The Federal Trade Commission (FTC) has signaled increased scrutiny over the treatment of sensitive health information through use of the Health Breach Notification Rule, which was originally adopted in 2009 to hold non-HIPAA entities accountable for breaches that disclose sensitive health data. FTC action could include millions of dollars in fines and should put the entire health tech industry on watch regarding their practices around using health data for advertising purposes. Companies in this space should be cognizant of how to proceed in the face of a potential increase in such actions by the FTC.
Why It Matters
The digital economy continues to grow. It’s estimated that there was $189 billion in digital advertising revenue in 2021, a 35% increase from the year prior.1
That spending is partially due to the success of Ad Tech and the popularity of website pixels and other vendor technologies that track and log user activities on websites in order to serve targeted advertisements. These Ad Tech tools have been recognized for providing enormous benefits and value by facilitating not just digital advertising, but also user personalization and site analytics.2 Companies of all sizes have adopted this technology wholeheartedly as a way to connect with customers and prospects.
By invoking the Health Breach Notification Rule, the FTC is sending a message to health tech companies that sharing sensitive, individually identifiable health information with advertisers for advertising purposes may be considered a “breach of security.”3 Providing clear disclosures to customers about how their information will be used is now more important than ever before.
Should Companies Be Surprised?
With the explosion of health tech, wearables and other apps and websites that collect, analyze and store health information, the lines between technology-enabled services, health vendors and traditional medical providers are blurring. Yet, the Biden Administration has made the protection of individual privacy, particularly regarding health and location data, a policy priority. Keep in mind:
- On December 1, 2022, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights issued a bulletin announcing that the use of Ad Tech by HIPAA covered entities may violate HIPAA rules, including the use of cookies, web beacons or tracking pixels.4
- While the FTC has not previously invoked the Health Breach Notification Rule, it was implemented over a decade ago in 2009.5 A policy statement was made in 2021 that health apps and connected devices must comply with the rule.6
- In February 2023, President Biden’s State of the Union Address emphasized establishing strict and clear guidelines for sharing sensitive data as a priority and that maintaining the security of such data falls on collecting companies rather than the data subjects themselves.7
Lawmakers and regulators are sending numerous signals that using Ad Tech without clear disclosures will come with enhanced regulatory risk. Time will tell whether these actions by the FTC will have a chilling effect on the current flood of investment into health tech, or whether users will applaud efforts to rein in the spread of personal information across networks.
Recommended Actions
Companies can no longer rely on what has historically been considered an industry standard or best practice when it comes to using personal and identifiable health information for advertising purposes. The combination of increased regulatory scrutiny and emerging state consumer privacy laws dictates robust Ad Tech governance to demonstrate accountability and a defensible position. Executives must stay ahead of state and federal regulatory trends and consumer preferences to ensure that enforcement actions do not compromise strategic business objectives.
- For Chief Executive Officers, understanding the role sensitive data plays in the overall business model, as well as how this data is used to support advertising activities, is crucial to safeguarding long-term growth and sustainability. CEOs need to ensure company practices align with customer expectations and should be aware of the potential ramifications of using sensitive health data, as well as the reputational and regulatory risks that can emerge if such information is compromised or shared without informed consent.
- For Chief Information Officers, Chief Privacy Officers and Chief Risk Officers, implementing data control policies that foster customer trust and align with regulatory requirements is paramount. Companies, and the private equity firms investing in health tech startups, should: assess data flows; include Ad Tech in their third-party vendor risk management program; and make sure user disclosures, notifications and privacy policies are updated, accurate and reflect current technologies, products and services.
- For Chief Communications Officers, the priority is to be prepared to communicate the company’s commitment to privacy, and to be honest and transparent about how the collection and use of data informs and improves the user experience. Prepare for data breaches, regulatory scrutiny and activist situations by having a comprehensive communications and engagement strategy across multiple scenarios, and strengthen the company’s ability to respond rapidly through tabletop exercises and other crisis simulations.
For further information, please contact:
Lauren Crawford Shaver, FTI Consulting
lauren.crawfordshaver@fticonsulting.com
Footnotes:
1: Kate Tumino and Brittany Tibaldi, “Digital Advertising Soared 35% to $189 Billion in 2021 According to the IAB Internet Advertising Revenue Report,” IAB (April 12, 2022), https://www.iab.com/news/digital-advertising-soared-35-to-189-billion-in-2021-according-to-the-iab-internet-advertising-revenue-report/.
2: “Information Technology Gartner Glossary: Ad Tech,” Gartner, Inc. (last visited March 9, 2023), https://www.gartner.com/en/information-technology/glossary/ad-tech.
3: “Statement of the Commission On Breaches by Health Apps and Other Connected Devices,” Federal Trade Commission (September 15, 2021), https://www.ftc.gov/system/files/documents/public_statements/1596364/statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf.
4: “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates,” U.S. Department of Health & Human Services (last reviewed December 1, 2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html.
5: Health Breach Notification Rule, 16 C.F.R. § 318.1 (2009), https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-318.
6: Elisa Jillson and Ryan Mehm, “FTC Warns Health Apps and Connected Device Companies to Comply With Health Breach Notification Rule,” Federal Trade Commission (September 15, 2021), https://www.ftc.gov/news-events/news/press-releases/2021/09/ftc-warns-health-apps-connected-device-companies-comply-health-breach-notification-rule.
7: “FACT SHEET: In State of the Union, President Biden to Outline Vision to Advance Progress on Unity Agenda in Year Ahead,” The White House (February 7, 2023), https://www.whitehouse.gov/briefing-room/statements-releases/2023/02/07/fact-sheet-in-state-of-the-union-president-biden-to-outline-vision-to-advance-progress-on-unity-agenda-in-year-ahead/.