The FTC sets sights on healthcare tech
May 16, 2023
Juan Carlos González

There is an adage in the compliance world that most organizations would do well to heed: Say what you do, do what you say. Failure to abide by this seemingly simple statement may have catastrophic consequences for your business, consequences that extend beyond monetary losses and increased regulatory oversight to reputational damage and loss of consumer trust. In no area is this concept more important than in the healthcare industry, which is the third largest sector in the United States and accounted for nearly $4.3 trillion in revenue in 2021. While plenty of opportunity exists in the healthcare space, the business risk is equally great given the types of sensitive personal data that are regularly collected, manipulated, and studied, especially as that data is aggregated and mined for predictive purposes (a fairly recent phenomenon known as Big Data).

"If you think compliance is expensive – try non-compliance."
Paul McNulty, former U.S. Deputy Attorney General

It is no wonder that the introduction of sophisticated healthcare technology has generated skepticism and distrust among healthcare patients, specifically in how they perceive their healthcare data is being used, as recorded in a 2020 Accenture digital survey. While this lack of consumer confidence leaves much to be desired, Accenture Senior Managing Director of Global Health Kaveh Safavi highlighted that businesses ought to consider the difference between “what’s possible and what’s permissible to consumers.” These considerations can help guide organizations as they develop cutting-edge technologies that require the use of individual healthcare data. But what happens when organizations test these boundaries and act in a manner that exceeds what is permissible to consumers?
Exceed what is permissible to consumers and pay the price: The GoodRx story

While technological advancements appear to be at the forefront of corporate and individual concerns, there are more troubling and controllable factors at play, namely an organization’s failure to do what it says it will do. This is illustrated by the Federal Trade Commission (“FTC”) taking first-of-its-kind enforcement action against GoodRx, a telehealth and prescription drug discount provider, for violating the Health Breach Notification Rule. The violation resulted in a $1.5 million civil penalty and a permanent ban on disclosing health information to third parties for advertising purposes. At issue in the enforcement action is GoodRx’s failure to notify consumers of unauthorized disclosures of their personal information to various companies, including Facebook and Google.

What is the Health Breach Notification Rule?

In 2009, Congress directed the FTC, through the Health Information Technology (“HITECH”) provisions, to promulgate rules requiring that organizations that handle health information provide notice to individuals whose identifiable health information has been the subject of a breach. In response, the FTC promulgated the Health Breach Notification Rule, which requires HIPAA-covered entities and their business associates to provide notice to consumers following a breach of unsecured protected health information. In addition to promulgating the Health Breach Notification Rule, the FTC is responsible for its enforcement. While the Health Breach Notification Rule lay dormant for over a decade, the FTC now appears to be shifting its strategy to utilize its enforcement capabilities.

What went wrong?

According to the FTC complaint, GoodRx’s privacy policy promised its users that it would never disclose their personal health information to advertisers or third parties, except for limited purposes necessary to conduct its business.
Specifically, the privacy policy stated: “…[W]e never provide advertisers or any other third parties any information that reveals a personal health condition or personal health information.” In addition to statements made in its privacy policy, GoodRx displayed a seal on its webpage attesting to compliance with the Health Insurance Portability and Accountability Act (HIPAA). Together, these two factors typically assure consumers that their healthcare data is safeguarded and used only for the purposes necessary to receive a service. These displays of corporate good faith drive the market and create opportunity while minimizing intrusiveness to individuals, especially when sensitive personal information is at play. In this case, GoodRx had access to the specific medications (e.g., Viagra and Lipitor) and health conditions (e.g., erectile dysfunction and high cholesterol) affecting its consumers.

Unfortunately, for the nearly 55.4 million consumers who have visited GoodRx’s website and may have used its services, the aforementioned assurances were all smoke and mirrors. Beginning in at least 2017, GoodRx violated its privacy promises by sharing its consumers’ information with advertising platforms such as Facebook, Google, and Criteo through tracking pixels, which fed consumer information to the various platforms directly. These advertising platforms were able to receive information about prescriptions or health conditions along with personal contact information such as the user’s city, state, and zip code, as well as IP addresses.
In addition to sharing personal health information, GoodRx also monetized this information by targeting its users with advertisements on Facebook and Instagram through Facebook’s “Ads Manager.” Shockingly – or maybe not shockingly by now – GoodRx failed to obtain consumer consent before sharing their information with these third parties.

What can you do to prevent a similar outcome?

Say what you do, do what you say. Though the possibilities for innovation in the healthcare space are endless, implementing HIPAA regulations through a robust compliance program can help your organization metaphorically “pump the brakes.” This allows your business to evaluate the adoption of emerging technologies while securing consumer data and building trust in your product. One of the main benefits of implementing a compliance program is the development of internal checks and balances that require due diligence to determine whether internal practices comply with the outlined regulatory requirements. If executed appropriately, potential misconduct can be identified and rooted out of your organization. The following illustrates ways in which a HIPAA compliance program can help strengthen your organization:

Management Accountability: The Administrative Safeguards provisions in the HIPAA Security Rule require the execution of a risk assessment. A risk assessment is typically accompanied by reporting to senior management and allocation of resources to reduce risk across your organization.

Employee Training: HIPAA requires organizations to train their employees. The training is typically targeted toward the individuals at your organization who handle personal health information. While no specific cadence is specified, various other compliance frameworks require training at hire and annually thereafter.
Creation of Policies: A strong set of policies outlines organizational expectations (the “what?”) and the associated processes (the “how?”). Policies should be reviewed by employees on an established cadence to ensure familiarity with and adherence to your organization’s standards.

Compliance Assessment: A formal HIPAA assessment can help align your organizational practices with the requirements set forth in the HIPAA regulation. Results can be shared with potential customers or partners and instill confidence that your systems and their information are adequately protected.

This non-exhaustive list of requirements and practices may seem overwhelming to digest and implement. But with the right help and guidance, you can be well on your way toward increased customer satisfaction and regulatory compliance.

How Can Thoropass Help?

If your organization is in the healthcare sector and is contemplating or currently processing the personal health information of consumers, Thoropass experts are available to help you evaluate your current policies, procedures, and processes against HIPAA regulations. Our trusted experts undergo rigorous training in their disciplines and are equipped with insight and hands-on experience, so you are never alone on your healthcare compliance journey, whether it’s HIPAA, HITRUST, SOC 2, or ISO 27001.