How FTC Enforcement Actions Will Impact Telehealth Data Privacy

Recent high-profile settlements against telehealth companies show that the FTC is willing to enforce its Health Breach Notification Rule and hold entities accountable for noncompliance.

The Federal Trade Commission (FTC) made its stance on health data privacy and security abundantly clear with two recent high-profile settlements against GoodRx and BetterHelp, setting the stage for future enforcement actions and heightened compliance obligations for telehealth services and other health tech companies.

Both GoodRx and BetterHelp faced allegations of improper health data sharing and agreed to monetary settlements of $1.5 million and $7.8 million, respectively. Beyond the monetary settlements and corrective actions ordered by the FTC, these settlements sent a signal to other telehealth providers about what the FTC will and will not tolerate when it comes to health data privacy.

“To some degree, I think the FTC has used GoodRx and BetterHelp as case studies, as examples for others in the industry, and is providing a roadmap of what others in the industry may want to consider as they are going through a review of their compliance practices,” Michelle Garvey Brennfleck, healthcare attorney and shareholder at Buchanan Ingersoll & Rooney, said in an interview with HealthITSecurity.

“The FTC is suggesting that now is the time to review those practices, and it is providing guidance in the form of these orders and in the form of statements that providers, telehealth companies, and virtual care companies can use going forward to make sure that they are not subject to these kinds of enforcement activities.”

Overview of the FTC's Recent Actions

To understand the weight of the FTC’s most recent enforcement actions, one must look back to October 2021, when the FTC issued a policy statement affirming that health apps and connected device companies that collect health information must comply with the Health Breach Notification Rule. The policy statement made it clear that the FTC would take action against health tech companies that failed to comply.

The Health Breach Notification Rule requires vendors of personal health records and other entities to alert the FTC, consumers, and in some cases the media when a personal health record data breach occurs.

The FTC notably specified that a data breach “is not limited to cybersecurity intrusions or nefarious behavior.” Instances of unauthorized access, such as an entity sharing health information without an individual’s permission, also trigger notification obligations.

Although the rule was introduced over a decade ago, the FTC had never brought any enforcement actions under it. That changed in February 2023, when the FTC imposed a $1.5 million civil penalty on telehealth company GoodRx to resolve allegations that GoodRx had violated the Health Breach Notification Rule.

Specifically, GoodRx, a telemedicine and prescription drug discount provider, allegedly “violated the FTC Act by sharing sensitive personal health information for years with advertising companies and platforms—contrary to its privacy promises—and failed to report these unauthorized disclosures,” the FTC stated.

The company allegedly leveraged third-party tracking pixels and “plug and play” software development kits from companies like Facebook, Google, Criteo, Branch, and Twilio that supposedly gathered sensitive data and used it for advertising purposes, the FTC stated.

GoodRx denied the allegations and admitted no wrongdoing but agreed to the settlement to avoid protracted litigation. In addition to the monetary penalty, the proposed court order prohibited GoodRx from engaging in deceptive practices such as sharing health data for the purpose of advertising. The company will also be required to obtain affirmative consent before disclosing user health information to third parties, and to direct the third parties to delete the health data that was previously shared with them.

A few weeks later, the FTC proposed a $7.8 million settlement with online counseling service BetterHelp, resolving allegations that the company shared customer health data with third parties like Facebook and Snapchat for advertising purposes.

In this case, the FTC alleged that BetterHelp failed to maintain policies and procedures to protect health data, did not obtain consent from consumers before sharing their information, and denied 2020 news reports that it had shared information with third parties.

“Let this proposed order be a stout reminder that the FTC will prioritize defending Americans’ sensitive data from illegal exploitation,” Samuel Levine, director of the FTC's Bureau of Consumer Protection, said in a press release announcing the settlement.

The order directed BetterHelp to obtain affirmative consent before disclosing health information to third parties and requires it to implement a comprehensive privacy program that better protects consumer data. BetterHelp will also be required to direct third parties to delete any consumer health data that the company revealed to them in the past.

The settlement fund will be used to provide partial refunds to BetterHelp customers who used the service between August 1, 2017, and December 31, 2020, marking the first time that the FTC moved to return funds to consumers whose health data was improperly disclosed.

Implications For Consumers, Health Tech Companies

“Those settlements are particularly interesting because not only are there some significant dollar amounts attached, but there's also a sense that consumers may benefit on the individual level from those settlements,” Brennfleck stated.

“In the BetterHelp settlement, we're seeing for the first time this concept that recovered settlement amounts may be returned to consumers whose information has been inappropriately shared under the Health Breach Notification Rule.”

This provides a new avenue for impacted individuals to benefit from enforcement in this area. HIPAA does not have a private right of action, meaning that individuals cannot enforce HIPAA on their own accord or benefit from a monetary perspective, Brennfleck noted.

In addition to implications for individuals affected by a data breach, the settlements sent a clear message to health tech companies about Health Breach Notification Rule compliance expectations.

“We are seeing telehealth companies and other companies that would be subject to the Health Breach Notification Rule as vendors of personal health records start to look into their own practices,” Brennfleck explained.

The BetterHelp and GoodRx orders provided health tech companies with a clear roadmap to compliance best practices. For example, the GoodRx order required GoodRx to limit data retention, implement a mandated privacy program, and require user consent for any health data sharing, all of which are strong best practices for any health tech company.

“We're also seeing that even stakeholders within the industry may mistakenly think that HIPAA is the end-all-be-all when it comes to protecting any type of consumer or individual health information, and that isn't correct,” Brennfleck added.

“HIPAA is a very particular creature that applies only to certain types of entities, covered entities as defined by HIPAA and their business associates. And so, not only our industry stakeholders are starting to understand more clearly that there are other avenues for protection of that type of information, but so are consumers at the individual level when they're reading in the headlines that the FTC is among the agencies that is responsible for enforcement and for protection of personal health information that is held by certain types of vendors.”

Best Practices Going Forward

Going forward, telehealth and other health tech companies can use the GoodRx and BetterHelp settlements as cautionary tales and roadmaps to compliance.

“In addition to considering the state data privacy and security rules that might apply to the activities of a telehealth company to considering HIPAA and its applicability to a telehealth company, those companies need to also be focusing on the FTC Health Breach Notification Rule and what they should be doing to comply with the rule and be proactive in compliance with the rule,” Brennfleck noted.

Specifically, the two settlements underscore the FTC’s definition of a breach – threat actors launching a ransomware attack may result in a breach, but so can sharing health data with advertisers without consent.

Brennfleck stressed the importance of maintaining clear privacy policies, especially surrounding how the company uses health information and whether that information is shared with third parties.

“That could mean implementing policies that seek and require the deletion of data after a certain period of time that limit a company's ability to retain data and extending those protections to any third parties that may have obtained data for a valid or specific purpose and appropriate purpose,” Brennfleck advised.

“I would recommend that any telehealth company have a policy in place or a contractual arrangement in place with any third party that is receiving the health information of a consumer to require that company to delete the information after a certain period of time, use that information only for specific approved purposes.”

Additionally, telehealth providers and other health tech companies subject to the Health Breach Notification Rule may want to review the BetterHelp and GoodRx settlements internally and with their legal counsel in order to ensure compliance.

“All of the protections laid out within the proposed orders should really be taken to heart by these telehealth companies and their counsel both internally and externally,” Brennfleck suggested.