Podcast - Insights on the FTC's Approach to Digital Health Companies

Morgan Ribeiro: Welcome to Counsel That Cares. This is Morgan Ribeiro, the host of the podcast and a director in the firm's Healthcare Section. Today we are continuing a series of conversations focused on digital health. And in this episode, we will look at the Federal Trade Commission's scrutiny of digital health companies and what companies in the space should be mindful of. Joining me for this conversation is Ashley Thomas, a privacy and cybersecurity attorney in Holland & Knight's Washington, D.C., office. Ashley, welcome to the show.

Ashley Thomas: Thanks for having me, Morgan, I'm happy to be here.

Morgan Ribeiro: Great! So before we get into our discussion on the FTC's oversight of digital health companies, I first want to give you a minute to share with our listeners just more information about your practice.

Ashley Thomas: Yeah, so I'm a privacy and cybersecurity attorney. I am a senior counsel here at Holland & Knight, based in the Washington, D.C., office. I help global companies navigate the growing number of data privacy laws and cybersecurity obligations. I work with a number of clients across industries, but I also work with digital health companies and vendors of healthcare providers understand their obligations under the Health Insurance Portability and Accountability Act, commonly known as HIPAA, as well as emerging state privacy laws such as the California Consumer Privacy Act, the CCPA, and international laws, including the European Union's General Data Protection Regulation, commonly known as the GDPR. I'm a member of the International Association of Privacy Professionals and hold two certifications from the IAPP, the CIPP/US certification on U.S. privacy laws and the CIPP/E certification on European privacy laws.

The FTC's Increasing Focus on Digital Health Apps

Morgan Ribeiro: All right, so it is evident that you have a lot of experience in this space and spend a large portion of all of your practice advising clients on these issues and on this topic. The FTC is explicitly focused on digital health and has been since 2009, and since there has been an explosion of new digital health and health apps that have come onto the market, particularly those that are direct to consumers, which falls outside of the scope of HIPAA. And so the FTC, however, is tightening the reins on digital health apps that share consumers' medical data with tech companies. And the agency issued in May proposed changes to its health breach notification rule. And so I'm curious, I want to talk to you about that and underscore the rule's applicability to health apps as a way to protect consumers' data privacy and provide more transparency about how companies collect their health information. And I know this explosion that we talk about, and that's been happening for some time now, but I think even since COVID, we've really seen that ramp up. And so can you just tell us more about, you know, what do we need to know about this proposed change that's come out and how does that impact those in the digital health space?

Ashley Thomas: Yes. So the FTC health recertification rule applies to vendors of personal health records known as PHRs and related entities that are not covered by HIPAA and requires those companies to issue notifications to consumers, the Federal Trade Commission and the media in the event of a breach of identifiable health data. The rule was adopted in 2009 but has long been dormant until 2021, when the FTC released a position statement about the scope of the rule and its applicability. Since then, the FTC has continued to take interest in health data not covered by HIPAA and scrutinize digital health companies. And the proposed rule seeks to codify some of the positions taken in the FTC's position statement released back in 2021.

Since then, the FTC has continued to take interest in health data not covered by HIPAA and scrutinize digital health companies.

Changes Under the Proposed Rule

Morgan Ribeiro: What are some of the changes under this proposed rule?

Ashley Thomas: So it will revise the definition of PHR identifiable health information and includes definitions for "healthcare provider" and "healthcare services or supplies," thereby further expanding the FTC's reach into the healthcare space. The expanded definition of PHR identifiable health information would cover traditional health information such as diagnoses or medications, health information derived from consumers' interactions with apps and other online services such as online information, health information generated from tracking technologies employed on websites or mobile apps, as well as emergent health data, such as health information inferred from non-health-related data points such as location and recent purchases. It will also revise the definition of a breach of security. So a reportable breach under the proposed rule includes not just data breaches such as cybersecurity attacks or ransomware events, but any disclosure that is not authorized by a consumer. So sharing information with a third party where the individual consumer did not authorize that sharing of information. The proposed rule will also revise the definition of a PHR-related entity. To clarify that, PHR-related entities include entities that offer products and services online, such as mobile apps and entities that access or send unsecured PHR identifiable health information. The proposed rule will also clarify what it means for a PHR vendor to draw PHR identifiable health information from multiple sources. For example, making clear that simply the ability to draw information from multiple sources would qualify. The FTC actually provides an example within the proposed rule of a depression management app. Accepting consumer inputs of mental health status with a technical capacity to sync with a wearable sleep monitor would be considered a PHR, regardless of whether the customer actually syncs a sleep monitor with the app.

Morgan Ribeiro: Is it accurate that the proposed rule will also authorize electronic notices in the event of a data breach?

Ashley Thomas: The proposed rule will also authorize electronic notice in the event of a data breach. It modernizes the notification process, allowing companies experiencing a data breach to inform their customers via email. The proposed rule also expands the content of the notice in a variety of ways, including that a notice would be required to provide a brief description of the potential harm that may result from the breach, such as medical or other identity theft, as well as the contact information of any third parties that acquired the unsecured PHR identifiable information as a result of the incident if that information is known. The FTC also included a sample model data breach notice to consumers that digital health companies can consult with in the event that they need to make a notification. And I would note that comments to the proposed rule will be accepted until August 8 of 2023, and if the proposed rule is adopted, this would confirm the FTC's significant expansion of the scope of the health recertification rule, and such expansion could signal more aggressive enforcement of the rule against digital health companies.

So a reportable breach under the proposed rule includes not just data breaches such as cybersecurity attacks or ransomware events, but any disclosure that is not authorized by a consumer.

Recent Enforcement Activity and Takeaways for Digital Healthcare Companies

Morgan Ribeiro: OK, so that's a lot for, I think, companies to process, right? It's a big deal, and it does feel like it's a shift and being more stringent and obviously with the lens of protecting consumers. And I think consumers often aren't quite aware either what they're really sharing out there. And this proposed rule follows the February announcement from the agency of a first-of-its-kind enforcement action against telehealth and prescription drug discount provider GoodRx for allegedly violating the health breach notification rules. So can you tell us more about what happened in this particular situation and what other digital health companies should take away from this, as well as other enforcement actions that have happened recently against Easy Healthcare or Premom, BetterHelp? There's a number of others certainly got a lot of news around that. So just based on what you've read and being familiar with some of these other situations, what can you share that other digital health companies should be kind of taking away from these situations?

Ashley Thomas: Yeah. So we have seen a flurry of activity from the FTC regarding digital health companies. As you mentioned, in February of this year, 2023, the FTC reached a settlement with digital health platform GoodRx for sharing users' personal health information with third parties without properly disclosing their data practices or obtaining users' affirmative consent. And this was the FTC's first-ever enforcement decision under the health breach notification rule. As I mentioned, it was adopted in 2009. The FTC released a position statement in 2021, but it never actually enforced the rule until this year. So there was 14 years of non-enforcement of this rule just to provide some more background on the correct settlement. So as part of its services GoodRx lets users keep track of their personal health information, including tracking their prescriptions refills as well as medication purchase history, and GoodRx had made public promises that it would never share personal information with advertisers or other third parties, But according to the FTC's complaint, GoodRx repeatedly violated these promises by sharing sensitive user information with third-party advertising companies and platforms like Facebook and Google. And the complaint states that GoodRx used third party website and mobile app tracking tools such as pixels and software development kits to gather individual data that could be used for data analytics and other services. In addition to that deficiency, the FTC found that GoodRx had failed to limit third party use of personal health information, had failed to maintain sufficient policies or procedures to protect its own users' personal health information and also falsely claimed that it was HIPAA compliant by displaying a HIPAA compliance seal on its website. So as a result of all of these alleged deficiencies, the FTC found that GoodRx had violated the health breach notification rule. And so this is a case that, you know, we typically don't see that involves facts that we don't consider as a data breach. The company here was disclosing consumer health information with advertisers and other third party marketing partners without user authorization. So this signals that the FTC is serious about enforcing its broad interpretation of a data breach moving forward. In addition to this being the first enforcement action, the settlement is also significant because GoodRx is permanently prohibited from sharing user health data with applicable third parties for advertising purposes, which is a first-of-its-kind settlements stipulation.

Morgan Ribeiro: All right, so that is GoodRx. What happened with BetterHelp?

Ashley Thomas: As mentioned, we've seen a number of other enforcements. One that came about a month later was with BetterHelp, and in that case, BetterHelp is a digital mental health app that offers virtual counseling. The FTC complaint against BetterHelp, as with the GoodRx case, was focused on the company's advertising activities, which involve disclosures of consumers' health information to Facebook and other digital advertising companies. But unlike the GoodRx action, the FTC did not rely on the health breach notification rule as its basis for its claims. Rather, it instead relied on alleged violations of Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices in or affecting persons or alleged deceptive conduct using and disclosing health information for advertising purposes, despite representations in its privacy policy that it would not share this information.

Morgan Ribeiro: And then we also saw another settlement with Easy Healthcare. Can you tell us more about that?

Ashley Thomas: The FTC reached a settlement with Easy Healthcare for its fertility tracking app, Premom. There the FTC alleged that Easy Healthcare failed to take reasonable measures to address the privacy and security risks created by using core development kits. Also, with the Easy Healthcare case, they were also permanently banned from sharing user personal health data with third parties for advertising. So with all of this activity, what are the key takeaways for digital health companies? So digital health companies that utilize cookies, pixels or online tracking technologies should consider carefully whether any of their web pages or apps are collecting information that could be considered sensitive information. Reviewing their online privacy policies or public privacy notices, and ensure that those privacy policies or notices align with current data collection and sharing practices. And also proceeding carefully when disclosing health data to third parties to ensure that you have a contract in place with any third party which provides adequate safeguards to protect the information being shared. Making sure you train your employees on the company's obligations with respect to privacy laws, as well as avoid characterizing the companies policies as being HIPAA compliant if that is not in fact, the case.

So this signals that the FTC is serious about enforcing its broad interpretation of a data breach moving forward.

Potential Concerns Regarding Pixel Tracking

Morgan Ribeiro: So I think kind of continuing on this theme of GoodRx and BetterHelp and some of these other situations, the FTC's enforcement actions against GoodRx and BetterHelp in particular highlighted the use of third party tracking pixels, which enable these platforms to amass, analyze and further information about user activity. And the remedies in both GoodRx and BetterHelp include strong provisions like bans that place strict comprehensive limits on whether and how certain user information may be disclosed for advertising. And in both of these instances, there's also a ban on the sharing of health information for any advertising purposes, and the BetterHealth situation in particular further bans the disclosure of other personal information. So I know you've touched on some of this, but I really want to kind of dive in deeper to this pixel tracking. There's obviously been a lot in the news about this in recent times and better understanding how it works and how these companies really need to be thinking about the use of pixel tracking.

Ashley Thomas: Yeah, so tracking pixels are single pixel-sized images placed on websites that are typically used to target ads to consumers and track consumer behavior like page views, clicks and ad interactions. And companies who are interested in pixel tracking will first pick a tracking provider, commonly known ones from Facebook and Google. The owner will then generate a tracking pixel, small piece of code, that will be placed onto the website or ad, which will help define the tracking goals such as purchases, clicks or page views. And the company will have some type of dashboard or interface that will permit the company to track and kind of test the pixel action. Pixel tracking can be monetized in several ways. One way to monetize pixel tracking is for companies to use the tracking data collected to improve the company's own markings. The data can be used to target more specific audiences with ads and other marketing messages, and another is that companies can monetize the data by further optimizing their own ad targeting systems and charging other companies to use its advertising offerings.

Morgan Ribeiro: So what are the concerns here? I know that's a very broad question, but it seems like there are some certain things, as you're looking at the FTC's recent actions, what are some of the concerns and particularly as we look at pixel tracking?

Ashley Thomas: So traditional controls, such as blocking third party cookies, may not entirely prevent pixels from collecting and sharing information. Many consumers may not realize that tracking pixels exist because they're invisibly embedded within web pages that users might interact with. Pixels are now considered industry standard tool, but as that we've seen with the GoodRx and BetterHelp examples, we know that they do collect sensitive health data. I would also say that there is a lack of clarity around data collection and use. With pixels, any type of personal and identifying information can be collected and shared. In fact, information collected from a pixel can be used to identify social media profiles through matching information such as a user's email address that automatically connects a user to their social media account on the platform if they have one. These third parties are often covert about how they store the data and in some cases do not know what kinds of information is being tracked and where it is being stored. I would also say that personal information may not be effectively removed. Some pixel tracking methods ostensibly attempt to remove personal information, but may in fact still leak enough information to identify an individual. And I would note that just last week, on July 20, 2023, the FTC and the U.S. Department of Health and Human Services Office for Civil Rights, OCR, sent a joint letter to approximately 130 hospital systems and telehealth providers to alert them about these risks and concerns I've just noted regarding the use of tracking technologies such as the Pixel or Google Analytics that can track a user's online activities.

I would also say that there is a lack of clarity around data collection and use. With pixels,  any type of personal and identifying information can be collected and shared.

The Legal Complications of Data Monetization

Morgan Ribeiro: OK. So we've talked about the matter of pixel tracking, and now we have also have a lot of provider clients at the firm, healthcare providers, physician practices, hospitals, ambulatory surgery centers, really across the gamut who are looking at new revenue streams involving data monetization. Can you tell us more about how they should be thinking about this area in particular and any sort of concerns or challenges as they look to that new revenue stream?

Ashley Thomas: Yes. So healthcare providers have massive amounts of rich health data at their fingertips. Historically, third party vendors to healthcare providers often have derived financial benefits from secondary use of this data, aggregating and brokering de-identified data to downstream customers. But healthcare providers are also looking at data monetization as well. For healthcare providers, if protected health information is shared in exchange for money or other benefits, the standard HIPAA protections come into play. Use of data and exchange for benefit may require education authorization that specifically states the benefit and how the data will be used. Furthermore, if a provider is aggregating or de-identifying data, it will need to follow the method for de-identification. In addition, provider and digital health companies will also need to evaluate emerging state privacy laws and whether it will apply to them in this context or consider whether healthcare exception may apply under these laws. For instance, under the California Consumer Privacy Act, consumers have the right to refuse the sale of their personal data, and a company is required to disclose in its privacy notice if it is selling personal data and provide a method by which an individual can opt out of their information being sold. The CCPA also has certain requirements around the sale or license of de-identified patient data. The CCPA requires that any contract for the sale or license of de-identified patient data shall prohibit the purchaser or licensee from re-identifying or attempting to re-identify the natural person associated with the de-identified patient data, as well as from further disclosing the de-identified patient data to any third party, unless the third party is contractually bound by the same restrictions and conditions as those of the seller or licensor of the de-identified patient data.

For healthcare providers, if protected health information is shared in exchange for money or other benefits, the standard HIPAA protections come into play.

Advice for Digital Health Companies

Morgan Ribeiro: It's a ever-evolving landscape out there, particularly as you look at the regulatory environment. And for this conversation, we've specifically looked at the FTC's proposed rules and some of the recent actions coming out of the FTC. So do you have any advice for digital health companies?

Ashley Thomas: Yes. So I would say being transparent in your privacy notices, understanding the technology tools that your company may be utilizing and what information it's collecting as a result of these tools and ensuring that data collection practices are detailed in your online privacy notices and policies. I would also say making sure you train your employees. Sales and marketing teams often find new opportunities that seem great, but sometimes they don't fully understand that if you're rolling out a new tool embedded in your app or website, they don't fully understand what information may be collected or shared. So making sure that you educate your employees across all departments and teams on the privacy principles and basics. I would also say when you are sharing information, make sure you have an agreement in place that the third party you're sharing the information with is only utilizing it for the purposes defined and ensure that the third party will also comply with the various privacy laws that you, the business, has to comply with as well. And finally, I would say, if you have any further questions on any of these issues, reach out to your preferred legal counsel or any of us here on the data privacy team at Holland & Knight.

Sales and marketing teams often find new opportunities that seem great, but sometimes they don't fully understand that if you're rolling out a new tool embedded in your app or website, they don't fully understand what information may be collected or shared.

Morgan Ribeiro: Awesome. Thank you. Is there anything that we can expect? I know with some of these proposed rules coming out from the FTC, is there a timeline or anything that we can expect to see over the next couple of months?

Ashley Thomas: So as I mentioned, the comments to the proposed rule are due on August 8, 2023. And so then we will be waiting to hear if and when the FTC actually finalizes the rules. So it'll be interesting to see when that happens.

Morgan Ribeiro: I'm sure we'll be putting something out there for friends of the firm once we know more about that information. So thanks for your time today, Ashley. Enjoyed catching up.

Ashley Thomas: Thank you for having me.