Protecting the privacy of health information: A baker’s dozen takeaways from FTC cases

In the past few months, the FTC has announced case after case involving consumers’ sensitive health data, alleging violations of both Section 5 of the FTC Act and the FTC’s Health Breach Notification Rule. The privacy of health information is top of mind for consumers – and so it’s top of mind for the FTC. Companies collecting or using health data, listen up. There are a number of key messages from BetterHelp, GoodRx, Premom, Vitagene, and other FTC matters that you need to hear.

Health Privacy: The Basics

Understand the breadth of “health information.”  Health information isn’t just about medications, procedures, and diagnoses. Rather, it’s anything that conveys information – or enables an inference – about a consumer’s health. Indeed, Premom, BetterHelp, GoodRx, and Flo Health make clear that the fact that a consumer is using a particular health-related app or website – one related to mental health or fertility, for example – or how they interact with that app (say, turning “pregnancy mode” on or off) may itself be health information. Our guidance on health and location highlights the fact that location data can convey health information. For example, repeated trips to a cancer treatment facility may convey highly sensitive information about an individual’s health. To stay on the right side of the FTC Act, take a broad view of what constitutes health data and protect it accordingly.

Your obligation to protect the privacy of health information is a given.  The need for privacy-by-design is (or should be!) axiomatic at this point, especially when it comes to sensitive personal information. If you’re collecting or using consumers’ health data, assess and document the risks to that data and implement robust safeguards to protect it, such as a written privacy program, privacy training and supervision, and data retention, purpose, and use limitations. Even if you don’t think that’s necessary, the FTC may say otherwise, as the complaints in BetterHelp and GoodRx show. In those actions, the FTC specifically alleged that the companies’ failure to have appropriate privacy policies and procedures contributed to the alleged unfair privacy practices. To comply with the law, interweave your tech decisions with privacy considerations.

Don’t use behind-the-scenes tracking technologies that contradict your privacy promises or otherwise harm consumers.  In today’s surveillance economy, the consumer is often the product. Consumer data powers the advertising machine that goes right back to the consumer. But when companies use consumers’ sensitive health data for marketing and advertising purposes, such as by sending that data to marketing firms via tracking pixels on websites or software development kits on apps, watch out. BetterHelp, GoodRx, Premom, and Flo make clear that practices like that may run afoul the FTC Act if they violate privacy promises or if the company fails to get consumers’ affirmative express consent for the disclosure of sensitive health information. GoodRx and Premom underscore that this conduct may also violate the Health Breach Notification Rule, which requires notification to consumers, the FTC, and, in some cases, the media, of disclosures of health information without consumers’ authorization. Need to understand more about the implications of tracking? Check out FTC guidance on pixel tracking and FTC-HHS joint letters to hospitals and telehealth providers for more information on tracking-related privacy concerns.

Image

Don’t share consumers’ health information improperly – and don’t receive it either.  After cases like BetterHelp, GoodRx, Premom, and Flo, it’s pretty clear that unauthorized disclosure of consumers’ health information to other companies can land the sender of that data in hot water. But, depending on the facts, the recipient of that data could also face liability under Section 5. If you receive information from other companies for advertising or marketing purposes (for example), you may have a responsibility under Section 5 to take steps (such as procedural and technical measures) to ensure you don’t engage in the unauthorized receipt, use, or onward disclosure of sensitive information. Merely using a standard, out-of-the-box contract or terms of use to prohibit sending certain information may not be enough.

Insist your technology people and compliance staff communicate about your company’s privacy practices.  Does the right hand know what the left hand is doing? Companies using tracking technologies sometimes protest that their technical staff used pixels or software development kits without letting their compliance folks know. A key to compliance is to understand all of your data flows, regardless of which department or staff is in charge of the data. Start by mapping how data comes into your company and how it moves once it’s there. What are all of the sources of the personal information in your company’s possession? How are you using and disclosing it? Are your privacy safeguards keeping up with the data flows? Are your promises to consumers consistent with how your business actually uses their information?

HIPAA-related claims

“HIPAA Compliant,” “HIPAA Secure,” and similar claims may deceive consumers.  Compliance with HIPAA, the national law protecting the privacy of certain health information, has become a shorthand among patients and providers alike for health privacy protection. (Of course, businesses should keep in mind that Section 5 of the FTC Act also applies to most entities covered by HIPAA and requires companies to protect the privacy and security of consumers’ health information.) Not surprisingly, companies offering health-related products and services often want to tout HIPAA compliance to give consumers comfort – even if these companies aren’t actually covered by HIPAA or aren’t actually complying with HIPAA. FTC enforcement actions like GoodRx, BetterHelp, Henry Schein, and SkyMed make clear that HIPAA claims like that may deceive consumers, whether those consumers are health care providers (like the dentists in Henry Schein) or regular people (like the therapy patients in BetterHelp). Also, keep in mind that only one government agency – the Department of Health & Human Services’ Office for Civil Rights (OCR) – can determine if a company is compliant with HIPAA. Be careful about loose language suggesting some government imprimatur that doesn’t exist. Falsely conveying that kind of approval expressly or by implication violates the FTC Act.

Companies that provide HIPAA seals and certifications also may be liable for deceptive claims. Companies that provide certifications and seals about HIPAA compliance to other businesses should be aware of FTC precedent holding purported certifiers liable for deceptive representations. For example, in Tested Green, the FTC alleged that the seller of “green” seals and certifications provided other companies with the means to deceive consumers, because those seals weren’t backed up with evidence about real environmental practices. In ECM, the FTC proved in court that a company that gave its business customers labels and certificates bearing false claims about biodegradability had provided “the means and instrumentalities” to deceive downstream consumers. The same principles apply in the health context. If a company provides a health-related seal or certification to others that falsely implies that the recipient is covered by HIPAA, is complying with HIPAA, has been reviewed by a government agency, or has received government approval, both the certifier and the user of that false certification could be subject to FTC enforcement action.

Other Health Privacy Practices

Reserving the right to make big changes to your privacy policy isn’t real consent.  It may be tempting to use your privacy policy to reserve the right to change your health data practices, so that any continued use of your service constitutes “consent” to the changes. Not so fast. The FTC’s action in Vitagene makes clear that’s not a lawful means for obtaining consent for material retroactive privacy policy changes. Importantly, the Vitagene complaint, which builds on (and goes beyond) the Gateway Learning and Facebook complaints, says the company’s material retroactive changes were unfair even though the company had not yet implemented them. Vitagene underscores that announcing future broad data-sharing practices in that way can create a likelihood of substantial injury to consumers who never agreed to that sharing. Remember that a touchstone of FTC Act compliance is that consumers – not you – should be in control of their data and empowered to make real decisions about it.

Hidden euphemisms don’t cut it.  Rather than living up to their legal obligation to tell consumers the whole truth, some companies hide key terms about data practices in dense privacy policies or terms of service filled with ambiguous language that cloaks how they really use consumers’ health information. For example, too many companies make enigmatic references in privacy policies to the “disclosure of information about the use of the services” when they should be laying their cards on the table by saying prominently (think front-and-center on the home page) “We share your health information with third-party advertising companies so that we can target you with ads.” Euphemisms hidden in privacy policies can be unfair and deceptive. Even if you slip one past consumers, the FTC isn’t fooled. The orders in our recent health privacy cases uniformly require affirmative express consent – consent that can be obtained only following a clear and conspicuous disclosure of all material facts. Hiding the ball and “clear and conspicuous” don’t mesh.

You may be liable under the FTC Act for what you say and for what you don’t say.  You may think the FTC won’t come your way because you aren’t saying anything wrong, so there’s no “deception.” Not necessarily so. The FTC’s complaints against BetterHelp, Practice Fusion, and PaymentsMD make clear that you may be deceiving consumers not only by what you say, but also by what you fail to say. It’s crucial to disclose all material information to consumers about how you’re using and disclosing their sensitive health information. And BetterHelp, Premom, and GoodRx make clear that if your practices harm consumers, you may face FTC enforcement action, regardless of who said what.

Health privacy: A top priority for the FTC – and for your company

The FTC Act protects biometric data.  Since announcing its Biometric Policy Statement in May, the FTC has brought enforcement actions about voice data (Amazon/Alexa), video data (Ring), and DNA information (Vitagene). DNA data is particularly sensitive because it conveys information not only about you, but also people you’re related to. The FTC has also issued guidance about selling genetic testing kits, and Vitagene shows that the FTC will back guidance up with enforcement action. As these cases demonstrate, it’s of paramount importance that companies collecting this sensitive data keep it safe.

Reproductive information should be protected from prying eyes.  It’s no coincidence that the FTC has brought two actions focused on fertility apps (Premom and Flo) and issued guidance on reproductive privacy (among other issues). This is an area of crucial importance to consumers – and so it’s of crucial importance to us. Companies dealing with this data are on notice that half-measures to protect privacy and security aren’t enough.

There’s a lot at stake. There’s always been a lot at stake for consumers whose health data is exposed or misused. But some stakeholders have said there hasn’t been enough at stake for the companies responsible. That argument doesn’t hold water in the wake of the FTC’s recent series of health and other cases. The BetterHelp, GoodRx, and Premom orders banned those companies from disclosing health data for advertising purposes – a sea change in the current advertising ecosystem. Recent orders have also required companies to pony up major money – from tens of thousands to millions of dollars in consumer redress (BetterHelp, Vitagene) or civil penalties (GoodRx, PreMom) – and to instruct recipients to delete data (BetterHelp, GoodRx, Premom, Flo) or DNA specimens (Vitagene). Other orders have held individuals liable for their companies’ security practices (Drizly) or required companies to delete models and algorithms based on ill-gotten data (Amazon/Alexa, Ring, Weight Watchers/Kurbo). The upshot? Violating the law can be an expensive proposition for your company. Think twice (or thrice or more) before making decisions that could harm your customers and land you in legal hot water.