On February 1, the Federal Trade Commission (“FTC”) announced enforcement action for the first time under its Health Breach Notification Rule[1]. The complaint against telehealth and prescription drug discount provider GoodRx Holdings Inc. (“GoodRx”), alleges its failure to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google and other companies.

In a first-of-its-kind proposed order, filed by the Department of Justice on behalf of the FTC, GoodRx will be prohibited from sharing user health data with applicable third parties for advertising purposes, and has agreed to pay a $1.5 million civil penalty for violating the rule. The proposed order must be approved by the federal court to go into effect. The Health Breach Notification Rule requires vendors of personal health records and related entities, which are not covered by the Health Insurance Portability and Accountability Act (HIPAA), to notify consumers and the FTC of unauthorized disclosures. In a September 2021 policy statement, the FTC warned health apps and connected devices that they must comply with the rule.

According to the FTC’s complaint, for years GoodRx violated the FTC Act by sharing sensitive personal health information with advertising companies and platforms—contrary to its privacy promises—and failed to report these unauthorized disclosures as required by the Health Breach Notification Rule.  Specifically, the FTC claims GoodRx shared personal health information with Facebook, Google, Criteo and others. According to the FTC, since at least 2017, GoodRx deceptively promised its users that it would never share personal health information with advertisers or other third parties. GoodRx repeatedly violated this promise by sharing sensitive personal health information—such as including its users’ prescription medications and personal health conditions.

The FTC also alleges GoodRx monetized its users’ personal health information, and used data it shared with Facebook to target GoodRx’s own users with personalized health and medication-specific advertisements on Facebook and Instagram.

The FTC further alleges that GoodRx:

• Failed to Limit Third-Party Use of Personal Health Information: GoodRx allowed third parties it shared data with to use that information for their own internal purposes, including for research and development or to improve advertising.
• Misrepresented its HIPAA Compliance: GoodRx displayed a seal at the bottom of its telehealth services homepage falsely suggesting to consumers that it complied with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a law that sets forth privacy and information security protections for health data.
• Failed to Implement Policies to Protect Personal Health Information: GoodRx failed to maintain sufficient policies or procedures to protect its users’ personal health information. Until a consumer watchdog publicly revealed GoodRx’s actions in February 2020, GoodRx had no sufficient formal, written, or standard privacy or data sharing policies or compliance programs in place.

In addition to the $1.5 million penalty for violating the rule, the proposed federal court order also prohibits GoodRx from engaging in the deceptive practices outlined in the complaint and requires the company to comply with the Health Breach Notification Rule. To remedy the FTC’s numerous allegations, other provisions of the proposed order against GoodRx also:

• Prohibit the sharing of health data for advertising: GoodRx will be permanently prohibited from disclosing user health information with applicable third parties for advertising purposes.
• Require user consent for any other sharing: GoodRx must obtain users’ affirmative express consent before disclosing user health information with applicable third parties for other purposes. The order requires the company to clearly and conspicuously detail the categories of health information that it will disclose to third parties.  It also prohibits the company from using manipulative designs, known as dark patterns, to obtain users’ consent to share the information.
• Require the company to seek deletion of data: GoodRx must direct third parties to delete the consumer health data that was shared with them and inform consumers about the breaches and the FTC’s enforcement action against the company.
• Limit Retention of Data: GoodRx will be required to limit how long it can retain personal and health information according to a data retention schedule. It also must publicly post a retention schedule and detail the information it collects and why such data collection is necessary.
• Implement a Mandated Privacy Program: GoodRx must put in place a comprehensive privacy program that includes strong safeguards to protect consumer data.

© 2023 Dinsmore & Shohl LLP. All rights reserved.

For more Cybersecurity and Privacy Legal News, click here to visit the National Law Review

FOOTNOTES

[1] 16 CFR Part 318

The post The FTC Announces First Health Breach Notification Rule Enforcement Action appeared first on The National Law Forum.

The U.S. Department of Health and Human Services (HHS) has finally issued its omnibus HITECH Rules.  Our firm will issue a comprehensive summary of the rules shortly (sign up here), but of immediate import is the change to the breach reporting harm threshold.  The modification will make it much more difficult for covered entities and business associates to justify a decision not to notify when an incident occurs.

Under the interim rule, which remains in effect until September 23, 2013, a breach must be reported if it “poses a significant risk of financial, reputational, or other harm to the individual.” The final rule, released yesterday, eliminates that threshold and instead states:

“[A]n acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E [the Privacy Rule] is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;

(iii) Whether the protected health information was actually acquired or viewed; and

(iv) The extent to which the risk to the protected health information has been mitigated.”
(Emphasis added).

In other words, if a use or disclosure of information is not permitted by the Privacy Rule (and is not subject to one of only three very narrow exceptions), that use or disclosure will be presumed to be a breach.  Breaches must be reported to affected individuals, HHS and, in some cases, the media.  To rebut the presumption that the incident constitutes a reportable breach, covered entities and business associates must conduct the above-described risk analysis and demonstrate that there is only a low probability the data will be compromised.  If the probability is higher, breach notification is required regardless of whether harm to the individuals affected is likely.  (Interestingly, this analysis means that if there is a low probability of compromise notice may not be required even if the potential harm is very high.)

What is the effect of this change?  First, there will be many more breaches reported resulting in even greater costs and churn than the already staggering figures published by Ponemon which reports that 96% of health care entities have experienced a breach with average annual costs of $6.5 billion since 2010.

Second, enforcement will increase.  Under the new rules, the agency is required (no discretion) to conduct compliance reviews when “a preliminary review of the facts” suggests a violation due to willful neglect.  Any reported breach that suggests willful neglect would then appear to require agency follow-up.  And it is of course free to investigate any breach reported to them.  HHS reports that it already receives an average of 19,000 notifications per year under the current, more favorable breach reporting requirements, so where will it find the time and money to engage in all these reviews?  Well, the agency’s increased fining authority, up to an annual maximum of $1.5 million per type of violation, ought to be some help.

Third, covered entities and business associates can expect to spend a lot of time performing risk analyses.  Every single incident that violates the Privacy Rule and does not fit into one of three narrow exceptions must be the subject of a risk analysis in order to defeat the presumption that it is a reportable breach.  The agency requires that those risk analyses be documented, and they must include at least the factors listed above.

So why did the agency change the reporting standard?  As it says in the rule issuance, “We recognize that some persons may have interpreted the risk of harm standard in the interim final rule as setting a much higher threshold for breach notification than we intended to set. As a result, we have clarified our position that breach notification is necessary in all situations except those in which the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised. . . .”

The agency may also have changed the standard because it was criticized for having initially included a harm threshold in the rule, with critics claiming that the HITECH Act did not provide the authority to insert such a standard.  Although the new standard does, in essence, permit covered entities and business associates to engage in a risk-based analysis to determine whether notice is required, the agency takes the position that the new standard is not a “harm threshold.”  As they put it, “[W]e have removed the harm standard and modified the risk assessment to focus more objectively on the risk that the protected health information has been compromised.”  So, the agency got their way in that they will not have to receive notice of every single event that violates the Privacy Rule and they have made a passable argument to satisfy critics that the “harm threshold” was removed.

The new rules are effective March 26, 2013 with a compliance deadline of September 23, 2013.  Until then, the current breach notification rule with its “significant risk of harm” threshold is in effect.  To prepare for compliance with this new rule, covered entities and business associates need to do the following:

• Create a risk analysis procedure to facilitate the types of analyses HHS now requires and prepare to apply it in virtually every situation where a use or disclosure of PHI violates the Privacy Rule.
• Revisit security incident response and breach notification procedures and modify them to adjust notification standards and the need to conduct the risk analysis.
• Revisit contracts with business associates and subcontractors to ensure that they are reporting appropriate incidents (the definition of a “breach” has now changed and may no longer be correct in your contracts, among other things).
• If you have not already, consider strong breach mitigation, cost coverage, and indemnification provisions in those contracts.
• Revisit your data security and breach insurance policies to evaluate coverage, or lack thereof, if applicable.
• Consider strengthening and reissuing training.  With every Privacy Rule violation now a potentially reportable breach, it’s more important than ever to avoid mistakes by your workforce.  And if they happen anyway, during a subsequent compliance review, it will be important to be able to show that your staff was appropriately trained.
• Update your policies to address in full these new HIPAA rules.  The rules require it, and it will improve your compliance posture if HHS does conduct a review following a reported breach.

As noted above, our firm will issue a more comprehensive summary of these new HIPAA rules in coming days.

© 2013 Poyner Spruill LLP

The post Brace for Impact – Final HITECH Rules Will Require Substantially More Breach Reporting appeared first on The National Law Forum.