
The New Health Privacy Enforcer: FTC Issues Stern Warning to Companies That Collect and Use Consumer Health Information


On July 25, 2023, the Federal Trade Commission (“FTC”) issued a strong admonishment putting companies that collect or use health information on notice that it intends to prioritize health information privacy in its enforcement actions. This follows unprecedented actions by the FTC. In February and May of this year, the FTC brought its first enforcement actions under its 2009 Health Breach Notification Rule (“HBNR”)[1] against GoodRx Holdings, Inc. and Easy Healthcare Corporation for disclosing consumers’ personal health information to third-party online advertising and tracking platforms without consent. The FTC imposed civil penalties of $1.5 million and $100,000, respectively. Additionally, on May 18, 2023, the FTC voted to propose changes that would strengthen and expand the HBNR. Among other things, the proposed rule would extend the HBNR to digital health and mobile technologies and would clarify that a “breach of security” is not limited to cybersecurity intrusions but also includes the unauthorized disclosure of personally identifiable health information to a third party.[2]

What You Need to Know About the FTC Announcement:

Of most significance is how broadly the FTC interprets the term “health information.” Health information is not “just about medications, procedures, and diagnoses.” According to the FTC, health information refers to “anything that conveys information – or enables an inference – about a consumer’s health” (e.g., location data, the use of a particular app or website, etc.).

To avoid becoming a target of an enforcement action, organizations should consider taking the following actions highlighted by the FTC:

  1. Incorporate privacy-by-design principles into your organization. Organizations must implement robust safeguards to protect any health information they collect, because the failure to establish appropriate privacy policies and procedures may itself constitute an unfair privacy practice. Potential safeguards include a written privacy program, frequent privacy training, and auditing of data usage and controls. Remember, health information now covers a broad scope of data, and your organization may be at risk without proper policies and procedures.
  2. Conduct a data mapping analysis to ensure privacy compliance. Organizations need “to understand all of your data flows.” What data is being collected? Where is it being stored? How is it being used or disclosed? Is the information being used consistently with representations and promises made to consumers? A current data map helps ensure that all staff follow the same privacy principles and comply with the same privacy safeguards.
  3. Don’t share consumers’ health information improperly by “using behind-the-scene technologies that contradict your privacy policies.” Sharing consumers’ sensitive health data with third parties for marketing and advertising purposes, including through tracking pixels on websites, without affirmative express consent may violate Section 5 of the FTC Act, 15 U.S.C. § 45(a)(1) (“unfair or deceptive acts or practices”), and the FTC’s HBNR. Such conduct may also violate the Health Insurance Portability and Accountability Act (“HIPAA”) and has been the subject of numerous warnings. Most recently, on July 20, 2023, the FTC and the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) sent letters to approximately 130 hospital systems and telehealth providers cautioning them about the privacy and security risks of online tracking technologies integrated into their websites or mobile apps, which may be “impermissibly disclosing consumers’ sensitive personal health data to third parties.” OCR raised these same concerns in a December 2022 bulletin, “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” (HHS.gov).
  4. Liability is not restricted to organizations that improperly disclose health information. The FTC indicated that recipients of health information may also face liability for the unauthorized receipt, use, or onward disclosure of sensitive information, and those activities may be deemed unfair or deceptive acts or practices under Section 5 of the FTC Act.
  5. Be careful about using the terms “HIPAA Compliant” or “HIPAA Secure,” or displaying HIPAA seals or certifications on your website or in advertising, as such usage could be deemed deceptive. The FTC indicated that organizations should not represent that they are “HIPAA compliant” because only one government agency can make that determination – OCR. The use of a HIPAA seal or certification on your website could falsely imply that the government has reviewed and certified your compliance with HIPAA when it has not, which would constitute a deceptive marketing practice.
  6. Ensure privacy policies are clearly written and concise, disclose all material information about how your organization uses and discloses sensitive health information, and contain no hidden terms. Do not bury key terms about data practices in dense privacy policies or terms of service filled with ambiguous language that cloaks how you really use consumers’ health information. “Reserving the right to make big changes to your privacy policy isn’t real consent.” It is therefore unfair to make material, retroactive policy changes and treat a consumer’s continued use of the service as consent. The FTC intends to scrutinize privacy policies to ensure they are consistent with the basic tenet that consumers are not deceived and are “in control of their data and empowered to make real decisions about it.”

Concluding Thoughts

The FTC has made it clear that health privacy is one of its top priorities, and it considers the protection of biometric data and reproductive health information to be of paramount importance. Violations in this area will be costly, and the FTC has indicated that it intends to hold individuals, not just companies, liable for poor security practices.

On July 24, 2023, IBM released its 2023 Cost of a Data Breach Report, which found that the average cost of a data breach has increased by 15.3% over the last three years. “The average cost of a data breach reached an all-time high in 2023 of $4.45 million.” In the healthcare sector, data breach costs have risen 53.3% since 2020. Healthcare breaches cost on average nearly $11 million, the highest of any industry for the 13th year in a row. Safeguarding data has never been more important.


This is for informational purposes only and is not intended to be legal advice.  Please contact a member of the Cybersecurity, Privacy, and Data Protection Practice Group if you have any questions.

[1] The FTC adopted the HBNR pursuant to the American Recovery and Reinvestment Act of 2009 to apply to entities not covered under the Health Insurance Portability and Accountability Act.

[2] This proposed rule was published in the Federal Register on June 9, 2023, and interested parties can submit comments by August 8, 2023. See Health Breach Notification Rule, 88 Fed. Reg. 37819 (June 9, 2023).