Including the recent cyberattacks on Change Healthcare and Ascension, security incidents are becoming increasingly common in healthcare. Reported events doubled between 2016 and 2021, causing delays in care, issues with billing, and problems for surrounding hospitals.
The Federal Trade Commission (FTC) has recently stepped in as a main guardian of healthcare data, setting policies and cracking down overall on companies that have leaked personal information.
The most commonly known healthcare information protection law is the Health Insurance Portability and Accountability Act (HIPAA), which protects medical records and personally identifiable health information. But some healthcare and data experts say the current privacy laws don’t do enough to protect data in a rapidly digitizing industry.
When a case falls outside of the current laws, the FTC investigates companies that release personal information—while also taking on Ticketmaster and Amazon, of course.
Ryan Mehm, an attorney in the FTC’s privacy and identification division, told Healthcare Brew that the FTC has a “great responsibility” to protect and secure consumer data privacy.
The FTC has two main tools to hold companies accountable: The first is the FTC Act, which prohibits “unfair or deceptive acts or practices.” This was used in the case against Eli Lilly. Another rule, the Health Breach Notification Rule (HBNR), requires companies with personal health records that aren’t covered by HIPAA to notify consumers, the FTC, and sometimes the press of a breach.
The commission updated the rule in late April to include health app and other digital health companies and to expand the information companies must provide to consumers during a data breach. In this way, FTC Bureau of Consumer Protection Director Samuel Levine said in the release that the effort “will ensure [the rule] keeps pace with changes in the health marketplace.”
Navigate the healthcare industry
Healthcare Brew covers pharmaceutical developments, health startups, the latest tech, and how it impacts hospitals and providers to keep administrators and providers informed.
“HIPAA generally applies to what are called covered entities and their business associates. However, what we are seeing more and more frequently in the marketplace is there are a whole host of entities that collect, transmit, share consumers sensitive health information that are not regulated by HIPAA. That is exactly and precisely where the FTC is stepping in to protect that data,” Mehm said. “We are doing that through a variety of enforcement actions, policy actions, as well as consumer and business education.”
In 2023, the FTC enforced the HBNR for the first time after drug discount provider GoodRx and ovulation tracking app Premom were charged with sharing personal health information with third parties.
GoodRx agreed to pay a $1.5 million civil penalty for not notifying customers that it had disclosed personal health information on social media and to other companies, while Premom paid a $100,000 civil penalty.
A few months later, digital therapy company BetterHelp agreed to pay $7.8 million for similarly sharing sensitive health data with four social media platforms for advertising purposes, “after promising to keep such data private,” according to the FTC.
“When we do bring the case, clearly the case is targeted against a specific entity. However…we are often, through the case, sending messages to the industry as a whole,” Mehm said.