HHS and FTC Coordinate Enforcement Activities on Emerging Health Information Regulatory Issues
The Roles of HHS and FTC in Health Information Regulation
The central pillar of federal health information regulation is the Health Insurance Portability and Accountability Act (HIPAA). Enforced by the HHS Office for Civil Rights (OCR), HIPAA consists of several rules, including the Privacy Rule, Security Rule, and Breach Notification Rule, which collectively work to safeguard individuals’ “protected health information” (PHI).
While HIPAA establishes a robust framework to ensure the privacy and security of PHI, it is more limited in scope than many people realize. Only specifically defined “covered entities,” including health care providers and health plans, along with their “business associates” (BAs), must comply with the HIPAA Privacy Rule's restrictions on uses and disclosures of PHI and other HIPAA requirements. A party that obtains PHI but is not a covered entity or BA generally falls outside of OCR's enforcement jurisdiction. To that extent, HIPAA reflects a sector-specific approach to information privacy and security regulation.
In contrast, the namesake legislation that the FTC enforces is neither sector-specific nor explicitly a health information protection law. Section 5 of the FTC Act provides only that “unfair or deceptive acts or practices in or affecting commerce” are unlawful. A recently updated HHS/FTC joint publication about federal health information laws explains that, under Section 5, companies, including HIPAA covered entities and their BAs, “must not mislead consumers about – among other things – what's happening with their health information.” Additionally, as the FTC has interpreted it, the statute requires companies to “ensure [their] health data practices aren't causing more harm than good.”
In some instances, the same facts may give rise to both a HIPAA violation and a Section 5 violation. For example, if a covered entity induces a patient to authorize use or disclosure of the patient's PHI for marketing purposes on the belief that the patient must do so to receive treatment, the covered entity may be in violation of the HIPAA Privacy Rule, which generally prohibits conditioning treatment on an authorization to use or disclose PHI. As the HHS/FTC joint privacy guidance notes, such conduct may also constitute a “deceptive or misleading” act or practice under Section 5 insofar as the covered entity obtains the authorization based on a misrepresentation of HIPAA Privacy Rule requirements.
The Health Breach Notification Rule (HBNR) is another legal authority the FTC enforces to monitor business practices involving individuals’ health information. Modeled after the HIPAA Breach Notification Rule, the HBNR requires mobile health app developers and other companies that collect, use, or share individuals’ health information but are not regulated under HIPAA to notify consumers, the FTC, and, in some cases, the media of the unauthorized acquisition of individually identifiable health information in an app or other personal health record.
2023 has been a pivotal year in the FTC's enforcement of the HBNR. In February, the FTC took its first enforcement action under the HBNR since the agency promulgated the rule in 2009, obtaining a $1.5 million civil penalty against GoodRx, a digital health platform, for failing to provide notification of unauthorized disclosures of individuals’ health information. Citing the GoodRx case and the proliferation of apps and other direct-to-consumer health technologies since 2009, the FTC issued a notice of proposed rulemaking (NPRM) in June to amend the HBNR for the first time. Among other changes, the NPRM proposes to modernize the method of notice of unauthorized disclosures of individuals’ health information, expand the content of the notice, and articulate the penalties for noncompliance.
Increasingly, the FTC and HHS are conducting joint health information enforcement activities and aligning their respective enforcement agendas around similar policy goals. This interagency cooperation is evident in recent actions the agencies have taken to address online tracking technologies, reproductive health privacy, and information blocking.
1. Tracking Technologies
Tracking technologies refer to techniques for collecting and storing information about how users interact with certain websites and mobile apps. Over the past year, the FTC and HHS have both warned health care providers and other stakeholders about the risks associated with using tracking technologies, such as tracking pixels, on websites, apps, and other health platforms.
The FTC's emphasis on tracking of sensitive health information is notably evident in the GoodRx enforcement action. There, the FTC alleged that GoodRx engaged in advertising activities using pixels to collect and share users’ health information, including information about their prescription medications and health conditions, with large and well-known third-party social media and advertising platforms. According to the FTC, these practices constituted breaches of its users’ information, and the company's failure to notify affected users and other parties of those breaches was a violation of the HBNR. Additionally, the agency claimed that GoodRx committed multiple violations of Section 5 of the FTC Act, including by misrepresenting on its associated telehealth platform that it was a HIPAA covered entity and that its practices were HIPAA compliant.
While the FTC's enforcement in the GoodRx case was premised on GoodRx not being a HIPAA covered entity, OCR conceivably could invoke HIPAA to take action against a covered entity in very similar circumstances. OCR's rationale for how HIPAA regulates usage of tracking technologies by covered entities and their BAs is outlined in an advisory bulletin the agency released last year. However, whether HIPAA actually gives OCR the authority it asserts in the bulletin is a topic of dispute; in a recently filed federal lawsuit, the American Hospital Association contends that the bulletin exceeds the scope of OCR's statutory authority and fails to comply with rulemaking requirements under the Administrative Procedure Act.
Voicing concerns similar to the FTC's about how tracking technologies are used and the associated risks, OCR's bulletin explains that tracking technologies embedded on HIPAA regulated entities’ websites and apps may share a wide range of information, potentially including PHI. To that extent, HIPAA regulated entities must, among other things, disclose PHI only as the HIPAA Privacy Rule permits, maintain appropriate BA relationships with tracking technology vendors, and provide breach notifications to affected individuals when necessary. Much like the FTC contested GoodRx's unauthorized use of pixels to share users’ information with third parties for advertising purposes, OCR's bulletin specifically notes that “disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures.”
In a clear demonstration of the coordinated efforts between the two agencies, the FTC and OCR released a joint letter on July 20, 2023, to approximately 130 hospital systems and telehealth providers advising of the risks of utilizing tracking technologies in their business lines. The letter synthesizes each agency's prior guidance on tracking technologies and summarizes how HIPAA, the FTC Act, and the HBNR may regulate usage of such technologies, depending on whether the party involved is a HIPAA covered entity or BA. As the letter stresses, both agencies “remain committed to ensuring that consumers’ health privacy remains protected with respect to this critical issue” and will be “closely watching developments in this area.”
2. Reproductive Health Privacy
The US Supreme Court's 2022 landmark decision in Dobbs v. Jackson Women's Health Organization has also prompted joint oversight from the FTC and HHS. Two weeks after the Dobbs decision, the Biden Administration issued Executive Order 14076 to protect “healthcare service delivery and promote access to critical reproductive healthcare services, including abortion.” Acknowledging the heightened privacy risks associated with the “transfer and sale of sensitive health-related data and by digital surveillance related to reproductive healthcare services,” the order directed both the FTC and HHS to take appropriate enforcement actions to safeguard the reproductive health privacy interests of patients and consumers. The order also instructed the HHS Secretary to consult with the Attorney General and Chair of the FTC to “consider options to address deceptive or fraudulent practices related to reproductive healthcare services, including online, and to protect access to accurate information.”
Both the FTC and OCR subsequently released guidance to inform the public about how to protect the privacy and security of reproductive health information. The FTC's guidance focuses on the harm to consumers inherent in the use of connected devices that generate location data and store user-generated health information, including “particularly sensitive” information collected through products that track women's periods, monitor their fertility, oversee their contraceptive use, or target women considering abortion. The FTC stated that it would use “the full scope of its legal authorities” to protect consumers’ privacy. In fact, the agency recently filed a complaint against a fertility tracking app developer that allegedly incorporated software development kits from third-party marketing and analytics firms to enable sharing of users’ information, including precise geolocation data, with those third parties. As in the GoodRx case, the FTC claimed that Easy Healthcare, the developer of the Premom app, violated Section 5 of the FTC Act by disclosing users’ information in a manner inconsistent with its privacy promises and violated the HBNR by failing to provide requisite notice of the resulting breaches.
OCR's post-Dobbs guidance to the public on protecting the privacy and security of health information on connected devices echoes concerns similar to those in the FTC's guidance. Yet, while the latter guidance clearly conveys the FTC's intent to use the FTC Act and HBNR to address privacy and security risks to sensitive health and geolocation information on cell phones, tablets, and associated apps, OCR's guidance is comparatively restrained. Unless an app is provided by a covered entity or BA, OCR cautioned, HIPAA does “not protect the privacy of data you've downloaded or entered into mobile apps for your personal use, regardless of where the information came from.”
OCR released additional post-Dobbs guidance reminding covered entities and BAs that HIPAA prohibits disclosures of PHI, including information relating to abortion and other sexual and reproductive health care, without an individual's authorization unless a disclosure is expressly permitted or required by the Privacy Rule. OCR later reiterated many of the same points from that guidance in its April 17, 2023 NPRM, which proposed to modify existing HIPAA standards by limiting uses and disclosures of PHI relating to the lawful provision of reproductive health care. In the NPRM, OCR referenced the FTC's post-Dobbs guidance as having informed OCR's determination that “information about reproductive health care is particularly sensitive and requires heightened protections.” Much as the FTC has committed to “using the full scope of its authorities to protect consumers’ privacy, including the privacy of their health information and other sensitive data,” OCR emphasized that the need for heightened protections under HIPAA for “highly sensitive PHI” was “now more acute than it was before, given the actions taken by states to regulate, and even criminalize, reproductive health care.”
3. Information Blocking
Information blocking is another link in the health information regulatory chain that connects the FTC and HHS. While the agencies’ positions on tracking technologies and reproductive health information are driven primarily by privacy and security concerns, a different policy motivation underlies information blocking regulation. As electronic health information (EHI) has become more critical to the delivery of care, this area of health information oversight targets business practices that block the transmission of EHI.
The 21st Century Cures Act lays out the framework for how various federal agencies will regulate information blocking, which the statute defines as a practice that “is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.” One of the key oversight bodies is the Office of the National Coordinator for Health Information Technology (ONC), the HHS agency to which the HHS Secretary delegated its authority to adopt regulatory exceptions for “reasonable and necessary activities that do not constitute information blocking . . . .” The Cures Act explicitly calls on HHS to consult with the FTC in exercising its authority to create regulatory exceptions, “to the extent that such regulations define practices that are necessary to promote competition and consumer welfare.” When ONC promulgated its first set of information blocking exceptions in a final rule in 2020, it acknowledged that the FTC provided expertise and informal technical assistance to ONC in developing the exceptions for recovering costs reasonably incurred, responding to requests that are infeasible, and licensing of interoperability elements on reasonable and non-discriminatory terms, among other areas.
To facilitate expanded access to EHI and minimize information blocking risks, patient-directed third-party apps are expected to assume an increasingly prominent role in the health information ecosystem. In ONC's 2020 final rule, commenters expressed concerns about the potential privacy risks these apps pose and called for the FTC to implement a process to “vet apps for the adequacy of the consumer disclosures which should include the privacy and security of the information and secondary uses that should be permitted.” In response, ONC noted that, under Section 5 of the FTC Act, the FTC could challenge deceptive statements by developers of patient-facing health information technology products and services in privacy policies, user interfaces, FAQs, or other consumer-directed materials. Moreover, the FTC could also challenge a particular use or disclosure of EHI as unfair if it “causes or is likely to cause substantial injury to consumers that is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” ONC assured that it will continue to work with the FTC to “assess education opportunities for consumers and app developers about the privacy and security of EHI collected, used, or received by health apps.”
In addition to ONC, the Office of Inspector General (OIG) is another HHS agency with information blocking enforcement powers. OIG recently adopted a final rule implementing its authority under the Cures Act to impose civil monetary penalties of up to $1 million against certain actors for committing unlawful acts of information blocking. In that rule, OIG noted that its investigations may uncover “anti-competitive conduct or unreasonable business practices,” such as a “contract containing unconscionable terms related to sharing of patient data,” which could ultimately impede a provider's ability to care for patients. In those instances, ONC may function as a liaison between the FTC and OIG, sharing information related to claims of information blocking or investigations by OIG with the FTC, as it is expressly authorized to do under the Cures Act. OIG indicated it will “coordinate closely with ONC to identify claims and investigations or patterns of claims and investigations that may warrant referral to the FTC.”
Adoption of health apps and wearable health technologies continues to grow as generative artificial intelligence transforms the consumer engagement experience. Meanwhile, health care providers are leveraging these products and EHI in innovative ways to deliver care. These trends suggest that joint efforts by the FTC and HHS to protect the privacy, security, and accessibility of health information are likely to continue.
Health care providers and technology developers alike should ensure they are adequately prepared to defend their health information practices from potential scrutiny by both the FTC and HHS. As a starting point, stakeholders should carefully consider the interplay among HIPAA, the FTC Act, HBNR, and the Cures Act's information blocking rules and the applicability of these laws to their business operations. By establishing that it is a HIPAA covered entity, for example, a party can rule out that the HBNR applies.
With a clear understanding of which laws do or do not apply, a party can better assess its regulatory risks and vulnerabilities. As the FTC's enforcement actions in the GoodRx and Easy Healthcare cases suggest, key risk areas to evaluate may include whether a party's information practices align with its privacy policies and whether it has adequate procedures for responding to and reporting breaches. For health care providers that are accustomed to focusing on compliance with HIPAA, the FTC's assertive posture on protecting sensitive health information should serve as an impetus to also consider Section 5 of the FTC Act in designing their privacy and security compliance programs. By the same token, those parties to which the Cures Act's information blocking rules apply should also consider the necessity of structuring their privacy and security practices within the ONC's respective privacy and security exceptions to minimize the risk of an information blocking violation.
Lastly, stakeholders must not overlook the expanding role of states in health information regulation. Some states, such as Nevada and Washington State, have recently enacted legislation with robust protections for broadly defined “consumer health data,” which explicitly includes reproductive health information. Similarly, California amended its Confidentiality of Medical Information Act to apply to “reproductive or sexual health application information” following enforcement actions by the state’s Attorney General against reproductive health app developers in circumstances similar to those in which the FTC has taken enforcement action under Section 5 of the FTC Act and the HBNR. Indeed, the FTC’s ramped-up enforcement activities may reflect attempts by the agency to stay relevant as states gain new enforcement authorities in the consumer information privacy and security space.
Reproduced with permission. Published 12/22/23. Copyright 2023 Bloomberg Industry Group 800-372-1033.