BetterHelp and GoodRx Serve as an Important Reminder: FTC Health Privacy Rule Will Take Action Against Deceptive Practices Aimed at Patients.


A new enforcer is in charge of protecting health data privacy. This year, the healthcare industry has been targeted by federal crackdowns due to digital health companies sharing customer health data for advertising purposes. Recently, GoodRx was penalized by the Federal Trade Commission for unauthorized disclosure of personal health data to Google and Facebook, resulting in a $1.5 million civil penalty. As a result, GoodRx is now prohibited from sharing user health data for advertising purposes. This is the first time that the FTC and the Department of Justice have proposed an order like this, and the FTC's health privacy rule, the Health Breach Notification Rule, has rarely been enforced in the last 15 years.

Although GoodRx did not admit to any wrongdoing, the FTC is determined to continue pursuing those it suspects of breaking the rules. At the start of March, the FTC revealed plans to enforce an order that prohibits BetterHelp, an online therapy company, from sharing personal information about its clients with certain third parties for re-targeting. This decision was made after the FTC discovered that the company was tricking its clients by promising to keep sensitive information safe, yet failing to do so. The FTC has gone even further by making an unprecedented demand for BetterHelp to pay its clients a total of $7.8 million. Although BetterHelp acknowledges that it came to an agreement about the supposed wrongdoing, it denies any accusations of breaking the rules.

There has been a significant surge in legal cases related to data privacy concerns in the healthcare and technology industries in recent times. What implications, then, does the revived implementation of the FTC Health Breach Notification Rule have for digital health corporations that rely on customer data to support their commercial operations?

Melanie Musson, a writer for Clearsurance who specializes in healthcare and insurance, has provided insight on how companies can navigate the FTC's latest enforcement standards and safeguard their customers' health data. She proposes strategies that companies can put in place to decrease their chances of becoming targets for the FTC.

People generally understand HIPAA to be a policy to protect medical information, but it is often oversimplified. Many believe that simply mentioning their health information to anyone means it will be kept confidential, as all are bound by HIPAA law.

This is where the problem of deception arises. The Federal Trade Commission (FTC) has taken action against companies that share medical information because consumers assume their medical history is private, and companies take advantage of this assumption. Although these companies may adhere to HIPAA regulations, their claim of HIPAA compliance gives consumers a false sense of security as it is not equivalent to their promise of not sharing information. Looking ahead, companies should be mindful of the FTC's actions.

The authorities are punishing those who share information that is not entirely accurate and may deceive the public. Therefore, the crucial aspect here is to avoid misleading people. If you decide to share information that is permissible by law, ensure that your clients comprehend and consent to it. So, do not make false claims that you are not sharing data and then proceed to do so.

Do you want to know how businesses that rely on consumer information to earn money can avoid getting in trouble with the FTC? Well, the CEO and co-founder of Huvr Inc., Herman DeBoard III, has some helpful tips for digital health companies that want to stay on the FTC's good side. Mr. DeBoard is also a former program manager for the Center of Disease Control's state immunizations department.

When you read that regulation, it pertains to sellers of private health records. It demands that they inform customers if there's a violation involving unprotected details. In this scenario, it looks like there has been no violation. The situation revolves around a company that revealed user information to third-party businesses to offer personalized promotions to their customers.

In my view, it all comes down to HIPAA. In essence, if your company gathers health information such as people's medication prescriptions, you can't claim that you won't share personal details and then proceed to sell them. Therefore, my recommendation is that if you intend to share or sell personal health data you've collected, consult your lawyer and incorporate these situations in your terms of service and privacy policy.

Next, it is important to provide your app users with the option to opt out of having their information sold by including a "Do not sell my information" feature. Additionally, make certain that your code adheres to this request. If you are still concerned about potential legal problems, you can maintain the ability to provide or sell data to partners for research purposes by de-identifying patient names, locations, and phone numbers, rendering the records anonymous.

To comply with regulations, simply adhere to the wording of the law. At present, my business is operating in 50 nations and the regulations related to privacy differ widely from region to region. While privacy is a central concern in politics, it's a fact that personal privacy is scarce these days. Consequently, I recommend that proprietors make certain they invest time to get familiar with the privacy legislation for each country they do business in.

Make sure your users know how you plan to use their information and allow them to choose not to participate.
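One way the advice above could look in code, as an added example that is not from the article or from any company it names: a partner export that honors a "Do not sell my information" flag and strips names, locations and phone numbers from what remains. The field names and sample records are hypothetical and constructed for illustration, and the example covers only the three identifier types the text lists.

```python
import re

# Hypothetical field names; the passage lists names, locations and phone numbers.
DIRECT_IDENTIFIERS = {"name", "address", "city", "zip", "phone"}
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")


def deidentify(record):
    """Drop direct-identifier fields and scrub them out of free-text values."""
    name = record.get("name", "")
    cleaned = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key == "do_not_sell":
            continue
        if isinstance(value, str):
            # Identifiers often leak into notes, so scrub free text as well.
            value = PHONE_RE.sub("[PHONE]", value)
            if name:
                value = re.sub(re.escape(name), "[NAME]", value, flags=re.IGNORECASE)
        cleaned[key] = value
    return cleaned


def export_for_partner(records):
    """Return de-identified records for users who have not opted out.

    Fails closed: a record is exported only when do_not_sell is explicitly
    False, so a missing or malformed flag is treated as an opt-out.
    """
    return [deidentify(r) for r in records if r.get("do_not_sell") is False]


# Constructed sample data, not real users.
SAMPLE = [
    {"name": "Ana Ruiz", "city": "Austin", "phone": "512-555-0101",
     "do_not_sell": False, "rx": "metformin",
     "notes": "Ana Ruiz asked for a callback at (512) 555-0101."},
    {"name": "Ben Cho", "city": "Reno", "phone": "775-555-0102",
     "do_not_sell": True, "rx": "sertraline", "notes": ""},
    {"name": "Cy Dale", "city": "Boise", "phone": "208-555-0103",
     "rx": "lisinopril", "notes": ""},  # flag missing: treated as opted out
]

if __name__ == "__main__":
    for row in export_for_partner(SAMPLE):
        print(row)
```

Placing the opt-out check inside the single export function, rather than in each caller, means every data path to a partner passes through the same gate.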
