January 10, 2024

Podcast - The FTC's Health Privacy Enforcement Actions

Clearly Conspicuous Podcast Series

In this episode of his "Clearly Conspicuous" podcast series, "The FTC's Health Privacy Enforcement Actions," consumer protection attorney Anthony DiResta examines the two recent actions from the Federal Trade Commission (FTC) that signal its emergence as a leading regulatory agency concerning health data. Mr. DiResta reviews a joint letter from the FTC and the U.S. Department of Health and Human Services (HHS), as well as a recent post on the FTC's business blog that provides key insights for companies regarding its approach to health data protection and regulatory enforcement.

Listen to more episodes of Clearly Conspicuous here.

Good day and welcome to another podcast of Clearly Conspicuous. As we've noted in previous sessions, our goal in these podcasts is to make you succeed in this current regulatory and governmental environment, make you aware of what's going on with the federal and state consumer protection agencies and give you practical tips for success. It's a privilege to be with you today.

FTC Ramps Up Health Privacy Enforcement

Today, we discuss the efforts of the Federal Trade Commission in health privacy enforcement. Over the past year, the FTC has become a leading actor in the health privacy enforcement space with enforcement actions, policy statements and regulatory changes. These efforts are all focused at companies' misuses or uses of consumer health data and related information types. Recently, the FTC has taken two additional actions that further signal its emergence as a leading regulatory agency concerning health data.

  1. On July 20, the commission issued a joint letter with the Department of Health and Human Services Office of Civil Rights pertaining to the use of online tracking technologies by hospitals and telehealth providers.
  2. On July 25, the commission published a blog post highlighting key takeaways from its recent health data enforcement action.

Taken together, these actions indicate that the FTC means business. Therefore, companies that handle health data as broadly defined by the FTC, particularly those outside the scope of HIPAA, should ensure that their health data privacy and security programs are robust.

The Joint Letter from HHS and the FTC

So let's summarize these developments. Let's first look at the joint letter with HHS. The FTC and HHS circulated a letter to approximately 130 hospital systems and telehealth providers regarding potential risks associated with the use of online tracking technologies. In particular, the letter highlights that these technologies, which the letter describes as, "gathering identifiable information about users as they interact with the website or mobile app, often in ways which are not avoidable by and largely unknown to users," may be present on a given entity's website or app and "impermissibly disclosing consumer sensitive personal health information to third parties."

The letter goes on to raise the following three key points.

  1. The letter makes clear that HIPAA-regulated entities "are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to third parties or any other violations of the HIPAA or rules."
  2. Non-HIPAA entities must still monitor their use of online tracking technologies. The letter emphasizes that even if a company is not subject to HIPAA, it must still "protect against impermissible disclosure of personal health information under the FTC Act in the FTC Health breach notification rule."
  3. The letter concludes by warning that recipients using online tracking technologies should "review the laws cited in the letter and take actions to protect the privacy and security of individual's health information."

The FTC's Recent Business Blog Post

So now let's look at the blog post, the FTC's recent post on its business blog. It's called "Protecting the Privacy of Health Information: A Baker's Dozen Takeaways from FTC Cases," highlights several themes from recent health privacy enforcement actions. As the FTC tries to establish new laws through guidance and enforcement actions, this post informs companies about the FTC's views on these issues.

Key points from this post include:

  • A broad definition of "health information." The post makes clear that the FTC views the balance of "health information" as extending beyond prototypical examples like medical history or lists of medication. Rather, the FTC views health information as encompassing "anything that conveys information or enables an inference about a consumer's health."
  • Then there's the use of tracking technologies, picking up where its joint letter with HHS left off. The FTC emphasizes that companies should be wary of how they collect and use consumer's sensitive health information. In particular, the post highlights companies' use of tracking technologies such as pixels and software development kits, warning that the use of these and similar technologies "may run afoul of the FTC Act and the health breach notification rule if they violate privacy promises or if the company fails to get consumers' affirmative express consent for the disclosure of sensitive health information."
  • Then there's the issue of affirmative express consent. The post highlights the need for companies to obtain affirmative express consent from consumers before disclosing their sensitive health information. And such consent, the FTC informs, can only follow "a clear and conspicuous disclosure of all material facts." Hidden euphemisms and enigmatic references buried within lengthy privacy policies are insufficient.
  • Then there's robust data privacy and security programs, which is critical. The FTC encourages companies to implement formalized data privacy and security programs to protect health information. Specifically, the commission counsels that such programs should include data protection safeguards, risk assessments and employee training and supervision, as well as policies and procedures pertaining to data retention, purpose and use limitation.
  • And finally, there is special attention to sensitive data that the FTC focuses on. The post highlights the FTC's particular focus on biometric data, including genetic data, as well as reproductive health information.

The Key Takeaway

So here's the key takeaway from all of this. There are several ways for impacted companies to challenge these views. Nonetheless, it's critical and prudent for any company gathering and using any data that the FTC views as health data to be evaluating these views and assessing how the company's practices fit within the standards being defined by the FTC.

So please stay tuned to further programs as we identify and address the key issues and developments and provide strategies for success. I wish you continued success in a meaningful day. Thank you.

Related Insights