In July, the Federal Trade Commission and the Health and Human Services Department’s Office for Civil Rights sent a warning letter to 130 health systems and telehealth providers regarding the privacy risks of third-party tracking technology. The agencies said using such technologies could be a violation of the Health Insurance Portability and Accountability Act of 1996 or the FTC Health Breach Notification Rule, which requires companies that collect and share consumers’ health information to notify those consumers.
The FTC has also been enforcing its breach notification rule for the first time since its implementation in 2009. This spring, the agency penalized GoodRx for alleged violations of this rule.
Christine Moundas, partner at the healthcare practice at law firm Ropes & Gray, joined Modern Healthcare to talk about what this increased activity means for digital health companies and hospitals. The interview has been edited for length and clarity.
How is the FTC's Health Breach Notification Rule different from HIPAA?
It’s intended to really cover a gap and address entities that aren't covered by HIPAA but [use] health information. One of the difficulties is the government uses terminology that's not necessarily intuitive to try to describe that gap between the HIPAA-covered entities and the rest of the world. They use these terms: "personal health record vendors," and "PHR-related entities," and "third-party service providers." What the FTC meant by that is any type of technology that's not subject to HIPAA but is compiling health information. The way they introduced the terminology was difficult, but it is intended to hit a very large swath of entities.
What might be an example of this gap?
Even though people use [HIPAA] colloquially to mean privacy in general, HIPAA-covered entities are a very defined set of organizations: health plans, healthcare clearinghouses, and providers that are engaged in certain covered standard transactions. That generally means entities that engage in billing providers. HIPAA business associates are the vendors that might process protected health information on behalf of those HIPAA-covered entities. If you have a health-related app but it’s not related to a particular provider, health plan or clearinghouse, it’s outside of HIPAA. One example might be a direct-to-consumer app where patients pay out of pocket and do not engage in the covered transactions that make providers subject to HIPAA.
In May, the FTC proposed changes to the Health Breach Notification Rule. What are they?
One of the main things the agency did was work on the definitions to make it much clearer what that FTC Health Breach Notification Rule is intended to cover. When the rule initially came out in 2009, health apps were relatively new and a lot of people didn’t have smartphones at that point. Now there’s just been an explosion.
So [through the changes, the agency] has refined the definition around health apps and similar technologies. It also doubles back on what it meant by the term “breach of security” under the rule and makes clear that it intends that to include unauthorized acquisitions of identifiable health information that occur as a result of a data security breach or an unauthorized disclosure. It further expounded upon how these entities could provide breach notices to consumers and whether they could use email and other electronic means.
What do digital health companies need to know about complying with the rule?
The first penalties under this rule just came out in the past year, and it’s clear these regulators are really intending to enforce this rule. Digital health companies really need to think if they have policies and procedures and other documents in place to show that they are compliant. Most companies in this space don’t have an FTC Health Breach Notification Rule policy [that answers questions such as]: How would a company identify a potential breach under that rule? What would it do to investigate it? What procedures would it follow to actually provide notice of breach under that rule?
In HIPAA land, companies have had [procedures] like that for at least a decade now. I think these digital health companies that fall under [this law] really need to kind of apply the same rigor and start to think about their policies and procedures as something that will be really scrutinized in this space.
It’s also important for them to provide training to their employees. Employees must understand what their obligations are when it comes to this rule. In general, they need to think about what promises they are making to their customers. What requirements are they pushing down to their own sub-vendors? And how does that square with the Health Breach Notification Rule?
The fines the FTC has levied against the companies alleged to have violated the Health Breach Notification Rule have been relatively small. How do you see this enforcement playing out?
When regulators are starting to enforce rules, they tend to start small and then build up. I could see this being part of just an opening foray into more severe enforcement.
You have a whole area where [regulators are] scrutinizing arrangements and documents in a way that a lot of entities never thought to before. For instance, a lot of times people thought a website’s privacy policy was just kind of a form document or template. That website privacy policy is now being used by these regulators as basically the manual to understand what you are promising to consumers and exactly how you’re using their information. And they are holding organizations to their public representation.
I think it’s important that [companies] realize that these documents are more important than ever, and they are being scrutinized more than ever. And these things really require careful review by cross-disciplinary teams to make sure they’re accurate.
In July, the FTC and HHS sent letters to 130 hospitals and telehealth providers to warn them about third-party tracking. An April study in Health Affairs found more than 98% of hospitals use third-party tracking technologies on their websites. What should these hospitals make of this warning letter?
The HHS Office for Civil Rights and the FTC are coordinating on this issue in a way that we really haven’t seen before, down to the timing of the guidance they provided in the wintertime and their enforcement actions, as they’ve started to engage in investigations that we’ve seen being launched. And now, there are these warning letters.
We’ve been busy trying to help a lot of organizations get a handle on what is actually operating on their websites, their portals and their apps, which is sometimes a very technical and complex review. We’re helping determine what their obligations are depending on what they find and how to remediate whatever they find. Organizations need to look at this very carefully and move quickly. These regulators are very serious and they could very quickly turn a warning letter into an investigation letter.
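The website review described above, as an added example that is not part of the article or of the firm's own practice: a small Python inventory of the third-party hosts a page loads scripts, images, frames and stylesheets from, which is the first question such a review has to answer. The hospital and tracker hostnames and the HTML are constructed for illustration.

```python
# Added example, not from the article: inventory the third-party hosts a page
# loads resources from. Hosts and HTML below are constructed for illustration.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attribute whose value makes the browser fetch from another origin.
SRC_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

class _ResourceCollector(HTMLParser):
    """Collects (tag, url) pairs for every resource-loading start tag."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        attr = SRC_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            self.found.append((tag, value))

def third_party_hosts(html, first_party_host):
    """Return {host: sorted tag names} for resources not served by the
    first-party host or one of its subdomains (relative URLs are first-party)."""
    collector = _ResourceCollector()
    collector.feed(html)
    report = {}
    for tag, url in collector.found:
        if url.startswith("//"):          # protocol-relative URL
            url = "https:" + url
        host = urlparse(url).hostname     # None for relative paths
        if (host is None or host == first_party_host
                or host.endswith("." + first_party_host)):
            continue
        report.setdefault(host, set()).add(tag)
    return {h: sorted(t) for h, t in sorted(report.items())}

# Constructed sample page for a fictional hospital site (hospital.example).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.hospital.example/app.js"></script>
<script src="https://tag.tracker-one.example/pixel.js"></script>
</head><body>
<img src="//px.tracker-two.example/i.gif?page=portal-login" width="1">
<iframe src="https://chat.vendor-three.example/widget"></iframe>
</body></html>"""
```

Calling `third_party_hosts(SAMPLE_HTML, "hospital.example")` reports the three external hosts (the tracker script, the tracking pixel and the chat widget frame) and omits the first-party CDN and the relative stylesheet; the page path carried in the pixel's query string is the kind of detail the review then has to assess.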
Correction: A previous version of the article misstated the law under which Teladoc’s BetterHelp was fined by the Federal Trade Commission to resolve allegations the company shared consumers’ sensitive health data.