From step-counting fitness bands and sleep-grading watches to reproductive-tracking mobile applications, the Internet of Things has empowered consumers with an incredible variety of tools that allow them greater involvement as patients and insights into their own health and fitness. According to Market.us, the wearable medical device market grew to an estimated $30.1 billion in 2022 (and this projection did not include mobile applications that also collect their users’ health data). In addition to wearable health devices and apps, the COVID-19 pandemic forced many traditional health care interactions into the digital space, a trend that has shown no signs of reversing post-pandemic.
The result of these trends: Americans are creating massive amounts of health-related data outside traditional professional medical interactions. As exciting as this market growth has been, holders of health care data are still swimming in murky waters when it comes to their privacy obligations. The disconnection between, and overlap of, information protected by state privacy law and information protected under the Health Insurance Portability and Accountability Act (HIPAA), not to mention information protected by some other privacy regime, have created a precarious landscape that is proving difficult to navigate. Storm clouds are gathering for stewards of health care data that operate both inside and outside HIPAA, and providers will need to adjust quickly if they want to remain on safe ground.
In February 2023, the FTC announced its first enforcement action under its Health Breach Notification Rule against GoodRx, a telehealth and prescription drug discount provider. According to the settlement, GoodRx:
- Shared personal health information with advertisers and third parties in violation of its privacy policies.
- Used personal health information to target its users with personalized health- and medication-specific advertisements.
- Misrepresented its HIPAA compliance.
- Failed to implement policies to protect personal health information.
GoodRx agreed to a no-admit/no-deny settlement, a $1.5 million civil penalty, a notification to impacted consumers and a court order that did the following:
- Prohibited the sharing of personal health data for advertising.
- Required user consent for any other sharing.
- Required the company to seek the deletion of data held by third parties.
- Required the company to limit its own retention of data and to implement a mandated privacy program.
On May 17, the FTC settled with another entity, Easy Healthcare Corporation (EHC), the developer of the fertility app Premom. EHC allegedly deceived users by doing the following:
- Sharing their sensitive personal information with third parties when its privacy policies promised that it would not share health information without users’ consent.
- Failing to take reasonable measures to address the privacy and data security risks created by its use of third-party tracking tools.
- Failing to notify consumers of these unauthorized disclosures, in violation of the Health Breach Notification Rule.
The company agreed to pay a $100,000 civil penalty, provide a notification to impacted consumers and obey a court order similar to the one given above for the GoodRx settlement.
On May 18, the FTC proposed further amendments to the Health Breach Notification Rule that would do the following:
- Revise several definitions to clarify how the rule applies to health applications and similar technologies that are not covered by HIPAA.
- Codify the agency’s interpretation that a breach includes an unauthorized disclosure.
- Clarify the scope of the entities covered by the rule.
- Clarify what it means for a personal health record to draw information from multiple sources.
- Expand the ability to provide electronic notice of a breach to consumers (and provide additional requirements regarding such notices).
The FTC’s comment period will run for 60 days from the publication of the new rule in the Federal Register.
HIPAA-covered entities and their “business associates” must instead comply with the Department of Health and Human Services’ breach notification rule.
About the Author
Peter Bogdasarian is a partner and serves as Chief Privacy Officer for the firm. He counsels clients on data privacy and cyber security-related issues. Peter also provides advice to clients in connection with inquiries, investigations, and enforcement actions initiated by government agencies and self-regulatory organizations as well as general litigation matters.