September 28, 2022

The Federal Trade Commission and Health Privacy

By Tim Sheble-Hall


With each online transaction, consumers grow more comfortable sharing personal information on the internet. Online shoppers, once wary of handing credit card numbers to vendors, now collectively execute a staggering number of financial transactions each day with the click of a button. Social media users, once reluctant to publish personal photos on the web, now broadcast intimate life details to any willing viewer online.

The same is true of personal health data. Whether a user enters weight and height into an online Body Mass Index (BMI) calculator, a sleep schedule into a sleep-tracking mobile app, or a live heart rate into a workout app, each of these is a transfer of health data from a person to an entity over the internet. What happens to that data once it has served its initial purpose of giving the user the result they wanted (a BMI, a sleep pattern, a heart-health reading)? What does the collecting entity do with it? The answer matters, because personal health information in the hands of someone with nefarious intent can have catastrophic consequences.

The Health Insurance Portability and Accountability Act (HIPAA) is one of the strongest data privacy laws in the United States, and it applies to health plans, healthcare clearinghouses, and those healthcare providers that conduct certain health transactions electronically. When an electronic health record is created as a result of a patient's visit to a doctor, that record is protected by HIPAA and its implementing regulations, enforced by the Department of Health and Human Services' Office for Civil Rights (OCR). When a user voluntarily provides health information to a mobile app, however, that data is often not protected by HIPAA, because the app developer is not a HIPAA-covered entity. With the proliferation of mobile apps collecting health information, several questions rise to the surface: Who oversees this massive collection of sensitive health data? Who ensures that the collecting entity safeguards the data responsibly? Who ensures that affected consumers are notified when that data is breached?

In most cases, the answer to these relatively new questions is the Federal Trade Commission (FTC). The FTC is an independent federal agency led by five commissioners, who are nominated by the president, confirmed by the Senate, and serve seven-year terms. Section 5(a) of the FTC Act provides that “unfair or deceptive acts or practices in or affecting commerce . . . are . . . declared unlawful.” The FTC views this language, and courts have agreed, as a source of authority to protect consumers from unfair and deceptive actors in the marketplace. While data privacy is not mentioned in the FTC Act, the FTC has interpreted, and courts have again agreed, that it has authority to regulate unfair and deceptive acts in the context of data privacy. The FTC enforces its findings chiefly through consent orders, which impose requirements such as comprehensive security programs and independent assessments; monetary penalties follow when a company violates a rule or an existing order.

Past Enforcement Actions

The FTC will bring an enforcement action when it believes that an actor has violated Section 5 of the FTC Act. Past FTC consent decrees stack upon one another to create a form of common law in the realm of data privacy. Kristin Cohen, Acting Associate Director, FTC Division of Privacy & Identity Protection, states: “We will vigorously enforce the law if we uncover illegal conduct that exploits Americans’ location, health, or other sensitive data. The FTC’s past enforcement actions provide a roadmap for firms seeking to comply with the law.” As the quote suggests, past FTC enforcement actions provide guidance for entities in the scope of FTC enforcement.

In the Matter of LabMD, Inc.

LabMD was a medical laboratory that conducted cancer diagnostic testing using medical specimen samples and patient health information. The FTC filed a complaint in 2013 alleging that LabMD billing information for over 9,000 consumers had been found on a peer-to-peer (P2P) file-sharing network and that, in 2012, LabMD documents containing sensitive personal information of at least 500 consumers had been found in the possession of identity thieves. The FTC alleged that LabMD:

  • did not implement or maintain a comprehensive data security program to protect this information;
  • did not use readily available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities to this information;
  • did not use adequate measures to prevent employees from accessing personal information not needed to perform their jobs;
  • did not adequately train employees on basic security practices; and
  • did not use readily available measures to prevent and detect unauthorized access to personal information. 

The FTC found that these failures were “unfair” under Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices” and directs the Commission to prevent them. In a circuitous legal battle that reached the Eleventh Circuit Court of Appeals, the court ultimately vacated the FTC's cease-and-desist order for lack of specificity: the order required a “reasonable” security program without saying what that program had to contain. The court's decision was narrow in scope and did not prevent the FTC from continuing to assert authority over data privacy matters.

In the Matter of Practice Fusion, Inc.

Practice Fusion was a supplier of electronic health record systems to medical providers. The FTC’s 2016 complaint alleged that Practice Fusion solicited reviews from patients of its contracted providers without supplying adequate notice that the reviews would be posted publicly online. As a result, patients supplied sensitive personal health data, not realizing that Practice Fusion would post the information publicly. In many instances, patients provided responses to Practice Fusion with notes to their doctor about symptoms of their conditions, falsely believing that their message would be sent privately to their doctor rather than posted online.

The FTC stated in its complaint that Practice Fusion’s alleged practices constituted deceptive acts in violation of Section 5(a) of the FTC Act. Practice Fusion agreed to a settlement in which it was prohibited from misrepresenting the extent of its use of any patient information, including the data it makes publicly available, and from posting any personal identifiable information of its provider customers’ patients online without explicit consent.

In the Matter of SkyMed International, Inc.

SkyMed sells emergency travel evacuation services to travelers who may sustain an injury or illness away from home. In a complaint first announced in December 2020, the FTC alleged that SkyMed “failed to employ reasonable measures to protect consumers' personal information” when it left a cloud database containing more than 130,000 records of consumer personal information publicly accessible on the internet, without authentication, for at least five months. The exposed database contained personal health information that SkyMed collected from customers, including names, dates of birth, and health information.

In a settlement reached with the FTC, SkyMed agreed to implement a comprehensive information security program, obtain biennial assessments of the program by a third party, and notify affected consumers, explaining the breach of personal information. SkyMed is also prohibited from misrepresenting its handling of personal health data under the settlement.

In the Matter of Flo Health, Inc.

Flo Health, Inc. publishes Flo, a mobile application that provides an ovulation calendar, a period tracker, and a pregnancy guide. Users enter data about their menstruation and gynecological health. The app has been downloaded over 100 million times and was the most downloaded health and fitness app in the Apple App Store in August 2019.

In a complaint first announced in January 2021, the FTC alleged that Flo Health disclosed the personal health data collected by its app to third parties for years, in direct conflict with the privacy policy it showed users. The complaint alleged that Flo Health broke the promise in that policy, which stated that information shared with third parties “excluded information regarding your marked cycles, pregnancy, symptoms….” According to the complaint, Flo Health transmitted sensitive user health data to numerous third-party marketing and analytics firms, including Facebook, Flurry, Fabric, AppsFlyer, and Google. This data was allegedly transferred without any contractual limit on how the third parties could use it, so that rather than being restricted to measuring the Flo app's own performance, it could be used for the third parties' independent purposes.

A settlement between the FTC and Flo Health requires the company to obtain users' affirmative express consent before sharing their health information with third parties. Flo Health also agreed to an independent review of its privacy practices.
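The failure mode the complaint describes is an app handing whole analytics events, health fields included, to third-party SDKs. The following is an added example in Python, not code from Flo Health or from the FTC's filings, that puts that leaky pattern beside a hardened one: the privacy-policy promise is encoded as an allowlist of fields that may leave the app, and any event that still carries health data after projection is refused rather than sent. The allowlist, the health-related tokens, and the sample events are constructed for illustration.

```python
"""Egress filter for third-party analytics/marketing SDKs.

Added example; not code from Flo Health or from the FTC's complaint. It puts
the pattern the complaint describes (whole app events handed to analytics
SDKs) beside a hardened path that enforces the privacy-policy promise as an
allowlist. The allowlist, the health tokens and the sample events are
constructed for illustration.
"""
from __future__ import annotations

import re

# Hypothetical allowlist: the only top-level keys the privacy policy lets
# leave the app for third-party analytics.
THIRD_PARTY_ALLOWLIST = frozenset({"event", "screen", "app_version", "locale"})

# Hypothetical substrings that mark a key or a string value as health-related.
# Substring matching catches variants such as "pregnancy_week" or
# "last_period" that an exact-key denylist would miss.
HEALTH_TOKENS = ("pregnan", "period", "cycle", "ovulat", "symptom", "menstru")
_HEALTH_RE = re.compile("|".join(HEALTH_TOKENS), re.IGNORECASE)


class PolicyViolation(Exception):
    """Raised when an outbound event would leak health data to a third party."""


def health_paths(payload, prefix: str = "") -> list[str]:
    """Dotted paths of every key whose name, or whose string value, looks
    health-related, searched at any depth of nested dicts and lists."""
    found: list[str] = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            path = f"{prefix}.{key}" if prefix else str(key)
            if _HEALTH_RE.search(str(key)) or (
                isinstance(value, str) and _HEALTH_RE.search(value)
            ):
                found.append(path)
            found.extend(health_paths(value, path))
    elif isinstance(payload, list):
        for i, item in enumerate(payload):
            found.extend(health_paths(item, f"{prefix}[{i}]"))
    return found


def send_unfiltered(event: dict, sink: list) -> None:
    """The leaky pattern: forward the whole event to the SDK, whatever it holds."""
    sink.append(dict(event))


def send_filtered(event: dict, sink: list) -> list[str]:
    """The hardened pattern. Projects the event onto the allowlist, refuses to
    send if health data survives (an event name or screen name that encodes
    health state leaks just as surely as a dedicated field), and returns the
    dropped keys so the caller can log the redaction."""
    projected = {k: v for k, v in event.items() if k in THIRD_PARTY_ALLOWLIST}
    leaks = health_paths(projected)
    if leaks:
        raise PolicyViolation(f"health data in third-party payload: {leaks}")
    sink.append(projected)
    return sorted(k for k in event if k not in THIRD_PARTY_ALLOWLIST)


# Constructed sample events, not real app traffic.
SAMPLE_EVENTS = [
    {"event": "screen_view", "screen": "calendar", "app_version": "4.2.0",
     "locale": "en_US", "cycle_day": 14, "symptoms": ["cramps"]},
    {"event": "pregnancy_week_selected", "screen": "pregnancy",
     "app_version": "4.2.0", "locale": "en_US"},
]


def demo() -> dict:
    """Run both paths over the samples and report what each one let through."""
    leaky_sink: list[dict] = []
    safe_sink: list[dict] = []
    send_unfiltered(SAMPLE_EVENTS[0], leaky_sink)
    dropped = send_filtered(SAMPLE_EVENTS[0], safe_sink)
    try:
        send_filtered(SAMPLE_EVENTS[1], safe_sink)
        second_blocked = False
    except PolicyViolation:
        second_blocked = True
    return {
        "leaked_by_unfiltered": health_paths(leaky_sink[0]),
        "dropped_by_filter": dropped,
        "safe_payload": safe_sink[0],
        "second_event_blocked": second_blocked,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The allowlist does the routine work; the post-projection scan is the safety net for the case the first sample does not show but the second does, where an allowlisted field's value (an event or screen name) encodes the health state itself. Refusing the send, rather than silently stripping, surfaces the policy conflict to developers instead of burying it in the SDK's traffic.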

Looking Ahead

Lina Khan was sworn in as chair of the Federal Trade Commission on June 15, 2021, and has clearly demonstrated that data privacy is a priority. In a 2021 report to Congress, Khan stated that “policing data privacy and security is now a mainstay of the FTC’s work.” In this report, Khan pointed to the threat of privacy breaches and the “commercialization of sensitive health data.” As a keynote speaker at the International Association of Privacy Professionals Global Privacy Summit in April 2022, Khan noted “the pandemic hastened the digitization of our economy and society, further embedding digital technologies deeper into our lives.” She again highlighted the growing security threat that accompanies this trend of increased digitization and specifically noted sensitive health data as an area of concern.

The prioritization of policing data privacy practices, and health data in particular, is evident not only in remarks from FTC Chair Khan but also in the proliferation of blogs and policy documents from the FTC on the subject. In addition, on August 11, 2022, the FTC announced an Advance Notice of Proposed Rulemaking (ANPR) exploring rules to “crack down on harmful commercial surveillance and lax data security.” The FTC is currently seeking public comment before crafting any rule directed at commercial data collection and security practices.

Another indication of the FTC's focus on data privacy is its apparent resurrection of the FTC Breach Notification Rule (formally the Health Breach Notification Rule, 16 C.F.R. Part 318). On September 15, 2021, the FTC released a policy statement providing guidance on the Rule. The Rule requires entities that suffer a breach of health information collected from consumers to give certain notices, and the notices required depend on the size of the breach. Although the FTC finalized the Rule in 2009 and it has been enforceable since 2010, the Commission has never brought an action under it. As the policy statement makes clear, the FTC now intends to hold entities accountable when they ignore the Rule's requirements.

While the Rule shares some components with the HIPAA Breach Notification Rule, the FTC Rule does not apply to HIPAA-covered entities. The FTC Rule defines three categories of covered entities: (1) vendors of personal health records (PHR), (2) PHR-related entities, and (3) third-party service providers.

  • Vendor of Personal Health Records: A vendor of PHR is an entity “that offers or maintains a personal health record.” A PHR is defined as “an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.”
  • PHR-related entity: A PHR-related entity is one that interacts with a vendor of personal health records by offering products or services through the vendor’s website or “accesses information in a personal health record or sends information to a personal health record.”
  • Third-Party Service Provider: A third-party service provider is an entity that provides services involving the use, maintenance, disclosure, or disposal of health information to vendors of personal health records or PHR-related entities.

The FTC Breach Notification Rule is triggered by the unauthorized acquisition of unsecured PHR identifiable health information in a personal health record. Such an acquisition could occur through an attack by an outside party, through a vendor employee accidentally sharing the data with an unauthorized party, or through a vendor intentionally sharing it without the data subject's authorization. Each of these is a breach that the entity must evaluate against the Rule.

If an entity determines a breach has occurred that triggers the Rule, there are three parties that may need to be provided notice:

  • Each affected person: Each affected individual who is a citizen or resident of the United States must be notified without unreasonable delay and in no case later than 60 calendar days after discovery of the breach.
  • Federal Trade Commission: Breaches affecting fewer than 500 people are recorded in a log that is submitted to the FTC annually, no later than 60 calendar days after the end of the calendar year in which the breaches were discovered. If 500 or more people are affected, the FTC must be notified as soon as possible and no later than 10 business days after discovery of the breach.
  • Media: If 500 or more residents of a State or jurisdiction are affected, prominent media outlets serving that State or jurisdiction must be notified without unreasonable delay and no later than 60 calendar days after discovery.
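The deadlines above branch on the size of the breach and mix calendar days with business days, which is where incident-response playbooks tend to get them wrong. The following is an added example in Python, not FTC code or guidance, that turns the article's summary of the Rule into a deadline calculator. It assumes a five-day business week with federal holidays ignored (a real playbook should subtract them) and, following the article's wording, uses a single count of affected individuals for the media threshold rather than the Rule's per-State count; the dates in the demonstration scenario are constructed.

```python
"""Notice deadlines under the FTC Health Breach Notification Rule, as this
article summarizes it.

Added example; not FTC code or guidance. Assumptions: a five-day business
week with federal holidays ignored (a real playbook subtracts them), and
that `affected` counts the U.S. individuals whose unsecured PHR identifiable
health information was acquired. The 60-day figures are outer limits; the
Rule also requires notice "without unreasonable delay".
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

LARGE_BREACH = 500             # individuals at or above which the stricter duties apply
INDIVIDUAL_DEADLINE_DAYS = 60  # calendar days after discovery
MEDIA_DEADLINE_DAYS = 60       # calendar days after discovery
FTC_LARGE_BUSINESS_DAYS = 10   # business days after discovery
ANNUAL_LOG_DAYS = 60           # calendar days after the end of the calendar year


def add_business_days(start: date, n: int) -> date:
    """Advance `start` by `n` weekdays (Mon-Fri). Holidays are not skipped
    (assumption); wire in a federal-holiday calendar before relying on this."""
    if n < 0:
        raise ValueError("n must be non-negative")
    current = start
    while n > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:   # Monday=0 ... Friday=4
            n -= 1
    return current


@dataclass(frozen=True)
class NoticePlan:
    individuals_by: date
    ftc_by: date
    ftc_basis: str              # "10 business days" or "annual log"
    media_by: Optional[date]    # None when the media duty is not triggered


def notice_plan(discovered: date, affected: int) -> NoticePlan:
    """Compute outer deadlines from the discovery date. `discovered` is the
    first day the breach was known or reasonably should have been known."""
    if affected <= 0:
        raise ValueError("affected must be a positive count of individuals")
    individuals_by = discovered + timedelta(days=INDIVIDUAL_DEADLINE_DAYS)
    if affected >= LARGE_BREACH:
        ftc_by = add_business_days(discovered, FTC_LARGE_BUSINESS_DAYS)
        ftc_basis = "10 business days"
        # The Rule's media trigger is 500 or more residents of one State or
        # jurisdiction; this follows the article's simpler single count.
        media_by = discovered + timedelta(days=MEDIA_DEADLINE_DAYS)
    else:
        # Smaller breaches go into a log submitted once a year.
        year_end = date(discovered.year, 12, 31)
        ftc_by = year_end + timedelta(days=ANNUAL_LOG_DAYS)
        ftc_basis = "annual log"
        media_by = None
    return NoticePlan(individuals_by, ftc_by, ftc_basis, media_by)


if __name__ == "__main__":
    # Constructed scenario: 130,000 records, discovered on 28 September 2022.
    print(notice_plan(date(2022, 9, 28), 130_000))
    # Constructed scenario: 120 individuals, same discovery date.
    print(notice_plan(date(2022, 9, 28), 120))
```

For the large-breach scenario the FTC deadline lands on 12 October 2022, two weeks before the 60-day individual and media deadline of 27 November; a holiday-aware calendar would push it later by one business day for each federal holiday in the window. The small-breach scenario shows the other edge: the FTC is not notified per incident at all, only in the annual log due 1 March 2023.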

The crux of the Rule is this: entities that collect health data must act to provide notice to affected parties when the data is breached. While this has been true for a number of years now, the FTC with its recent policy statement has clarified the requirement and announced its intent to enforce the Rule going forward.


With no broad federal data privacy legislation currently on the books in the United States, the FTC is perhaps the strongest regulator of data privacy practices in the marketplace. Remarks from Chair Lina Khan, along with the growing body of guidance from the FTC, make clear that the agency intends to protect consumer health data collected outside the scope of HIPAA. Entities outside the scope of HIPAA are not exempt from regulatory consequences. For the benefit of the business and the consumer, entities collecting consumer health data must put meaningful thought and preparation into their data privacy and security practices. As a starting point, they should prioritize (1) sound data security practices, (2) transparency to consumers (do what you say you will in the privacy policy), and (3) disclosure of breaches.

    Tim Sheble-Hall, Esq.

    nirvanaHealth, Southborough, MA

    Tim Sheble-Hall works in healthcare compliance at nirvanaHealth. He holds the Certified Information Privacy Professional/United States (CIPP/US) credential from the International Association of Privacy Professionals and tracks regulatory developments at the intersection of health and technology.

    The material in all ABA publications is copyrighted and may be reprinted by permission only.