Industry Voices—FTC health breach notification rule finally gets a target

With its $1.5 million settlement with GoodRx Holdings Inc. back in February, the Federal Trade Commission (FTC) is making good on the promise from its 2021 policy statement to “bring actions to enforce the [Breach Notification] Rule.”

The Health Breach Notification Rule (HBNR) requires vendors of personal health records (PHRs), which by definition exclude covered entities and business associates subject to HIPAA, to notify consumers and the FTC in the event of a breach of unsecured identifiable health information.

In early February 2023, the FTC and GoodRx settled to resolve several claims under the FTC Act and the HBNR against GoodRx involving two of its service lines: an online platform and mobile app for obtaining discounted prescription drugs and an online and mobile telehealth platform. Through both of these services, GoodRx collected users’ health information. The FTC alleged that the company’s use of tracking tools, such as tracking pixels, to automatically log a user’s name, IP address and contact information, along with the specific medications or health conditions associated with webpages that the user had visited, medications for which that user had used a GoodRx discount, and associated health conditions, amounted to collecting health information.

Further, according to the FTC, GoodRx did not adequately disclose this collection and use of health information to users. In addition to paying $1.5 million in connection with the settlement, GoodRx will be required to establish a comprehensive privacy program and submit itself to regular third-party assessments of that program.

In March, the FTC also reached a settlement with online therapy company BetterHelp, which is owned by Teladoc, over allegations that it shared consumers’ health data with companies like Facebook and Snapchat for advertising purposes. BetterHelp agreed to pay $7.8 million to consumers to settle charges that it revealed consumers’ sensitive data to third parties for advertising after promising to keep such data private.

The settlements, along with the FTC’s allegations regarding the underlying conduct, signal increased enforcement around the use of monitoring technologies by digital health companies and can provide guidance regarding the terms of consent forms and privacy policies.


Usage data can constitute identifiable health information
 

In late 2022, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), which enforces HIPAA, issued guidance stating, in relevant part, that tracking technologies that collect usage data about how a specific user interacts with a covered entity’s website (or other platform) can constitute individually identifiable health information because the data indicate that the individual has received or will receive healthcare services or benefits from the covered entity. OCR specifically posited that using third-party tracking tools to share IP or email addresses when a user visits a page for a specific health condition is a disclosure of identifiable health information that must comply with HIPAA.   

Through this settlement, the FTC sends a similar message to digital health companies and other healthcare organizations not subject to HIPAA about increased scrutiny around the collection and use of consumer personal information. Companies that regularly receive personal information should review how their tracking technology tools, if used, collect and share usage data, and ensure that the use of these tools is appropriately communicated to website visitors and other users.


Inaccurate public statements can lead to “breaches” of personal health information
 

Notably, the FTC took the position that GoodRx’s disclosures of personal information in ways that were inconsistent with its privacy notices, as well as with statements by the company’s CEO, were “breaches” requiring notification under the HBNR. In the FTC’s view, an individual only authorizes the disclosures that are described in the company’s privacy notice or other public statements, and any disclosures to third parties not specifically described may be unauthorized acquisitions of personal information subject to the HBNR.

Accordingly, misstatements in a privacy notice or other public statement regarding how personal health information is disclosed to third parties may cause some disclosures to be deemed a “breach” and trigger a requirement to make notifications. This guidance doesn’t just apply to “official” statements such as online privacy statements and press releases; the FTC also focused on statements made by the GoodRx CEO on Twitter about how the company shared personal information. Finally, disclosure practices for which consent has not been provided via the privacy policy should be evaluated as potentially requiring disclosure under the HBNR.


Be wary of statements regarding compliance with HIPAA
 

For several months in 2019, the GoodRx telehealth website homepage stated “HIPAA Secure. Patient Data Protected.” The FTC alleged that GoodRx misled consumers into believing that GoodRx was a HIPAA-covered entity and would act in compliance with HIPAA, but that it did not because it shared and used health information for unauthorized purposes.

PHR vendors and other consumer-facing digital health tools may be tempted to provide assurances to users by saying that they “comply with HIPAA.” This can be problematic, because compliance with HIPAA assumes that the entity is a covered entity or business associate, and the FTC may consider these as statements leading a consumer to believe his or her information is protected by HIPAA, when it is not.  


Implement privacy and data-sharing governance
 

Companies should expect regulator focus on internal policies and procedures in order to assess whether privacy violations resulted from a lack of proper governance.

Companies receiving, creating or transmitting personal health information should develop and implement procedures to control how personal information is collected, used, and disclosed. These procedures should include careful review of whether specific types of uses and disclosures comply with company policy and public notices. Specific decisions regarding use and disclosure should be documented and may necessitate performing a “data privacy impact assessment” that weighs the risks of a particular use or disclosure of sensitive information, as well as implementing safeguards to sufficiently mitigate such risks.


Conclusion
 

After years of lying dormant, the HBNR has been seized by the FTC to send a warning regarding enforcement of what appear to be widely used marketing practices involving personal health information by digital health companies. The GoodRx settlement signals that PHR vendors and other digital healthcare organizations should be engaging in a regular review of their personal information collection and disclosure practices to ensure that they are not the next target of the rule’s adolescent ire.

Wesley McCulloch is an associate at Bass, Berry & Sims PLC in Nashville, Tennessee. He focuses his practice on data privacy and security matters and routinely counsels clients on compliance with international, national and state privacy laws. 

Nesrin Tift is a member at Bass, Berry & Sims PLC in Nashville, Tennessee. She advises clients on compliance and operational matters associated with implementation of electronic health record systems, data privacy and information blocking, and counsels providers and vendors seeking to leverage digital health for value-based care. 

Shannon Wiley is a member at Bass, Berry & Sims PLC in Memphis, Tennessee. She focuses her practice on healthcare regulatory and transactional matters with a specific emphasis on the pharmaceutical industry, specializing in specialty pharmacy, digital pharmacy and infusion providers.

Roy Wyman is a member at Bass, Berry & Sims PLC in Nashville, Tennessee. For nearly 30 years, he has represented a variety of commercial entities on complex data privacy and security matters and related regulatory concerns.