The Federal Trade Commission has begun cracking down on digital health companies for allegedly sharing consumer health data for advertising purposes.
Last month, the agency said GoodRx had been sharing personal health information with third parties like Google and Facebook. The company, best known for its drug cost transparency tools, agreed to pay a $1.5 million fine to settle the case, but admitted no wrongdoing.
And just yesterday the FTC announced a proposed order that would prevent online therapy company BetterHelp from releasing health data for advertising purposes, including $7.8 million in payments to consumers whose data was shared. BetterHelp also admitted no wrongdoing and noted that it addressed the alleged practices several years ago.
Scott Loughlin, a partner at Hogan Lovells who also leads the law firm’s global privacy and cybersecurity practice, spoke with MobiHealthNews to discuss the agency’s enforcement action against GoodRx and what digital health companies should learn from the case.
Editor’s note: This interview was conducted before the FTC announced its proposed order regarding BetterHelp.
MobiHealthNews: What were some of your big takeaways from the FTC’s action against GoodRx? In your brief, you called it “revolutionary”. What do you think are the most game-changing changes here?
Scott Loughlin: I think there were several things that came out of the proposed order that were groundbreaking. The first was that the FTC went and intentionally tried to fill a hole that was created in the HIPAA legal landscape. HIPAA applies directly to certain types of health care providers and health care plans, but it does not cover a number of organizations that operate and process sensitive health information.
And OCR [Office for Civil Rights], which is the primary regulator charged with enforcing HIPAA, does not have jurisdiction over a number of consumer-focused healthcare organizations. So when OCR published guidelines on how entities subject to HIPAA can deploy different tracking technologies on their digital platforms, this would not have applied to a number of organizations that have sensitive information from their digital properties.
And the FTC, through the GoodRx ruling, closed that gap and made it clear that, in its view, the same kinds of standards will apply whether or not you are subject to HIPAA.
So the other thing that I think was a really significant development is that in the proposed order there were a number of areas that the FTC says will be expected of GoodRx in the future, including the development and implementation of a comprehensive privacy controls program.
These are the types of obligations that have been enforced in the past with respect to security matters by the FTC. And that’s an area where they’ve deployed some of the same kinds of remedies and the same kinds of obligations that the FTC used in security cases, but now in a privacy case.
This is an important development as the obligations they demanded range from the need to maintain a comprehensive set of privacy policies that would apply to their internal uses of data, to appointing a person responsible for privacy compliance who would have a direct reporting relationship with the CEO, to having very specific privacy controls that would support GoodRx’s ability to comply with its underlying privacy commitments.
MNH: Were you surprised to see this enforcement action by the FTC, which they claim was the first instance where they enforced the health breach notification rule? Do you think this was coming based on regulatory actions and previous news?
Loughlin: It’s no surprise that the FTC has entered this space. I think if you look at the prescription there are two notable areas that they enforced. The first is their traditional authority under Section 5 to regulate or prohibit unfair or deceptive trade practices. This is an area that the FTC has frequently enforced.
And what is remarkable here is that they have, for the first time, enforced their Section 5 authority when it comes to web tracking for healthcare organizations. It’s no surprise that this is an area they’ve been looking into, given all the media attention that has focused on the use of these technologies by healthcare organizations.
Consumer Reports had published an article on GoodRx in particular, then The Markup [and STAT] had earlier last year identified a number of healthcare providers who had used different types of tracking on their digital properties. These are the kinds of things the FTC would be concerned about as an unfair or deceptive marketing practice, especially when comparing those practices to the public statements these companies have made.
The second part, which concerned the health breach notification rule, was never enforced by the FTC. But it’s no surprise that they did in this case. They released a public statement stating that they received very few reports of breaches under the health breach notification rule and that they suspected there was under-reporting.
So they were basically reminding the health community, or the community under these rules, that they wanted to receive these reports as needed. I think in this particular case, even though it could only have gone forward under Section 5, they took this opportunity to really get the message across that they’re serious about organizations that report under the health breach notification rule.
MNH: What do you think other digital health companies or consumer health companies should take away from this decision going forward?
Loughlin: First, be very careful about what you say to your users and especially how you use and disclose their health information. Don’t think narrowly about health information. In this case, the fact that an individual sought care or sought services from a digital health platform could itself be health-related information. So make sure your disclosures match your practices.
Second, be careful how you use tracking technology so you use it deliberately. I see a number of examples, and the GoodRx decision highlights that there are different groups within organizations that are responsible for deploying tracking technologies. And those groups are different from Legal and Compliance.
The FTC order requires GoodRx to establish a governance structure so that decisions about the use of tracking technologies go through a traditional type of legal or compliance review. And that’s something that’s going to be part of standard operating procedure now.
I think the third thing is to carefully consider your advertising and marketing practices based on sensitive information. In this case, GoodRx was accused of using sensitive information to target individuals with different types of advertising, different types of drugs and pharmaceuticals.
And the FTC said you can’t advertise or target people using sensitive information without their prior consent. And therefore, it is an important practice for digital health organizations to consider implementing into their practices.
MNH: Do you think we’ll see more FTC enforcement like this?
Loughlin: Yes, I think the FTC will continue to be really engaged in this. The FTC generally does not issue rules and regulations. Instead, they will often issue guidance. And then they will support that guidance through specific types of enforcement actions, almost creating a common law of FTC enforcement, which alerts the community to its expectations regarding business practices that would not be considered unfair or misleading.
So I think there will probably come a time when organizations have to pull their business practices to be more in line with the set of GoodRx expectations. But just like the FTC has done with security cases, if they continually see behavior that they believe violates the principles they’ve laid out in GoodRx, you’re likely to see additional enforcement.