The Federal Trade Commission has started cracking down on digital health companies for allegedly sharing consumers’ health data for advertising purposes.
Last month, the agency said GoodRx had shared personal health information with third parties like Google and Facebook. The company, best known for its drug-cost transparency tools, agreed to pay a $1.5 million fine to settle the case, but admitted no wrongdoing.
And just yesterday, the FTC announced a proposed order that would bar online therapy company BetterHelp from disclosing health data for advertising and require it to pay $7.8 million to consumers whose data was shared. BetterHelp also admitted no wrongdoing, and noted that it had settled regarding alleged practices in place several years ago.
Scott Loughlin, a partner at Hogan Lovells who also leads the law firm’s global privacy and cybersecurity practice, sat down with MobiHealthNews to discuss the agency’s enforcement action against GoodRx and what digital health companies should learn from the case.
Editor’s note: This interview was conducted before the FTC announced its proposed order regarding BetterHelp.
MobiHealthNews: What were some of your big takeaways from the FTC’s action against GoodRx? In your brief, you called it “groundbreaking.” What do you think are some of the most groundbreaking changes here?
Scott Loughlin: I think there were several things that came out of the proposed order that were groundbreaking. The first was the FTC went and intentionally tried to fill a hole that was created within the HIPAA legal landscape. HIPAA has a direct application to certain types of healthcare providers and healthcare plans, but it does not cover a number of organizations that operate and process sensitive health information.
And the OCR [Office for Civil Rights], which is the primary regulator to enforce HIPAA, doesn’t have jurisdiction over a number of consumer-oriented healthcare organizations. So when OCR published guidance around how entities subject to HIPAA can deploy different tracking technologies on their digital platforms, that wouldn’t have applied to a number of organizations that have sensitive information coming through their digital properties.
And the FTC, through the GoodRx decision, closed that gap and made clear that from their perspective the same types of standards will apply, regardless of whether you are subject to HIPAA.
So the other thing that I think was a really important development was that in the proposed order there were a number of areas that the FTC has indicated are going to be expected of GoodRx on a go-forward basis, including the development and implementation of comprehensive privacy controls.
Those are the types of obligations that have been enforced in the past with respect to security cases by the FTC. And this is an area where they have deployed some of the same types of remedies and the same types of obligations that the FTC has used in security cases, but now within a privacy case.
That is an important development because the obligations that they have required range from having to maintain a comprehensive set of privacy policies that would apply to their internal uses of data, to the appointment of an individual who is responsible for privacy compliance and has a direct reporting relationship to the CEO, down to having very specific privacy controls that would support GoodRx’s ability to comply with its underlying privacy commitments.
MHN: Were you surprised to see this enforcement action by the FTC, which they said was the first instance in which they’d enforced the Health Breach Notification Rule? Do you think that this was coming based on previous regulatory action and news?
Loughlin: It’s not surprising that the FTC went into this space. I think if you look at the order, there are two notable areas that they have enforced. The first is their traditional Section 5 authority for regulating or prohibiting unfair or deceptive trade practices. That is an area that the FTC has frequently enforced.
And what is notable here is that they, for the first time, enforced their Section 5 authority with respect to web-tracking for healthcare organizations. It’s not a surprise that that’s an area that they have been looking into, because of all of the media attention that has focused on the uses of these technologies by healthcare organizations.
Consumer Reports had issued an article about GoodRx in particular, and then The Markup [and STAT] had earlier last year identified a number of healthcare providers who had used different types of tracking on their digital properties. These were the types of things that the FTC would be concerned about from an unfair or deceptive trade practice standpoint, especially when they compare those practices against public statements that those companies have made.
The second portion, which was around the Health Breach Notification Rule, has never been enforced by the FTC. But it’s not a surprise that they’re doing that in this case. They had released a public statement indicating that they have received very few reports of breaches under the Health Breach Notification Rule, and that they suspected that there was underreporting.
So they were effectively reminding the health community or the community that’s subject to these rules that they wanted to receive these reports when required. I think this particular case, while it could have gone forward only under Section 5, they have used this opportunity to really drive home the message that they are serious about organizations reporting under the Health Breach Notification Rule.
MHN: What do you think that other digital health companies or consumer health companies should take from this decision going forward?
Loughlin: One, be very careful about what it is that you are telling your users and specifically how you are using and disclosing their health information. Don’t think of health information narrowly. In this case, the fact that an individual was seeking care or seeking services from a digital health platform itself could be health-related information. So make sure that your disclosures match your practices.
Second, be careful of how you are using tracking technology so that you’re using that deliberately. I’m seeing a number of examples, and the GoodRx decision underscores that there are different groups within organizations who are responsible for deploying tracking technologies. And those groups are different from legal and compliance.
The FTC order requires GoodRx to implement a governance structure, so that decisions relating to the uses of tracking technologies would go through a traditional type of legal or compliance review. And that’s something that is now going to be part of a standard operating procedure.
I think the third thing is to really scrutinize your advertising and marketing practices that are based on sensitive information. In this case, GoodRx was accused of having used sensitive information to target individuals with different types of advertising, different types of drugs and pharmaceutical products.
And the FTC has said you cannot advertise or target individuals using sensitive information without their prior consent. And as a result, that is an important practice for digital health organizations to be thinking about implementing in their practices.
MHN: Do you think we’ll see more FTC enforcement like this?
Loughlin: Yes, I think that the FTC will continue to be really engaged in this. The FTC does not typically issue rules and regulations. Instead, they often will put out guidance. And then they’ll support that guidance through specific types of enforcement actions, almost creating a common law of FTC enforcement, which puts the community on notice that this is the expectation around trade practices that wouldn’t be considered unfair or deceptive.
So I think there’s likely to be a time where organizations are left to pull their business practices to be more in line with the GoodRx set of expectations. But much like the FTC has done with security cases, if they continuously see behavior that they think runs afoul of the principles that they set out in GoodRx, you’ll likely see additional enforcement.