Q&A: FTC action on health data sharing could put digital health ‘on notice’

The Federal Trade Commission has started cracking down on digital health companies for allegedly sharing users’ health data for advertising purposes.

Last month, the agency said GoodRx had shared personal health information with third parties like Google and Facebook. The company, best known for its drug-cost transparency tools, agreed to pay a $1.5 million fine to settle the case, but admitted no wrongdoing.

And just yesterday, the FTC announced a proposed order that would bar online therapy company BetterHelp from disclosing health data for advertising, along with $7.8 million in payments to users whose data was shared. BetterHelp also admitted no wrongdoing, and noted that it had settled regarding alleged practices in place several years ago.

Scott Loughlin, a partner at Hogan Lovells who also leads the law firm’s global privacy and cybersecurity practice, sat down with MobiHealthNews to discuss the agency’s enforcement action against GoodRx and what digital health companies should learn from the case.

Editor’s note: This interview was conducted before the FTC announced its proposed order regarding BetterHelp.

MobiHealthNews: What were some of your big takeaways from the FTC’s action against GoodRx? In your brief, you called it “groundbreaking.” What do you think are some of the most groundbreaking changes here?

Scott Loughlin: I think there were a number of things that came out of the proposed order that were groundbreaking. The first was the FTC went and intentionally tried to fill a gap that was created within the HIPAA legal landscape. HIPAA has a direct application to certain types of healthcare providers and healthcare plans, but it doesn’t cover quite a lot of organizations that operate and process sensitive health information.

And the OCR [Office for Civil Rights], which is the primary regulator to enforce HIPAA, doesn’t have jurisdiction over quite a lot of consumer-oriented healthcare organizations. So when OCR published guidance around how entities subject to HIPAA can deploy different tracking technologies on their digital platforms, that wouldn’t have applied to quite a lot of organizations that have sensitive information coming through their digital properties.

And the FTC, through the GoodRx decision, closed that gap and made clear that from their perspective the same types of standards will apply, regardless of whether you’re subject to HIPAA.

So the other thing that I think was a really important development was that in the proposed order there were quite a lot of areas that the FTC has indicated is going to be expected of GoodRx on a go-forward basis, including the development and implementation of comprehensive privacy controls.

These are the types of obligations that have been enforced in the past with respect to security cases by the FTC. And this is an area where they’ve deployed some of the same types of remedies and the same types of obligations that the FTC has used in security cases, but now within a privacy case.

That is a crucial development because the obligations that they’ve required come from everything from having to maintain a comprehensive set of privacy policies that would apply to their internal uses of data to the appointment of an individual who was responsible for privacy compliance that would have a direct reporting relationship to the CEO, to going down to having very specific privacy controls that would support GoodRx’s ability of complying with its underlying privacy commitments.

MHN: Were you surprised to see this enforcement action by the FTC, which they said was the first instance they’d enforced the Health Breach Notification Rule? Do you think that this was coming based on earlier regulatory action and information?

Loughlin: It isn’t surprising that the FTC went into this space. I think if you look at the order, there are two notable areas that they’ve enforced. The first is their traditional Section 5 authority for regulating or prohibiting unfair or deceptive trade practices. That’s an area that the FTC has regularly enforced.

And what’s notable here is that they, for the first time, enforced their Section 5 authority with respect to web-tracking for healthcare organizations. It isn’t a surprise that this is an area that they’ve been looking into, because of all the media attention that has focused on the uses of these technologies by healthcare organizations.

Consumer Reports had issued an article about GoodRx in particular, and then The Markup [and STAT] had earlier last year identified quite a lot of healthcare providers who had used different types of tracking on their digital properties. These were the types of things that the FTC would be concerned about from an unfair or deceptive trade practice, especially when they compare these practices against public statements that these companies have made.

The second portion, which was around the Health Breach Notification Rule, has never been enforced by the FTC. But it’s not a surprise that they’re doing that in this case. They had released a public statement indicating that they’ve received very few reports of breaches under the Health Breach Notification Rule, and that they suspected that there was underreporting.

So they were effectively reminding the health community or the community that’s subject to these rules that they needed to receive these reports when required. I think this particular case, while it could have gone forward only under Section 5, they’ve used this opportunity to really drive home the message that they’re serious about organizations reporting under the Health Breach Notification Rule.

MHN: What do you think that other digital health companies or consumer health companies should take from this decision going forward?

Loughlin: One, be very careful about what it is that you are telling your users and especially how you are using and disclosing their health information. Don’t think of health information narrowly. In this case, the fact that a user was seeking care or seeking services from a digital health platform itself might be health-related information. So make sure that your disclosures match your practices.

Second, be careful of how you are using tracking technology so that you’re using that deliberately. I’m seeing quite a lot of examples, and the GoodRx decision underscores that there are different groups within organizations who are responsible for deploying tracking technologies. And those groups are different from legal and compliance.

The FTC order requires GoodRx to implement a governance structure, so that decisions concerning the uses of tracking technologies would go through a common type of legal or compliance review. And that’s something that is now going to be part of a standard operating procedure.

I think the third thing is to really scrutinize your advertising and marketing practices that are based on sensitive information. In this case, GoodRx was accused of having used sensitive information to target individuals with different types of advertising, different types of medicine and pharmaceutical products.

And the FTC has said you cannot advertise or target individuals using sensitive information without their prior consent. And as a result, that is a crucial practice for digital health organizations to be thinking about implementing in their practices.

MHN: Do you think we’ll see more FTC enforcement like this?

Loughlin: Yes, I think that the FTC will continue to be really engaged on this. The FTC doesn’t typically issue rules and regulations. Instead, they often will put out guidance. And then they will support that guidance through specific types of enforcement actions, almost creating a common law of FTC enforcement, which puts the community on notice that this is the expectation around trade practices that wouldn’t be considered unfair or deceptive.

So I think there’s likely to be a time where organizations are left to pull their business practices to be more in line with the GoodRx set of expectations. But much like the FTC has done with security cases, if they repeatedly see behavior that they think runs afoul of the rules that they set out in GoodRx, you’ll likely see additional enforcement.
