Most health apps and wearables are not covered by HIPAA, and the FTC is now cracking down to ensure that users’ privacy is just as protected as if they were. In recent months, the FTC brought several cases against healthtech companies for unauthorized disclosure of personal health information to third parties. The cases resulted in costly penalties, restrictive permanent injunctions, and new healthcare policies and firm requirements for stronger privacy programs.
These new cases reflect the FTC’s tougher stance towards information sharing, particularly health information, by organizations that aren’t bound by HIPAA regulations. This is reinforced by a statement that the FTC released recently and updates it has proposed to existing legislation, requiring health apps to take greater care around data privacy.
FTC regulations for healthtech are becoming stricter
Section 5 of the FTC’s Health Breach Notification Rule (HBNR) regulates access to data for companies that aren’t covered by HIPAA. Its original wording and intent relates to security data breaches, but a 2021 statement expanded HBNR’s scope, clarifying that “a ‘breach’ is not limited to cybersecurity intrusions or nefarious behavior, but includes incidents of unauthorized access, including sharing of covered information without an individual’s authorization.”
In other words, any third party access to or use of user data without the user’s express consent is considered a data breach, and requires the company to notify all data subjects. This applies regardless of whether the incident was due to intentional sharing, a security failure, or third parties using data for additional purposes.
Violators could pay up to $43,792 per violation per day, and may face permanent prohibitions on sharing personal health information, which could make their business models unviable. The statement specifically mentions fitness and other health-related apps. Additionally, the FTC recently proposed amendments to HBNR to bring the text in line with this statement.
Recent cases show the FTC means business
The FTC is making it clear that the law has teeth. In February 2023, it brought a case against digital health company GoodRx for sharing user health information with third-party advertising platforms without user authorization. GoodRx was penalized with a $1.5 million fine; a ban on ever sharing user health information with third parties for advertising purposes and on sharing data for other purposes without affirmative express consent; and is required to limit retention of health and personal data, among other penalties.
Easy Healthcare’s fertility-tracking app, Premom, was similarly charged by the FTC in May 2023. Easy Healthcare had disclosed sensitive health data to third parties without user consent, allowed those parties broad leeway for data use, and had done so despite extensive promises around data privacy. Easy Healthcare was penalized with a fine of $100,000; a ban on sharing user personal health data at all for advertising purposes, and on sharing it for other purposes without express user consent; and has to set up a comprehensive privacy program.
What do the regulations mean for healthtech companies and health apps?
The FTC now takes a broad view of “health information,” which means that healthtech companies and health apps will have to apply privacy policies to many more data categories and be far more rigorous in their data oversight.
The new requirements include:
- Don’t use or collect data without consent: Refraining from collecting and using health information for advertising purposes without affirmative express user consent;
- Clear disclosure when asking for consent: Providing specific disclosures when requesting consent, including the data categories that will be collected, specific purposes for data collection, and the names of third parties collecting or accessing user data;
- Notifying consumers about unauthorized disclosures;
- Easy opt-out: Enabling a “simple, easily located” means for users to withdraw consent.
These mandates are not easy to meet. Apps frequently struggle to identify all their third parties, let alone name each one and the data it can access. It’s even harder to monitor changes to third-party data use. It’s also difficult for apps to request consent again each time a third party changes how it uses data, and to let users withdraw consent easily. Healthtech apps will have to completely reassess their data flows to make them much more transparent.
Privya can help healthtech companies maintain privacy
Privya’s advanced technology can scan the code in health apps to detect whenever data is shared with third parties, thereby giving healthtech companies visibility into data flows and information about each third party’s data access. Privya can also monitor data sharing and alert the company whenever data flows change, enabling companies to keep on top of data access and data use.
Healthtech apps need to ramp up their data privacy
It’s clear that health apps have no choice but to change their data sharing processes, or risk the severe fines and bans that could destroy their business viability. Gaining visibility into data access and use can be challenging, and Privya can help.