In the past few months, the Federal Trade Commission has cracked down on organizations that use consumers’ health data without their consent. That, in itself, isn’t especially notable; it is, after all, well within the agency’s purview to do so. What has taken some onlookers by surprise is the aggressiveness with which the FTC has pursued alleged bad actors.
Companies that have found themselves under scrutiny — or sued and/or fined — due to their data-sharing practices include BetterHelp, Flo Health and Premom.
“The privacy of health information is top of mind for consumers — and so it’s top of mind for the FTC,” the agency wrote in a recent blog post. “Companies collecting or using health data, listen up.”
Clearly the health and wellness industries are in the FTC’s crosshairs. But even as the agency positions itself as a champion of data privacy, major federal privacy legislation is unlikely to make its way through Congress before the upcoming presidential election.
Prior to the recent burst of FTC activity, the U.S. government had a reputation for being lax on data privacy. By way of comparison, the European Union's General Data Protection Regulation (GDPR) requires companies to establish a lawful basis, in practice usually consent, before using consumers' personal data for marketing purposes. There is no U.S. equivalent.
Scrutiny of data privacy practices has increased in recent years, but only a handful of states have passed privacy laws of their own. Some Congressional lawmakers have introduced legislation aiming to tighten the regulation of health data, yet most of those bills remain in limbo.
“In the absence of a federal privacy law, the FTC is using all the rules in its box to enforce general things like the fairness principle and the transparency principle,” said Rapp VP and data privacy officer Laura Aldridge. “They want to make sure that consumers are aware their data is being used for marketing purposes.”
The FTC’s recent enforcement push may also prompt a longer-term shift in the healthcare industry and its handling of consumer health data.
Compliant CEO Jamie Barnard, whose company focuses on data compliance in the realm of digital media, expects the recent FTC actions to spur healthcare companies to transition to a new model — one in which consumers are explicitly asked to consent to the use of their data.
“The message to healthcare, especially in marketing, is that even if the model isn’t consent-driven today, it will be very soon,” Barnard explained.
Some of the momentum toward industry-wide change can be traced back to February. That’s when the FTC reached an agreement with digital health platform GoodRx to pay $1.5 million in fines and remedies over accusations that it shared patient health data with third parties, including Google, for marketing purposes. It was a first-of-its-kind enforcement action and, as such, served as a warning to other healthcare organizations that don’t have protective data privacy practices in place.
In its complaint against GoodRx, the FTC argued that the company's claims that it complied with the Health Insurance Portability and Accountability Act (HIPAA) were untrue, as were its statements to consumers that it wouldn't share sensitive health data with advertisers.
“GoodRx repeatedly violated these promises… by sharing sensitive user information with third-party advertising companies and platforms like Facebook, Google and Criteo, and other third parties like Branch and Twilio,” the FTC wrote.
The GoodRx case was noteworthy because it marked the first time that the FTC employed the Health Breach Notification Rule (HBNR) against a company. That rule requires vendors of personal health records to notify consumers when there has been a breach of their unsecured personal health record information.
Other FTC enforcement actions have targeted mental health platform BetterHelp, ovulation tracker app Premom, DNA testing company Vitagene and period tracker Flo Health — and those firms represent only a tiny fraction of the healthcare companies that are using and sharing health data without consent. According to Barnard, it’s happening at a “vast scale” in the U.S.
“If you’re an American citizen and you found out that your private health data was being purchased by a Danish company, how would you feel about that?” Barnard asked. “It’s pretty unsettling.”
In May, the FTC announced a proposal that would clarify how the HBNR applies to health apps and other direct-to-consumer health technologies, such as fitness trackers. The FTC noted that it was “witnessing an explosion of health apps” — many of them not covered by HIPAA — “collecting vast amounts of sensitive consumer health information.” If the proposal is finalized, healthcare companies would need to obtain explicit permission from consumers before sharing their health information.
Meanwhile, the agency argued in the recent blog post that its orders against BetterHelp, GoodRx and Premom — which banned them from using or sharing patient health data for advertising purposes — represented a “sea change in the current advertising ecosystem.”
“The upshot? Violating the law can be an expensive proposition for your company,” the FTC concluded.
Even beyond the FTC’s pressure tactics, ethical concerns around companies’ data-sharing policies continue to mount. Following the Supreme Court’s reversal of Roe v. Wade last year, privacy watchdogs expressed concern that health data could be used to prosecute women seeking abortions in anti-abortion states.
To that point, Sen. Amy Klobuchar (D-Minn.) sponsored the UPHOLD Privacy Act, which would prohibit the use of health data in advertising as well as the sale of location data by data brokers. While the fate of UPHOLD remains very much up in the air, healthcare marketers might choose to adjust their practices sooner rather than later.
“Marketers will have to get clear on what data they have, where it flows, who’s accountable for it and how it is secured,” Aldridge explained. “Those four questions are going to be so important, just as mapping your data is crucial now. Because if you don’t know where your accountability lies in that data flow, you can be vulnerable and risk potential violation.”
Barnard agrees, noting that marketing consent models are “the future… Progressive pharma companies need to look at transparency, accountability and ethics now so that when the time comes, they’re well placed to transition.”
What makes the task at hand even more challenging is that healthcare companies will likely need to do all this in the absence of sweeping federal legislation. With a presidential election cycle just ahead, Aldridge believes data privacy regulation will sit low on most lawmakers' priority lists.
“Personally, I would be happily surprised if we see something signed before the next election,” she said.