Protecting the privacy of health information: A baker’s dozen takeaways from FTC cases
- In the past few months, the FTC has announced case after case involving consumers’ sensitive health data, alleging violations of both Section 5 of the FTC Act and the FTC’s Health Breach Notification Rule.
- The privacy of health information is top of mind for consumers – and so it’s top of mind for the FTC.
Health Privacy: The Basics
- Rather, it’s anything that conveys information – or enables an inference – about a consumer’s health.
- Indeed, Premom, BetterHelp, GoodRx, and Flo Health make clear that the fact that a consumer is using a particular health-related app or website – one related to mental health or fertility, for example – or how they interact with that app (say, turning “pregnancy mode” on or off) may itself be health information.
- Our guidance on health and location highlights the fact that location data can convey health information.
- For example, repeated trips to a cancer treatment facility may convey highly sensitive information about an individual’s health.
- To stay on the right side of the FTC Act, take a broad view of what constitutes health data and protect it accordingly.
- Your obligation to protect the privacy of health information is a given. The need for privacy-by-design is (or should be!)
HIPAA-related claims
- “HIPAA Compliant,” “HIPAA Secure,” and similar claims may deceive consumers. Compliance with HIPAA, the national law protecting the privacy of certain health information, has become a shorthand among patients and providers alike for health privacy protection.
- Not surprisingly, companies offering health-related products and services often want to tout HIPAA compliance to give consumers comfort – even if these companies aren’t actually covered by HIPAA or aren’t actually complying with HIPAA.
- FTC enforcement actions like GoodRx, BetterHelp, Henry Schein, and SkyMed make clear that HIPAA claims like that may deceive consumers, whether those consumers are health care providers (like the dentists in Henry Schein) or regular people (like the therapy patients in BetterHelp).
- In ECM, the FTC proved in court that a company that gave its business customers labels and certificates bearing false claims about biodegradability had provided “the means and instrumentalities” to deceive downstream consumers.
Other Health Privacy Practices
- It may be tempting to use your privacy policy to reserve the right to change your health data practices, so that any continued use of your service constitutes “consent” to the changes.
- The FTC’s action in Vitagene makes clear that’s not a lawful means for obtaining consent for material retroactive privacy policy changes.
- Hidden euphemisms don’t cut it. Rather than living up to their legal obligation to tell consumers the whole truth, some companies hide key terms about data practices in dense privacy policies or terms of service filled with ambiguous language that cloaks how they really use consumers’ health information.
- The orders in our recent health privacy cases uniformly require affirmative express consent – consent that can be obtained only following a clear and conspicuous disclosure of all material facts.