Bass, Berry & Sims attorneys Wes McCulloch, Nesrin Tift, Shannon Wiley and Roy Wyman authored an article for Fierce Healthcare outlining recent settlements between the Federal Trade Commission (FTC) and healthcare companies involving the Health Breach Notification Rule. These settlements mark the first time the FTC has enforced rules around breaches of healthcare data that aren’t subject to HIPAA. In the first case, GoodRx Holdings agreed to pay $1.5 million to settle allegations it did not adequately disclose the collection and use of health information to users; in the second case, BetterHelp agreed to pay $7.8 million for sharing consumers’ health data with social media companies for advertising purposes.
As the authors point out, “The settlements, along with FTC’s allegations regarding the underlying conduct, signal increased enforcement around the use of monitoring technologies by digital health companies and can provide guidance regarding the terms of consent forms and privacy policies.” With this in mind, the attorneys outline four things companies should be mindful of:
- Usage data can constitute identifiable health information.
- Inaccurate public statements can lead to “breaches” of personal health information.
- Be wary of statements regarding compliance with HIPAA.
- Implement privacy and data-sharing governance.
Details about these four issues can be found in the article, “Industry Voices—FTC Health Breach Notification Rule Finally Gets a Target,” that was published by Fierce Healthcare on April 18 and is available online.