The new kid on the block: The Federal Trade Commission and data sharing

When most people think of protected health information (PHI) and personally identifiable information (PII) in relation to the illicit sharing and tracking of data, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) springs to mind.

Although the Federal Trade Commission (FTC) has enforced violations of data breaches and statements about securing customers’ PHI in accordance with HIPAA (i.e., CVS (Feb. 18, 2009) and Henry Schein (May 23, 2016)), two recent settlements underscore its status as an enforcement agency with the power to enforce consumers’ rights in relation to their sensitive information. First, let’s step back to 2009 when the FTC’s Health Breach Notification Rule came on the scene. Specifically, 16 C.F.R. Part 318,

The Rule requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information. In addition, if a service provider to one of these entities has a breach, it must notify the entity, which in turn must notify consumers. The Final Rule also specifies the timing, method, and content of notification, and in the case of certain breaches involving 500 or more people, requires notice to the media.

While it has some language similarities to the HIPAA Breach Notification Rule, it is not limited to covered entities, business associates, and subcontractors, as defined in 45 CFR 160.103. Also, the FTC’s enforcement authority is derived from Section 5 - The Federal Trade Commission Act of 1914 as amended. Two recent enforcement action settlements, which occurred between February and early-March 2023, underscore its authority and both are notable for distinct reasons:

• GoodRx (February 1, 2023) – the first case where an enforcement action was taken under the FTC’s Health Breach Notification Rule. Here, GoodRx, a telehealth and prescription drug discount provider “fail[ed] to notify consumers and other of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies.” Moreover, “[i]n a first-of-its-kind proposed order, filed by the Department of Justice on behalf of the FTC, GoodRx will be prohibited from sharing user health data with applicable third parties for advertising purposes, and has agreed to pay a $1.5 million civil penalty for violating the rule. The proposed order must be approved by the federal court to go into effect.” GoodRx paid the government $7.8 million to settle the allegations.
• BetterHelp, Inc. (Mar. 2, 2023) – in another first of its kind case, the FTC provided remuneration to customer who were harmed by “online counseling service BetterHelp revealed consumers’ sensitive data with third parties such as Facebook and Snapchat for advertising after promising to keep such data private.”

In sum, these actions serve as somber reminders that the U.S. Department of Health and Human Services – Office for Civil Rights is not the only federal government agency with the authority to address privacy and security violations related to sensitive personal and health data. From a compliance standpoint, persons should ensure that the FTC Health Breach Notification Rule is covered in training, policies and procedures, and BAA agreements.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases.