you take the time to understand the privacy laws in the countries where you operate.

Communicate to your users exactly how you intend to use their information, and always give them the opportunity to opt out.”
