All Eyes on Web Trackers Part Two
Part Two of a Two-Part Series: Unprecedented FTC Enforcement of the Health Breach Notification Rule
By: Jeanne E. Varner Powell, The Risk Team, Mutual Insurance Company of AZ (MICA)
Part One of this series provided an overview of online tracking technologies, and summarized guidance provided in December, 2022, by the Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”) for HIPAA covered entities addressing privacy concerns stemming from the use of online tracking technologies.
This segment will discuss enforcement by the Federal Trade Commission (“FTC”) of the Health Breach Notification Rule related to tracking technologies.
FTC Developments: The Health Breach Notification Rule – Uncertainty Ahead?
HIPAA covered entities are not the only ones that need to be aware of increasing regulatory scrutiny related to online tracking technology. The FTC is ramping up enforcement activity in this area against entities not subject to HIPAA. Since 2021, the FTC has settled four significant cases involving alleged improper sharing of consumer health information with advertising platforms like Facebook and Google.[i]
In 2021, the FTC settled unfair and deceptive trade practices claims against FloHealth, the developer of the Flo Period & Ovulation Tracker app. The settlement resolved allegations that FloHealth utilized tracking technologies to share consumers’ sensitive health information with third parties for marketing and advertising purposes.[ii] On March 2, 2023, the FTC announced a proposed settlement of similar claims against BetterHelp[iii], an online mental health treatment company. Similar cases could be on the horizon.
Of particular significance, on February 1, 2023, the FTC announced resolution of its first-ever Health Breach Notification Rule (“HBNR”) action.[iv] The Respondent in that case was GoodRx, a digital health platform offering consumers prescription drug discounts and telehealth services. Just a few months later, on May 17, 2023, the FTC settled a second case involving HBNR claims, this time against Easy Healthcare, developer of the Premom Ovulation Tracking App.[v] Allegations from both cases are discussed in more detail below.
The HBNR was enacted in 2009, but until now it essentially sat idle. The Rule applies to certain non-HIPAA covered entities and imposes reporting requirements when there is a breach of individually identifiable health information.[vi] In 2021, the FTC significantly expanded its interpretation of what entities the HBNR covers and what constitutes a breach that triggers reporting requirements.[vii] Organizations not covered by HIPAA that collect consumer health data (or entities that do business with such organizations) should heed recent FTC activity as a sign to stay abreast of FTC communications about the HBNR and work closely with legal counsel to develop a compliance strategy.
Important HBNR Statutory Terms
To understand the significance of recent FTC actions involving the HBNR, knowledge of some of the statutory terms and definitions is essential.
- The Rule applies to a “vendor of personal health records” (PHRs), a “PHR related entity,” or a “third-party service provider for a vendor of PHRs or a PHR related entity.” It requires notification of individuals and the FTC following discovery of a “breach of security” of unsecured identifiable health information contained in a PHR maintained or offered by a vendor or related entity. Third-party service providers that discover such a breach are required to notify the vendor or related entity.[viii]
- A “personal health record” is “an electronic record of PHR identifiable information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.”[ix]
- A “vendor of personal health records” is “an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that offers or maintains a PHR.”[x]
- “PHR identifiable health information” is “individually identifiable health information, as defined in section 1171(6) of the Social Security Act (42 U.S.C. sec 1320d(6)), and, with respect to an individual, information that:
- Is provided by or on behalf of the individual; and
- That identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.”[xi]
- Under the Social Security Act definition, “individually identifiable health information” means any information, including demographic information collected from an individual that:
- is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
- relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and
- identifies the individual; or
- with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
- “Breach of security” means “with respect to unsecured PHR identifiable health information of an individual in a PHR, acquisition of such information without the authorization of the individual.”[xii]
History Behind GoodRx and Premom – Statement of the Commission on Breaches by Health Apps and Other Connected Devices
In 2020, with more consumers utilizing apps and other technology to stay on top of their health, the FTC recognized that “more companies may be covered by the FTC’s Rule.”[xiii] Accordingly, it initiated rulemaking proceedings and sought public input about potential modifications to the Rule’s definitions and scope. For example, it asked whether it should change the definitions of “PHR related entity,” “third-party service provider,” and “vendor of PHRs”. It also asked, “What are the implications (if any) for enforcement of the Rule raised by direct-to-consumer technologies and services such as mobile health apps, virtual assistants, and platforms’ health tools?”[xiv]
In September 2021, with the rulemaking process still ongoing, the FTC reversed course and published the Statement of the Commission on Breaches by Health Apps and Other Connected Devices[xv] (the “Statement”). The Statement announced for the first time that the FTC would enforce the HBNR against health app and connected device developers as “health care providers”[xvi] and that it would interpret “breach” to include not just cyberattacks but also the sharing of identifying health information without consumer authorization.[xvii] Two commissioners wrote dissents. Both criticized the Commission for publishing the Statement without first concluding the ongoing rulemaking process that sought input on these very issues. In addition, they faulted the other commissioners for significantly expanding the Rule in conflict with statutory language, congressional intent, and the Commission’s previously published business guidance.[xviii]
The GoodRx Case
In the GoodRx case, the FTC charged that GoodRx engaged in unfair and deceptive practices in violation of the Health Breach Notification Rule and Section 5 of the FTC Act.[xix] The allegations in the Complaint tracked the FTC’s expanded interpretation of the HBNR as set forth in the Statement. For example, the FTC alleged that the unauthorized disclosures of consumers’ unsecured PHR identifiable health information to Facebook and Google via web trackers constituted a “breach of security.” In support of its claim that GoodRx was a “vendor of PHRs,” the FTC alleged as follows:
- The website and mobile apps are electronic records of PHR identifiable information that are capable of drawing information from multiple sources, including:
- inputs from users;
- Medication Purchase Data, pricing, and refill information from Pharmacy Benefit Managers;
- pharmacy information from pharmacies;
- information about prescribed medications from healthcare professionals (such as the name of a medication prescribed during a telehealth session); and
- users’ geographic location information from a third-party vendor that approximates geolocation based on IP address.
- The information is also managed, shared, or controlled by or primarily for the users. GoodRx lets users keep track of their personal health information, including to save, track, and receive alerts about their prescriptions, refills, pricing, and medication purchase history.
In addition, the FTC alleged that GoodRx broke numerous data privacy promises it made to customers. According to the Complaint, GoodRx:
- Promised users it would never share health information with advertisers or other third parties, yet used various tracking technologies to send sensitive information like users’ medications and health conditions to companies like Facebook and Google for the purpose of targeted advertising campaigns;
- Promised users that it would only disclose their personal health information for limited purposes, then shared users’ names, addresses, email addresses, phone numbers, and other personal identifiers with advertising platforms; and
- Promised consumers it would limit how third parties that received the information could use the information yet failed to do so.
Per the settlement, GoodRx will pay a $1.5 million penalty and be banned from sharing user health information with third parties for advertising purposes. In addition, GoodRx will need to obtain affirmative express consent from users before disclosing health information to third parties for purposes other than advertising, require third parties to delete the data GoodRx shared with them, restrict its data retention periods, and implement a comprehensive privacy program.[xx]
The Premom Case
According to the FTC’s Complaint, hundreds of thousands of women have input sensitive health information into the Premom app, including period dates and pictures of ovulation test strips the app uses for predicting the next ovulation cycle. As in GoodRx, the FTC claimed in Premom that the app’s developer made promises it didn’t keep concerning the collection and sharing of this “identifiable health information.” The Complaint alleged violations of both the FTC Act and the HBNR.
To support its claim that the app developer is a “vendor of personal health records,” the FTC alleged:
- Premom encourages users to upload ovulation tests and large amounts of information to the app;
- Premom encourages users to connect other apps and products to Premom and permit Premom to import health information from them; and
- Premom allows users to manage and control the PHR identifiable health information in the app and track their ovulation, menstruation, and other health information.
The FTC further asserted that Premom transferred unsecured PHR identifiable health information to third parties like Google and AppsFlyer without users’ authorization. According to the Complaint, these “breaches of security” occurred for years and Premom failed to make breach notifications required by the HBNR.
Under the terms of the settlement, Easy Healthcare (Premom’s owner and developer) will pay a $100,000 civil penalty and:
- Retain users’ personal information only as long as necessary to fulfill the purpose for which it was collected;
- Not make misrepresentations about its privacy practices;
- Comply with HBNR notification requirements for any future breach of security;
- Seek deletion of data it shared with third parties;
- Notify consumers of the FTC’s allegations and the settlement; and
- Implement comprehensive security and privacy programs with strong safeguards to protect consumer data.
In addition, in a related case, Easy Healthcare will pay $100,000 combined to Connecticut, D.C., and Oregon for violations of their laws.[xxi]
Proposed Amendments to HBNR
The day after the Premom settlement announcement, the FTC voted unanimously to issue a Notice of Proposed Rulemaking to amend the HBNR.[xxii] The proposed amendments were filed in the Federal Register on June 9 and comments will be accepted until August 8, 2023. Briefly, some of the proposed changes include:
- Clarify the scope of the rule – Current definitions would be revised, and new definitions added, to clarify the FTC’s position that mobile health apps and similar technologies not subject to HIPAA are covered by the HBNR. With these changes, the FTC hopes to make clear that the HBNR applies generally to online platforms (“…including websites, apps, and Internet-connected devices…” providing health care services or supplies) and that it covers both medical and wellness services.
- “PHR related entity” definition changes – Revise the definition to clarify that only entities that access or send unsecured PHR identifiable health information to a personal health record (not those that send ANY information) qualify as PHR related entities.
- Require consumer authorization for sharing – Health apps would need to obtain consumers’ authorization to share their information with third parties and would be mandated to notify consumers in the event information is accessed without such authorization.
- “Breach of security” definition changes – This definition would be modified to align with the position the FTC took in GoodRx and Premom. It would include unauthorized disclosures to third parties as well as data security breaches, hacking, and other cyber incidents.
- Expand breach notice and content requirements – Email and other electronic methods could be used to send breach notifications to consumers. Breach notices would need to contain additional information, such as names of third parties who may have accessed information.
- Penalties – Add a new section to the rule that states the penalties (up to $50,120 per violation per day) for non-compliance.
For more detail, read the Proposed Amendments in full.
FTC publications
For more information on the FTC’s current interpretation of the HBNR, HBNR compliance, and other FTC enforcement activity, consult the following publications:
[i] FTC Press Release (2021, January 13), Developer of popular women’s fertility-tracking app settles FTC allegations that it misled consumers about the disclosure of their health data. https://www.ftc.gov/news-events/news/press-releases/2021/01/developer-popular-womens-fertility-tracking-app-settles-ftc-allegations-it-misled-consumers-about; FTC Business Blog (2023, February 1), First FTC Health Breach Notification Rule case addresses GoodRx’s not-so-good privacy practices. https://www.ftc.gov/business-guidance/blog; FTC Business Blog (2023, March 3), FTC says online counseling service BetterHelp pushed people into handing over health information – and broke its privacy promises. https://www.ftc.gov/business-guidance/blog/2023/03/ftc-says-online-counseling-service-betterhelp-pushed-people-handing-over-health-information-broke; FTC Press Release (2023, May 17), Ovulation tracking app Premom will be barred from sharing health data for advertising under proposed FTC order. https://www.ftc.gov/news-events/news/press-releases/2023/05/ovulation-tracking-app-premom-will-be-barred-sharing-health-data-advertising-under-proposed-ftc
[ii] FTC Press Release (2021, January 13), Developer of popular women’s fertility-tracking app settles FTC allegations that it misled consumers about the disclosure of their health data. https://www.ftc.gov/news-events/news/press-releases/2021/01/developer-popular-womens-fertility-tracking-app-settles-ftc-allegations-it-misled-consumers-about; https://www.ftc.gov/system/files/documents/cases/flo_health_order.pdf.
[iii] FTC Press Release (2023, March 3), FTC to Ban BetterHelp from Revealing Consumers’ Data, Including Sensitive Mental Health Information, to Facebook and Others for Targeted Advertising. https://www.ftc.gov/news-events/news/press-releases/2023/03/ftc-ban-betterhelp-revealing-consumers-data-including-sensitive-mental-health-information-facebook
[iv] 16 C.F.R. § 318; FTC Business Blog (2023, February 1), First FTC Health Breach Notification Rule case addresses GoodRx’s not-so-good privacy practices. https://www.ftc.gov/business-guidance/blog
[v] FTC Business Blog (2023, May 17), FTC says Premom shared users’ highly sensitive reproductive health data: Can it get more sensitive than that? https://www.ftc.gov/business-guidance/blog/2023/05/ftc-says-premom-shared-users-highly-sensitive-reproductive-health-data-can-it-get-more-personal
[vi] The Rule implements the requirements of the American Recovery & Reinvestment Act of 2009, Pub. L. No. 111-5, 123 Stat. 115, codified at 42 U.S.C. § 17937; see FTC Health Breach Notification Rule summary, https://www.ftc.gov/legal-library/browse/rules/health-breach-notification-rule & Complying with FTC’s Health Breach Notification Rule, https://www.ftc.gov/business-guidance/resources/complying-ftcs-health-breach-notification-rule-0.
[vii] FTC (2021, September 15). Statement of the Commission on breaches by health apps and other connected devices. https://www.ftc.gov/system/files/documents/public_statements/1596364/statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf
[viii] 16 C.F.R. § 318.3. Vendors of PHRs must notify the media if the breach affects (or is reasonably believed to affect) more than 500 individuals. Id. at § 318.5(b).
[ix] Id. at § 318.2(d).
[x] Id. at § 318.2(j).
[xi] Id. at § 318.2(e).
[xii] Id. at § 318.2(a).
[xiii] Health Breach Notification, Request for Public Comment, 85 Fed. Reg. 31085 (May 22, 2020).
[xiv] Id.; see also Wilson, C. (2021, Sept. 15), Dissenting statement of Commissioner Christine S. Wilson, Policy statement on breaches by health apps and other connected devices. https://www.ftc.gov/system/files/documents/public_statements/1596356/wilson_health_apps_policy_statement_dissent_combined_final.pdf
[xv] FTC (2021, September 15). Statement of the Commission on breaches by health apps and other connected devices. https://www.ftc.gov/system/files/documents/public_statements/1596364/statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf
[xvi] The combined statutory definitions of “vendor of personal health records,” “personal health record” and “individually identifiable health information” provide that a PHR vendor subject to the statute is a “health care provider, health plan, employer, or health care clearinghouse.”
[xvii] Id.
[xviii] Wilson, C. (2021, Sept. 15), Dissenting statement of Commissioner Christine S. Wilson, Policy statement on breaches by health apps and other connected devices. https://www.ftc.gov/system/files/documents/public_statements/1596356/wilson_health_apps_policy_statement_dissent_combined_final.pdf; Phillips, N.J. (2021, Sept. 15), Dissenting statement of Commissioner Noah Joshua Phillips regarding the policy statement on breaches by health apps and other connected devices. https://www.ftc.gov/system/files/documents/public_statements/1596328/hbnr_dissent_final_formatted.pdf
[xix] FTC Business Blog (2023, February 1), First FTC Health Breach Notification Rule case addresses GoodRx’s not-so-good privacy practices. https://www.ftc.gov/business-guidance/blog
[xx] Id.
[xxi] FTC Press Release (2023, May 17), Ovulation tracking app Premom will be barred from sharing health data for advertising under proposed FTC order. https://www.ftc.gov/news-events/news/press-releases/2023/05/ovulation-tracking-app-premom-will-be-barred-sharing-health-data-advertising-under-proposed-ftc
[xxii] FTC Press Release (2023, May 18), FTC Proposes Amendments to Strengthen and Modernize the Health Breach Notification Rule. https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-proposes-amendments-strengthen-modernize-health-breach-notification-rule