Digital health companies should re-evaluate how user data is acquired and shared following the Federal Trade Commission's enforcement action against GoodRx, experts said.
Earlier this month the Justice Department, on behalf of the FTC, filed a complaint and proposed order for permanent injunction against GoodRx. Under the order, the company would be prohibited from sharing health information with third parties and be fined $1.5 million. The order, which the consumer drug price comparison and digital health company agreed to, requires the approval of the U.S. District Court for the Northern District of California.
Related: GoodRx shared consumer’s health info with Facebook, Google, FTC alleges
The FTC alleges GoodRx was sharing health information with third parties. The case is the first time the FTC's 2009 Health Breach Notification Rule, which requires companies that collect and share consumers’ health information to notify those consumers, has been enforced.
"I think this is a wake-up call," said Milan Bhatt, president and global head of the healthcare vertical at Hexaware Technologies, an IT and consulting company. “Organizations that are in the adjacencies of the healthcare market, I don't think they understand it very well.”
Experts agreed it is difficult to offer specific guidance to digital health companies seeking clarity on how their practices would be interpreted because the precedent is so new and evolving.
“I think there's a level of uncertainty,” said Bill Dillon, a shareholder specializing in healthcare regulatory cases at law firm Gunster. “I think [companies] are wise to understand and take a look at what [the FTC] did.”
Others agreed. While there are evolving legal concerns, the data is key to companies' business strategies—either to use themselves or to sell to advertisers—and in some cases, fines from federal regulators could be worth the opportunity cost.
“Are you just willing to keep paying a small fine once in a while?” said Erik Gordon, a clinical assistant professor business at University of Michigan. “I mean, you're willing to spend money on advertising to get your hands on the data. If you have to spend your money on fines to get your hands on the data, and then turn the data into money, maybe you do it.”
As customer acquisition costs continue to rise, many companies are finding they need to spend more to reach the same number of customers—especially on social media networks.
Read more: As ad costs rise, digital health companies are building with communities
For other companies, selling user data is a specific business strategy to add to the bottom line.
Several companies declined or did not respond to interview requests to address whether their approaches to data privacy would change. Others were reluctant to discuss the financial benefits of sharing users' data. It is clear companies will continue acquiring a wealth of user data but the uncertainty centers on how and with whom it will be shared.
Curitics, a value-based insurance company serving Medicare and Medicaid patients, said it does not sell user data, but it does share it with other companies. “It doesn't worry me, because at least from our perspective, we aim to be very much adaptable,” said Christopher Pempsell, the company's co-founder and chief product officer. “This data is here to stay, if anything, the data sets will continue to deepen over time.”
As long as the data are de-identified, sharing them is fine under the HIPAA privacy and security rules.
"Many people are more than willing to share their data with their doctor, their health plan, or a company that's managing their disease in general," said Movano Health CEO John Mastrototaro.
He said the company, which will start selling a wearable for women this summer, has no plans to sell its users’ data, but emphasized the value of sharing it.
Sharing user data is necessary for the bottom line of many digital health companies that are attempting to show value to large-scale payer organizations so they can market their products to businesses rather than consumers. There's a consensus that companies must first show value and interest with consumers before pitching to businesses. Data is foundational to that approach.
The strategy essentially follows Fitbit’s model of first winning over consumers and then using the proof of concept to win over enterprise customers.
While Pempsell said changing interpretations of data privacy would affect the company, he said he was not concerned about the industry’s ability to adapt and predicted a set of established guardrails would be in place within the next five to 10 years. “These decisions will continue to be made both from a regulatory level as well as from a data sharing perspective that will ultimately affect us,” Pempsell said.
Most experts predicted more regulatory actions are on the horizon.
“If your business is of any size or you intend to grow it at any size, assume that what you're doing will be detected and will be examined,” Gordon said. “The only way to be under the radar is to be so small that you're not going to really be a factor in the healthcare industry.”
This story first appeared in Digital Health Business & Technology.