Q&A: FTC Health Data Sharing Action May Bring Digital Health Focus

The Federal Trade Commission has launched a crackdown on digital health companies for allegedly sharing consumer health data for advertising purposes.

Last month, the agency reported that GoodRx shared personal health information with third parties such as Google and Facebook. The company, best known for its drug cost transparency tools, agreed to pay a $1.5 million fine to settle the case but admitted no wrongdoing.

And just yesterday the FTC announced a proposed order to prevent online therapy company BetterHelp from disclosing health data for advertising, including payments of $7.8 million to consumers whose data was shared. BetterHelp also admitted no wrongdoing and noted that it settled the alleged actions several years ago.

Scott Laughlin, partner at Hogan Lovells, who also leads the law firm’s global privacy and cybersecurity practice, sat down with MobiHealthNews to discuss the agency’s enforcement action against GoodRx and what digital health companies should learn from the case.

Editor’s Note: This interview was conducted before the FTC announced its proposal for BetterHelp.

MobiHealthNews: What important takeaways have you drawn from the FTC’s actions against GoodRx? In your brief, you called it “groundbreaking”. What do you think are the most revolutionary changes here?

Scott Laughlin: I think a few innovative things came out of the proposed order. First, the FTC went out and deliberately tried to fill the hole left in the HIPAA legal field. HIPAA applies directly to certain types of health care providers and health plans, but does not apply to certain organizations that handle and process sensitive health information.

And OCR [Office for Civil Rights], which is the primary regulatory body enforcing HIPAA compliance, does not have jurisdiction over a number of consumer-facing healthcare organizations. Therefore, when OCR published guidance on how HIPAA covered entities can deploy various tracking technologies on their digital platforms, it did not apply to a number of entities that receive sensitive information through their digital assets.

And the FTC, with the GoodRx decision, closed that gap and made it clear that from their point of view, the same types of standards will apply whether or not you qualify under HIPAA.

So the other point that I think was a really big development was that in the proposed order there were a number of areas that the FTC had indicated would be expected from GoodRx in the future, including the development and implementation of comprehensive privacy controls.

These are the types of commitments that have been made in the past in relation to security cases by the FTC. And this is an area where they’ve taken some of the same types of remedies and the same types of commitments that the FTC used in security cases, but now in a privacy case.

This is a significant development as the commitment they require comes from everything from the need to maintain a comprehensive set of privacy policies that will apply to their internal use of data, to the appointment of a privacy officer who will be directly accountable to the CEO, down to having very specific privacy controls in place that will support GoodRx’s ability to comply with its core privacy obligations.

MHN: Were you surprised to see these enforcement actions by the FTC, which they say was the first time they enforced a health care notification rule? Do you think this happened based on previous regulatory actions and news?

Laughlin: No wonder the FTC has taken up this space. I think that if you look at the order, you will see that there are two notable areas that they have strengthened. The first is their traditional powers under Section 5 to regulate or prohibit unfair or deceptive trading practices. This is an area that the FTC has often taken advantage of.

And what’s notable here is that this is the first time they’ve exercised their Section 5 authority on web tracking for healthcare organizations. It’s no surprise that this is an area they’re looking into because of all the media attention that has been focused on the use of these technologies by healthcare organizations.

Consumer Reports published an article specifically about GoodRx, and then The Markup [and STAT] earlier last year identified a number of health care providers that were using various types of tracking on their digital property. These were the things that the FTC might be worried about unfair or misleading trading practices, especially when they compare those practices to public statements made by these companies.

The second part, regarding the Impairment Notification Rule, has never been enforced by the FTC. But it is not surprising that they do so in this case. They released a public statement indicating that they have received very few reports of violations under the Health Impairment Notification Rule and that they suspect an underreporting has occurred.

In this way, they effectively reminded the medical community, or the community covered by these rules, that they want to receive these reports as needed. I think this is a specific case, although it could only be dealt with under Section 5, they used this opportunity to really get the message across to people that they are serious about organizations reporting under the Health Impairment Notification Rule.

MHN: What do you think other digital health companies or consumer healthcare companies should do about this decision going forward?

Laughlin: First, be very careful about what you tell your users and, in particular, how you use and disclose their health information. Don’t think narrowly about medical information. In this case, the fact that a person sought help or accessed services on a digital health platform could be health-related information. Therefore, make sure that your disclosures are consistent with your practices.

Second, be aware of how you use tracking technology so that you use it intentionally. I see a number of examples, and the GoodRx solution highlights that there are different groups within organizations that are responsible for deploying tracking technologies. And these groups differ from legal and compliance.

The FTC ruling requires GoodRx to put in place a governance structure so that decisions regarding the use of tracking technologies undergo traditional legal or compliance review. And this is what will now become part of the standard operating procedure.

I think thirdly, you need to carefully examine your advertising and marketing practices based on confidential information. In this case, GoodRx was accused of using sensitive information to target individuals with various types of advertisements, various types of drugs and pharmaceutical products.

And the FTC has stated that you cannot advertise or target people using sensitive information without their prior consent. And, as a result, it is important for digital health organizations to think about implementation in their practice.

MHN: Do you think we will see more FTC action like this?

Laughlin: Yes, I think that the FTC will continue to really deal with this. The FTC does not normally issue rules and regulations. Instead, they will often release a manual. And then they will support that guidance with specific types of enforcement action, almost creating a general FTC enforcement act that draws the community’s attention to the expectation of trading practices that will not be considered unfair or misleading.

So I think there will probably come a time when organizations will need to change their business practices to better fit the GoodRx set of expectations. But just like the FTC did with security cases, if they consistently see behavior that they think is against the principles outlined in GoodRx, you’re likely to see additional enforcement.
