Blog

By: Max Mashal, Juris Doctor Candidate (Class of 2025), Sandra Day O’Connor College of Law at Arizona State University

Introduction

On September 29, 2023, the U.S. Food and Drug Administration (FDA) announced a proposed rule that would classify laboratory-developed tests (LDTs) as “devices” under the Federal Food, Drug, and Cosmetic Act (FDCA) by amending the definition of in vitro diagnostic products (IVDs) under 21 C.F.R. § 809.3(a).[1] If this rule is implemented, LDTs will now have to meet the same regulatory standards as other FDA-regulated medical devices.[2]

Laboratory-Developed Tests

Laboratory-developed tests are in vitro diagnostic products that are designed, manufactured, and used within a single clinical laboratory which meets certain laboratory requirements (including CLIA certification).[3] Until recently, LDTs were mainly used for rare diseases and low-volume testing.[4] Now, they are widely-used by a more diverse population, thanks to high-tech instrumentation and software.[5] LDTs can now be used to diagnose and treat complex diseases, act as companion diagnostics for personalized medicine, and can be rapidly adapted to address emergency responses.[6]

However, unlike other IVDs, LDTs have not historically been subject to the FDA’s regulatory oversight.[7] The FDA has exercised enforcement discretion over LDTs for decades, allowing them to enter the market without FDA approval or clearance.[8] This has created a regulatory gap that poses significant risks to public health, as some LDTs may be inaccurate, unsafe, or ineffective.[9]

Phasing Out the FDA’s Enforcement Discretion Policy

Under the proposed rule, the FDA would implement a phased approach to end its enforcement discretion policy over a period of one to four years after the publication of the final rule.[10] The transition period would vary depending on the risk level of the LDTs, with high-risk tests being subject to premarket review earlier than moderate-risk or low-risk tests.[11] The FDA estimates that about 50% of the current LDTs are low-risk tests that may be exempt from premarket review under the new regulations.[12]

Under the proposed rule, the FDA has structured the phaseout policy as follows:

• One Year After Publication: The FDA’s general enforcement discretion approach would end with respect to Medical Device Reporting (MDR) requirements, as well as correction and removal reporting requirements.
• Two Years After Publication: Enforcement discretion would also end for other requirements. This would exclude MDR, correction and removal reporting, Quality System (QS) regulations, and premarket review. LDTs will then need to comply with FDA regulations related to registration, listing, labeling, and investigational device exemptions.
• Three Years After Publication: Enforcement discretion would end for QS requirements.
• Three and a Half Years After Publication:[13] Enforcement discretion would end for premarket review requirements for high-risk IVDs, subjecting Class III LDTs to full Pre-Market Approval requirements under the FDCA.
• Four Years After Publication:[14] Enforcement discretion would end with respect to premarket review requirements for moderate and low risk IVDs needing premarket review. Class II and certain Class I LDTs would need to meet full 510(k) premarket and de novo requirements under the FDCA. The proposed rule suggests the FDA will not enforce actions against LDTs for which 510(k)s and de novo applications are submitted within this four-year period until the FDA review concludes.

Closing the Theranos Loophole

The FDA’s proposed rule aims to ensure the safety and effectiveness of LDTs, foster innovation, and align with evolving healthcare needs. It also intends to close a loophole which has been exploited by companies like Theranos, a startup that claimed to offer revolutionary blood tests that could perform hundreds of analyses with a single drop of blood.[15] Theranos’ tests were found to be unreliable, inaccurate, and fraudulent, putting patients at risk of misdiagnosis and mistreatment.[16] The company was able to market its tests without FDA approval by exploiting this regulatory loophole for LDTs.[17] The FDA’s proposed rule is intended to prevent such cases from happening again by requiring all LDTs to comply with the same regulatory standards as other medical devices.[18]

Conclusion

The FDA’s proposed rule is expected to face challenges and legal disputes from stakeholders who may oppose the agency’s authority over LDTs or fear the impact of the proposed regulations on their businesses.[19] The public comment period for the proposed rule closed on December 04, 2023.[20]

---

[1] Medical Devices; Laboratory Developed Tests, Federal Register (2023), https://www.federalregister.gov/documents/2023/10/03/2023-21662/medical-devices-laboratory-developed-tests (last visited Oct 11, 2023).

[2] Harsh Parikh et al., FDA proposes new regulations to increase oversight of Laboratory Developed Tests, Nixon Peabody LLP, https://www.nixonpeabody.com/insights/alerts/2023/10/11/fda-proposes-new-regulations-to-increase-oversight-of-laboratory-developed-tests (last visited Dec 18, 2023).

[3] Center for Devices and Radiological Health, Laboratory Developed Tests, FDA (2023), https://www.fda.gov/medical-devices/in-vitro-diagnostics/laboratory-developed-tests (last visited Oct 11, 2023).

[4] Office of the Commissioner, FDA Proposes Rule Aimed at Helping to Ensure Safety and Effectiveness of Laboratory Developed Tests, FDA (2023), https://www.fda.gov/news-events/press-announcements/fda-proposes-rule-aimed-helping-ensure-safety-and-effectiveness-laboratory-developed-tests (last visited Oct 11, 2023).

[5] Federal Register, supra note 1, at 3.

[6] An introduction to diagnostic testing in laboratories—US, https://www.thermofisher.com/us/en/home/clinical/clinical-genomics/molecular-diagnostics/diagnostic-testing-laboratories-intro.html (last visited Dec 18, 2023).

[7] Federal Register, supra note 1, at 3.

[8] Office of the Commissioner, supra note 4.

[9] Id.

[10] Federal Register, supra note 1, at 19.

[11] Id.

[12] Id. at 8; See also Inside FDA’s Proposed Rule to Regulate LDTs, https://www.thefdagroup.com/blog/fda-proposed-rule-ldt (last visited Dec 18, 2023).

[13] But no earlier than October 1, 2027.

[14] But no earlier than April 1, 2028.

[15] Kezia Parkins, The Theranos saga: a wake-up call for the lab-developed test market, (2022), https://www.medicaldevice-network.com/features/theranos-ldt-regulation/ (last visited Oct 11, 2023).

[16] Id.

[17] Id.

[18] See Office of the Commissioner, supra note 4.

[19] Gregory Levine, Joshua Oyster & Michael Purcell, Regulation Without Legislation: FDA Proposes Rule to Regulate Laboratory Developed Tests and End Historical Enforcement Discretion Policy | Insights | Ropes & Gray LLP, (2023), https://www.ropesgray.com/en/insights/alerts/2023/10/regulation-without-legislation-fda-proposes-rule-to-regulate-laboratory-developed-tests (last visited Oct 11, 2023).

[20] Federal Register, supra note 1, at 2; Center for Devices and Radiological Health, supra note 4.

By Kaytie Ravega, partner at Quarles & Brady LLP, with contributions from partner Ted Sullivan and associates Ashleigh Giovannini, Shamika Mazyck, Jacob Pallotta, and Monica Wright, who thankfully watched the DEA listening sessions referenced below in shifts to capture the threads and important points raised by the many speakers on this critical topic.

Introduction to federal law regulating telemedicine controlled substance prescribing, circa 2009 through 2020

It is well known that the Drug Enforcement Administration (“DEA”) requires a prior in-person visit before a healthcare provider may prescribe a controlled substance to a patient during a telemedicine encounter.  This is a component of the Ryan Haight Act (the “Act”), a federal statute that took effect in 2009. Perhaps less familiar, the Act also includes a mandate to DEA to create a way for telemedicine providers to register or have some path to providing controlled substance prescriptions to their patients without the in-person visit requirement.  Developing a registration for telemedicine providers has apparently not been as easy as creating a separate registration number, such as the recently-retired “X” numbers for suboxone prescribing.  Rather, despite multiple instructions from Congress over the past decade, as well as pleas from industry leaders such as the American Hospital Association, DEA has not implemented an option for telemedicine providers to provide care for patients who require controlled substance prescriptions without the in-person visit.  The most recent Covid-19 public health emergency (“PHE”), however, continued to force the issue.

Attempts at regulating telemedicine controlled substance prescribing, circa 2023

During the PHE the in-person visit requirement for telehealth controlled substance prescribing was generally waived, with an express statement from DEA that the requirement would be restored once the pandemic ended. As the PHE rambled toward closure, on February 24, 2023 the Department of Health and Human Services (“HHS”), the Department of Veterans Affairs (“VA”), and DEA issued a Notice of Proposed Rulemaking (the “Proposed Rule”) proposing to permanently extend the PHE telemedicine prescribing flexibilities and requesting public comments on the proposal.  

In May 2023, the DEA published an alert indicating that it received more than 38,000 comments from industry stakeholders regarding the Proposed Rule. Because of this comment volume, the DEA announced the submission of a draft Temporary Rule to the Office of Management and Budget titled “Temporary Extension of COVID-19 Telemedicine Flexibilities for Prescription of Controlled Medications” (the “Temporary Rule”) with an effective date of May 11,^,2023. The Temporary Rule authorized providers to continue relying on the PHE telemedicine flexibilities for the prescription of controlled substances through November 11, 2023. Upon that expiration date, the Temporary Rule had stated that the full scope of telemedicine flexibilities will end for new relationships, and only be extended through November 11, 2024 for provider-patient telemedicine relationships established prior to or on November 11, 2023. 

As part of the planning for the Proposed Rule to become effective (once the Temporary Rule ended or at some other time to be determined) and to consider what additional changes may be needed in light of all the comments to the Proposed Rule, DEA hosted a two-day listening session on September 12 and 13, 2023 to empower “healthcare practitioners, experts, advocates, patients, and other members of the public” to voice their support for or objection to the provisions of the Proposed Rule. The stated goal of the listening session was to “receive additional input concerning the practice of telemedicine with regards to controlled substances and potential safeguards that could effectively prevent and detect diversion of controlled substances via telemedicine.”  In other words, DEA and the healthcare community at large face a challenge of competing interests in terms of telemedicine prescribing; specifically, how to support increased access to healthcare through telemedicine while managing the risk of diversion? 

Numerous presenters over the course of the two day event addressed a range of topics related to telemedicine prescribing, discussing:

• the need for more flexibility, away from the rigidity of the pre-PHE prior in-person visit requirement;
• concerns about ensuring prescriptions are valid and that provider-patient relationships exist;
• ensuring that pharmacies are not treated as a gatekeeping substitute for adequate enforcement against rogue prescribers;
• preventing telemedicine from being an avenue of diversion or fraud to the extent possible; 
• the critical role of telemedicine in access to care in multiple scenarios where many parts of the U.S. confront provider shortages, including mental health care, behavioral health, and chronic condition management of many kinds; 
• telemedicine’s effect on patient compliance with care and improved participation in care management, such as showing up for telemedicine visits more reliably and other key examples; 
• a wide range of proposals for recommended changes, including those who requested prohibiting some specific products or provider types, such as nurse practitioners and physician assistants, from controlled substance prescribing via telemedicine altogether; and
• whether DEA has a legitimate role in affecting telemedicine practice to the extent clinical care is affected, among many other points both for and against these examples.

In the face of all of this, to consider options and next steps, DEA again adjusted the compliant path.

The Current Rule, circa 2023-2024

Approximately a month after the listening sessions, on October 10, 2023, DEA, jointly with HHS, published a “Second Temporary Extension of COVID-19 Telemedicine Flexibilities for Prescription of Controlled Medications,” (the “Current Rule”).  Note that state requirements may vary from and be more stringent than DEA’s requirements.

The Current Rule extended and renewed the Temporary Rule, meaning that instead of ending on November 11, 2023, the flexibilities for controlled substance prescribing in place during the PHE are now extended through December 31, 2024. Further, the Current Rule authorizes all DEA-registered practitioners to prescribe Schedule II-V controlled substances via telemedicine until December 31, 2024, regardless of whether the practitioner established a telemedicine relationship with the patient prior to or on November 11, 2023. The DEA signaled that the agency chose to extend these flexibilities as it continues to evaluate the information gathered during the two-day listening session and develop new standards and/or safeguards for telemedicine prescribing of controlled medications. Drafters of the Current Rule indicated that DEA anticipates promulgating new rules in the Fall of 2024. 

Specifically, under the Current Rule, and if allowed by applicable state laws, controlled substance prescriptions may be issued during a telemedicine encounter, without a prior in-person visit, only if all of the following conditions are met: 

(1) The prescription is issued for a legitimate medical purpose by a practitioner acting in the usual course of professional practice; 

(2) The prescription is issued pursuant to a communication between a practitioner and a patient using an interactive telecommunications system referred to in 42 CFR § 410.78(a)(3) [a two way, audio video real time encounter];

(3) The practitioner is (i) authorized to prescribe the class of controlled substance specified on the prescription, or (ii) exempt from obtaining a registration to dispense controlled substances; and

(4) The prescription is consistent with all other applicable legal requirements.

See 21 CFR § 1307.41; 42 CFR § 12.1.

By: Nikki Hazelett, 2025 J.D. Candidate, Sandra Day O’Connor College of Law at Arizona State University

In early spring, the Drug Enforcement Agency (DEA) and Substance Abuse and Mental Health Services Administration (SAMHSA) issued a temporary regulation that extended specific telemedicine flexibilities that were initially implemented during the federal COVID-19 Public Health Emergency (PHE).

Per this extension, the DEA’s full set of COVID-19 waivers for prescribing controlled substances via telemedicine will remain viable until November 11, 2023. Provided such prescriptions comply with DEA regulations, physicians may continue to prescribe schedule II-V controlled medications through telemedicine without first conducting an in-person medical examination of the patient.

Additionally, the extension grants individuals who formed a practitioner-patient relationship via telemedicine on or before November 11, 2023, a one-year grace period through November 11, 2024, to continue utilizing PHE flexibilities for prescribing controlled medications through telemedicine.

The intended goal of the temporary extension is to prevent lapses in patient care, ensure the accessibility of telemedicine, and allow sufficient time for healthcare practitioners and patients to prepare for future regulations regarding prescribing controlled medications via telemedicine.

Ultimately, the DEA and SAMHSA anticipate enacting a final set of regulations concerning the practice of telemedicine. Until then, the federal government has determined this temporary regulation is “otherwise consistent with public health and safety,” allowing the DEA and Department of Health and Human Services (HHS) time to address the 38,396 public comments received on two previous notices of proposed rulemakings concerning telemedicine.

Legal Authority & Background:

The Ryan Haight Online Pharmacy Consumer Protection Act of 2008 (the Ryan Haight Act) amended the Controlled Substances Act by adding several new provisions regarding the illegal distribution of controlled substances over the internet. The Ryan Haight Act prohibits distributing and delivering controlled substances online without a valid prescription.[1] The Ryan Haight Act aimed to deter the exploitation of controlled substances through “rouge websites” and “online pharmacies” offering medications without a valid physician-patient relationship.

Implemented by the DEA, the Ryan Haight Act requires practitioners to perform in-person medical evaluations before prescribing controlled medications to patients via telemedicine. It also established seven “practice of telemedicine” exceptions, one of which authorizes the Attorney General and Secretary of Health and Human Services to promulgate rules allowing practitioners to prescribe controlled medications without conducting an in-person examination, provided the practice is in accordance with Federal and State law.

DEA & HHS Proposals:

In response to the COVID-19 PHE, the DEA granted temporary exceptions to both the Ryan Haight Act and the DEA’s power to implement regulations, which permitted physicians to prescribe controlled medications through telemedicine without a prior in-person medical examination. 

The DEA put forth these regulations via two published letters in 2020:

• A March 25, 2020 “Dear Registrant” letter signed by William T. McDermott, DEA’s then-Assistant Administrator, Diversion Control Division; and
• A March 31, 2020 “Dear Registrant” letter signed by Thomas W. Prevoznik, DEA’s then-Deputy Assistant Administrator, Diversion Control Division. 

Three years later, faced with the impending expiration of the COVID-19 PHE, the DEA and HHS promulgated two notices of proposed rulemakings (NPRMs) on March 1, 2023:

• “Telemedicine Prescribing of Controlled Substances When the Practitioner and the Patient Have Not Had a Prior In-Person Medical Evaluation” (the General Telemedicine Rule); and
• “Expansion of Induction of Buprenorphine via Telemedicine Encounter” (the Buprenorphine Rule). 

The proposed rules would establish limited circumstances where a practitioner may prescribe specific controlled medications to patients through telemedicine post-PHE. The agencies expressed a desire to transition seamlessly into post-PHE regulations and ensure patients have reliable access to controlled prescriptions via telemedicine consistent with “public health and safety, while maintaining effective controls against [drug] diversion.”

For example, the General Telemedicine Rule proposed a grace period of 180 days after the expiration of the COVID-19 PHE to extend telemedicine flexibilities to practitioner-patient relationships formed during COVID-19. 

The comment period for the proposed rules ran through March 31, 2023, and generated an astonishing 38,369 public comments. To effectively review these comments, the DEA and SAMHSA issued a temporary extension of PHE telemedicine flexibilities, as discussed above.

Public Response to the NPRMs:

The American Psychiatric Association (APA) was one among many organizations to submit a comment on the NPRMs. Notably, the APA cautioned the DEA from taking “too many steps backwards” and imposing futile restrictions on the practice of telemedicine during an “opioid public health emergency and nationwide mental health and access to care crisis.”

The APA produced five key recommendations that better balanced the DEA’s obligation to prevent drug diversion without restricting individuals’ access to life-saving technology. The recommendations include:

1. Allowance for referring practitioners to not be DEA-registered.
2. Reduction in administrative requirements for referring and prescribing practitioners.
3. Reduction in additional state-based registration requirements.
4. Removal of clinical decision-making from regulation in these proposed rules.
5. Clarification of key inconsistencies in the proposed rules.

The American Hospital Association (AHA) also submitted a comment letter to the DEA regarding the NPRMs. The AHA wrote that the exceptions for in-person medical evaluations under the Ryan Haight Act —specifically under the “other circumstances” catch-all— were opportunities for the DEA to build upon policies for the safe administration of prescriptions via telemedicine. However, the AHA felt that the DEA failed to expand upon prior policies and instead created “unnecessarily burdensome” limits to telemedicine that would adversely impact individuals’ access to healthcare.  

Conclusion:

The purpose of this rulemaking is to extend, for a limited period, the telemedicine flexibilities that existed during the federal COVID-19 PHE. Without this temporary regulation, the COVID-19 PHE telemedicine flexibilities for prescribing controlled substances would have expired at the conclusion of the PHE on May 11, 2023. Despite the uncertainty that lies ahead, the DEA and HHS now have time to address the 38,369 comments received in response to the two NPRMs. This extension will hopefully encourage the DEA to explore regulatory alternatives to expand access to telemedicine.

---

[1]  The term “valid prescription” means a prescription that is issued for a legitimate medical purpose in the usual course of professional practice by-

(i) a practitioner who has conducted at least 1 in-person medical evaluation of the patient; or

(ii) a covering practitioner. 21 USC § 829(e)(2).

Part Two of a Two-Part Series: Unprecedented FTC Enforcement of the Health Breach Notification Rule

By: Jeanne E. Varner Powell, The Risk Team, Mutual Insurance Company of AZ (MICA)

Part One of this series provided an overview of online tracking technologies, and summarized guidance provided in December, 2022, by the Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”) for HIPAA covered entities addressing privacy concerns stemming from the use of online tracking technologies.

This segment will discuss enforcement by the Federal Trade Commission (“FTC”) of the Health Breach Notification Rule related to tracking technologies.

FTC Developments: The Health Breach Notification Rule – Uncertainty Ahead?

HIPAA covered entities are not the only ones that need to be aware of increasing regulatory scrutiny related to online tracking technology. The FTC is ramping up enforcement activity in this area against entities not subject to HIPPA.  Since 2021, the FTC has settled four significant cases involving alleged improper sharing of consumer health information with advertising platforms like Facebook and Google.[i]

In 2021, the FTC settled unfair and deceptive trade practices claims against FloHealth, the developer of the Flo Period & Ovulation Tracker app. The settlement resolved allegations that FloHealth utilized tracking technologies to share consumers’ sensitive health information with third parties for marketing and advertising purposes.[ii] On March 2, 2023, the FTC announced a proposed settlement of similar claims against BetterHelp[iii], an online mental health treatment company. Similar cases could be on the horizon.

Of particular significance, on February 1, 2023, the FTC announced resolution of its first-ever Health Breach Notification Rule (“HBNR”) action.[iv] The Respondent in that case was GoodRx, a digital health platform offering consumers prescription drug discounts and telehealth services. Just a few months later, on May 17, 2023, the FTC settled a second case involving HBNR claims, this time against Easy Healthcare, developer of the Premom Ovulation Tracking App.[v] Allegations from both cases are discussed in more detail below.

The HBNR was enacted in 2009, but until now it essentially sat idle. The Rule applies to certain non-HIPAA covered entities and imposes reporting requirements when there is a breach of individually identifiable health information.[vi] In 2021, the FTC significantly expanded its interpretation of what entities the HBNR covers and what constitutes a breach that triggers reporting requirements.[vii] Organizations not covered by HIPAA that collect consumer health data (or entities that do business with such organizations) should heed recent FTC activity as a sign to stay abreast of FTC communications about the HBNR and work closely with legal counsel to develop a compliance strategy.

Important HBNR Statutory Terms

To understand the significance of recent FTC actions involving the HBNR, knowledge of some of the statutory terms and definitions is essential.

• The Rule applies to “vendors of personal health records” (PHRs), a “PHR related entity” or a “third-party service provider for a vendor of PHRs or a PHR related entity.” It requires notification of individuals and the FTC following discovery of a “breach of security” of unsecured identifiable health information contained in a PHR maintained or offered by a vendor or related entity. Third-party service providers that discover such a breach are required to notify the vendor or related entity.[viii]

• A “personal health record” is “an electronic record of PHR identifiable information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.”[ix]

• A “vendor of personal health records” is “an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that offers or maintains a PHR.” [x]

• “PHR identifiable health information” is “individually identifiable health information, as defined in section 1171(6) of the Social Security Act (42 U.S.C. sec 1320d(6)), and, with respect to an individual, information that:

• Is provided by or on behalf of the individual; and

• That identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.”[xi]

• Under the Social Security Act definition, “individually identifiable health information” means any information, including demographic information collected from an individual that:

• is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

• relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and

• identifies the individual; or

• with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

• “Breach of security” means “with respect to unsecured PHR identifiable health information of an individual in a PHR, acquisition of such information without the authorization of the individual.”[xii]

History Behind GoodRx and Premom – Statement of the Commission on Breaches by Health Apps and Other Connected Devices

In 2020, with more consumers utilizing apps and other technology to stay on top of their health, the FTC recognized that “more companies may be covered by the FTC’s Rule.”[xiii] Accordingly, it initiated rulemaking proceedings and sought public input about potential modifications to the Rule’s definitions and scope. For example, it asked whether it should change the definitions of “PHR related entity,” “third-party service provider,” and “vendor of PHRs”. It also asked, “What are the implications (if any) for enforcement of the Rule raised by direct-to-consumer technologies and services such as mobile health apps, virtual assistants, and platforms’ health tools?”[xiv]

In September 2021, with the rulemaking process still ongoing, the FTC reversed course and published the Statement of the Commission on Breaches by Health Apps and Other Connected Devices[xv] (the “Statement”). The Statement announced for the first time, that the FTC would enforce the HBNR against health app and connected device developers as “health care providers”[xvi] and that it would interpret “breach” to include not just cyberattacks but also sharing of identifying health information without consumer authorization.[xvii] Two commissioners wrote dissents. Both criticized the Commission for publishing the statement without first concluding the ongoing rulemaking process that sought input on these very issues. In addition, they faulted the other commissioners for significantly expanding the Rule in conflict with statutory language, congressional intent, and the Commission’s previously published business guidance.[xviii]

The GoodRx Case

In the GoodRx case, the FTC charged that GoodRx engaged in unfair and deceptive practices in violation of the Health Breach Notification Rule and Section 5 of the FTC Act. [xix] The allegations in the Complaint tracked the FTC’s expanded interpretation of the HBNR as set forth in the Statement. For example, the FTC alleged that the unauthorized disclosures of consumers’ unsecured PHR identifiable health information to Facebook and Google via web trackers constituted a “security breach.” In support of its claim that GoodRx was a “vendor of PHRs,” the FTC alleged as follows:

• The website and mobile apps are electronic records of PHR identifiable information that are capable of drawing information from multiple sources, including:
  • inputs from users;
  • Medication Purchase Data, pricing, and refill information from Pharmacy Benefit Managers;
  • pharmacy information from pharmacies;
  • information about prescribed medications from healthcare professionals (such as the name of a medication prescribed during a telehealth session); and
  • users’ geographic location information from a third-party vendor that approximates geolocation based on IP address.
• The information is also managed, shared, or controlled by or primarily for the users. GoodRx lets users keep track of their personal health information, including to save, track, and receive alerts about their prescriptions, refills, pricing, and medication purchase history.

In addition, the FTC alleged that GoodRx broke numerous data privacy promises it made to customers including: 

• Promised users it would never share health information with advertisers or other third parties, yet used various tracking technologies to send sensitive information like users’ medications and health conditions to companies like Facebook and Google for the purpose of targeted advertising campaigns;
• Promised users that it would only disclose their personal health information for limited purposes, then shared users’ names, addresses, email addresses, phone numbers, and other personal identifiers with advertising platforms; and
• Promised consumers it would limit how third parties that received the information could use the information yet failed to do so.

Per the settlement, GoodRx will pay a $1.5 million penalty and be banned from sharing user health information with third parties for advertising purposes. In addition, GoodRx will need to obtain affirmative express consent from users before disclosing health information to third parties for purposes other than advertising, require third parties to delete data shared with third parties, restrict its data retention periods, and implement a comprehensive privacy program.[xx]

The Premom Case

According to the FTC’s Complaint, hundreds of thousands of women have input sensitive health information into the Premom app, including period dates and pictures of ovulation test strips the app uses for predicting the next ovulation cycle. Like GoodRx, in Premom the FTC claimed the app’s developer made promises it didn’t keep concerning collection and sharing of this “identifiable health information.” The Complaint alleged violations of both the FTC Act and the HBNR.

To support its claim that the app developer is a “vendor of personal health records,” the FTC alleged:

• Premom encourages users to upload ovulation tests and large amounts of information to the app;
• Premom encourages users to connect other apps and products to Premom and permit Premom to import health information from them; and
• Premom allows users to manage and control the PHR identifiable health information in the app and track their ovulation, menstruation, and other health information.

The FTC further asserted that Premom transferred unsecured PHR identifiable health information to third parties like Google and AppsFlyer without users’ authorization. According to the Complaint, these “breaches of security” occurred for years and Premom failed to make breach notifications required by the HBNR.

Under the terms of the settlement, Easy Healthcare (Premom’s owner and developer) will pay a $100,000 civil penalty and:

• Retain users’ personal information only as long as necessary to fulfill the purpose for which it was collected;
• Will not make misrepresentations about its privacy practices;
• Comply with HBNR notification requirements for any future breach of security;
• Seek deletion of data it shared with third parties;
• Notify consumers of the FTC’s allegations and the settlement; and
• Implement comprehensive security and privacy programs with strong safeguards to protect consumer data.

In addition, in a related case, Easy Healthcare will pay $100,000 combined to Connecticut, D.C., and Oregon for violations of their laws.[xxi]

Proposed Amendments to HBNR

The day after the Premom settlement announcement, the FTC voted unanimously to issue a Notice of Proposed Rulemaking to amend the HBNR.[xxii] The proposed amendments were filed in the Federal Register on June 9 and comments will be accepted until August 8, 2023. Briefly, some of the proposed changes include:

• Clarify the scope of the rule – Current definitions would be revised, and new definitions added, to clarify the FTC’s position that mobile health apps and similar technologies not subject to HIPAA are covered by the HBNR. With these changes, the FTC hopes to make clear that the HBNR applies generally to online platforms (“…including websites, apps, and Internet-connected devices…” providing health care services or supplies) and that it covers both medical and wellness services.

• “PHR related entity” definition changes – Revise the definition to clarify that only entities that access or send unsecured PHR identifiable health information to a personal health record (not those that send ANY information) qualify as PHR related entities.

• Require consumer authorization for sharing – Health apps would need to obtain consumers’ authorization to share their information with third parties and would be mandated to notify consumers in the event information is accessed without such authorization.

• “Breach of security” definition changes – This definition would be modified to align with the position the FTC took in GoodRx and Premom. It would include unauthorized disclosures to third parties as well as data security breaches, hacking, and other cyber incidents.

• Expand breach notice and content requirements – Email and other electronic methods could be used to send breach notifications to consumers. Breach notices would need to contain additional information, such as names of third parties who may have accessed information.

• Penalties – add a new section to the rule that states the penalties (up to $50,120 per violation per day) for non-compliance.

 For more detail, read the Proposed Amendments in full.

FTC publications

For more information on the FTC’s current interpretation of the HBNR, HBNR compliance, and other FTC enforcement activity, consult the following publications:

• Complying with FTC’s Health Breach Notification Rule

• First FTC Health Breach Notification Rule case addresses GoodRx’s not-so-good privacy practices

• FTC Business Guidance blog

---

[i] FTC Press Release (2021, January 13), Developer of popular women’s fertility-tracking app settles FTC allegations that it misled consumers about the disclosure of their health data. https://www.ftc.gov/news-events/news/press-releases/2021/01/developer-popular-womens-fertility-tracking-app-settles-ftc-allegations-it-misled-consumers-about; FTC Business Blog (2023, February 1), First FTC Health Breach Notification Rule case addresses GoodRx’s not-so-good privacy practices. https://www.ftc.gov/business-guidance/blog; FTC Business Blog (2023, March 3), FTC says online counseling service BetterHelp pushed people into handing over health information – and broke its privacy promises. https://www.ftc.gov/business-guidance/blog/2023/03/ftc-says-online-counseling-service-betterhelp-pushed-people-handing-over-health-information-broke; FTC Press Release (2023, May 17), Ovulation tracking app Premom will be barred from sharing health data for advertising under proposed FTC order.https://www.ftc.gov/news-events/news/press-releases/2023/05/ovulation-tracking-app-premom-will-be-barred-sharing-health-data-advertising-under-proposed-ftc

[ii] FTC Press Release (2021, January 13), Developer of popular women’s fertility-tracking app settles FTC allegations that it misled consumers about the disclosure of their health data. https://www.ftc.gov/news-events/news/press-releases/2021/01/developer-popular-womens-fertility-tracking-app-settles-ftc-allegations-it-misled-consumers-about; https://www.ftc.gov/system/files/documents/cases/flo_health_order.pdf.

[iii]FTC Press Release (2023, March 3), FTC to Ban BetterHelp from Revealing Consumers’ Data, Including Sensitive Mental Health Information, to Facebook and Others for Targeted Advertising. https://www.ftc.gov/news-events/news/press-releases/2023/03/ftc-ban-betterhelp-revealing-consumers-data-including-sensitive-mental-health-information-facebook

[iv] 16 CFR. § 318; FTC Business Blog (2023, February 1), First FTC Health Breach Notification Rule case addresses GoodRx’s not-so-good privacy practices. https://www.ftc.gov/business-guidance/blog

[v] FTC Business Blog (2023, May 17), FTC says Premom shared users’ highly sensitive reproductive health data: Can it get more sensitive than that? https://www.ftc.gov/business-guidance/blog/2023/05/ftc-says-premom-shared-users-highly-sensitive-reproductive-health-data-can-it-get-more-personal

[vi] The Rule implements the requirements of the American Recovery & Reinvestment Act of 2009, Pub. L. No. 111-5, 123 Stat. 115, codified at 42 U.S.C. § 17937; see FTC Health Breach Notification Rule summary, https://www.ftc.gov/legal-library/browse/rules/health-breach-notification-rule & Complying with FTC’s Health Breach Notification Rule, https://www.ftc.gov/business-guidance/resources/complying-ftcs-health-breach-notification-rule-0.

[vii] FTC (2021, September 15). Statement of the Commission on breaches by health apps and other connected devices. https://www.ftc.gov/system/files/documents/public_statements/1596364/statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf

[viii] 16 CFR. § 318.3. Vendors of PHRs must notify the media if the breach affects (or is reasonably believed to affect) more than 500 individuals. Id. at § 318.5(b).

[ix] Id. at § 318.2(d).

[x] Id. at § 318.2(j).

[xi] Id. at § 318.2(e).

[xii] Id. at § 318.2(a).

[xiii] Health Breach Notification, Request for Public Comment, 85 Fed. Reg. 31085 (May 22, 2020).

[xiv] Id.; see also Wilson, C. (2021, Sept. 15) Dissenting statement of Commissioner Christine S. Wilson Policy statement on breaches by health apps and other connected devices. https://www.ftc.gov/system/files/documents/public_statements/1596356/wilson_health_apps_policy_statement_dissent_combined_final.pdf

[xv] FTC (2021, September 15). Statement of the Commission on breaches by health apps and other connected devices. https://www.ftc.gov/system/files/documents/public_statements/1596364/statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf

[xvi] The combined statutory definitions of “vendor of personal health records,” “personal health record” and “individually identifiable health information” provide that a PHR vendor subject to the statute is a “health care provider, health plan, employer, or health care clearinghouse.”

[xvii] Id.

[xviii] Wilson, C. (2021, Sept. 15) Dissenting statement of Commissioner Christine S. Wilson Policy statement on breaches by health apps and other connected devices. https://www.ftc.gov/system/files/documents/public_statements/1596356/wilson_health_apps_policy_statement_dissent_combined_final.pdf; Phillips, N.J. (2021, Sept. 15) Dissenting statement of Commissioner Noah Joshua Phillips regarding the policy statement on breaches by health apps and other connected devices. https://www.ftc.gov/system/files/documents/public_statements/1596328/hbnr_dissent_final_formatted.pdf

[xix] FTC Business Blog (2023, February 1), First FTC Health Breach Notification Rule case addresses GoodRx’s not-so-good privacy practices. https://www.ftc.gov/business-guidance/blog

[xx] Id.

[xxi] FTC Press Release (2023, May 17), Ovulation tracking app Premom will be barred from sharing health data for advertising under proposed FTC order. https://www.ftc.gov/news-events/news/press-releases/2023/05/ovulation-tracking-app-premom-will-be-barred-sharing-health-data-advertising-under-proposed-ftc

[xxii] FTC Press Release (2023, May 18), FTC Proposes Amendments to Strengthen and Modernize the Health Breach Notification Rule. https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-proposes-amendments-strengthen-modernize-health-breach-notification-ruleficnbkvhernjgiddiuhhclrrrjjnuvjuduhdlvhnhttjicdjiubhjfutdiknnnke