Tag: PHI

The FTC Announces First Health Breach Notification Rule Enforcement Action

On February 1, the Federal Trade Commission (“FTC”) announced enforcement action for the first time under its Health Breach Notification Rule[1]. The complaint against telehealth and prescription drug discount provider GoodRx Holdings Inc. (“GoodRx”), alleges its failure to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google and other companies.

In a first-of-its-kind proposed order, filed by the Department of Justice on behalf of the FTC, GoodRx will be prohibited from sharing user health data with applicable third parties for advertising purposes, and has agreed to pay a $1.5 million civil penalty for violating the rule. The proposed order must be approved by the federal court to go into effect. The Health Breach Notification Rule requires vendors of personal health records and related entities, which are not covered by the Health Insurance Portability and Accountability Act (HIPAA), to notify consumers and the FTC of unauthorized disclosures. In a September 2021 policy statement, the FTC warned health apps and connected devices that they must comply with the rule.

According to the FTC’s complaint, for years GoodRx violated the FTC Act by sharing sensitive personal health information with advertising companies and platforms—contrary to its privacy promises—and failed to report these unauthorized disclosures as required by the Health Breach Notification Rule.  Specifically, the FTC claims GoodRx shared personal health information with Facebook, Google, Criteo and others. According to the FTC, since at least 2017, GoodRx deceptively promised its users that it would never share personal health information with advertisers or other third parties. GoodRx repeatedly violated this promise by sharing sensitive personal health information—such as including its users’ prescription medications and personal health conditions.

The FTC also alleges GoodRx monetized its users’ personal health information, and used data it shared with Facebook to target GoodRx’s own users with personalized health and medication-specific advertisements on Facebook and Instagram.

The FTC further alleges that GoodRx:

  • Failed to Limit Third-Party Use of Personal Health Information: GoodRx allowed third parties it shared data with to use that information for their own internal purposes, including for research and development or to improve advertising.
  • Misrepresented its HIPAA Compliance: GoodRx displayed a seal at the bottom of its telehealth services homepage falsely suggesting to consumers that it complied with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a law that sets forth privacy and information security protections for health data.
  • Failed to Implement Policies to Protect Personal Health Information: GoodRx failed to maintain sufficient policies or procedures to protect its users’ personal health information. Until a consumer watchdog publicly revealed GoodRx’s actions in February 2020, GoodRx had no sufficient formal, written, or standard privacy or data sharing policies or compliance programs in place.

In addition to the $1.5 million penalty for violating the rule, the proposed federal court order also prohibits GoodRx from engaging in the deceptive practices outlined in the complaint and requires the company to comply with the Health Breach Notification Rule. To remedy the FTC’s numerous allegations, other provisions of the proposed order against GoodRx also:

  • Prohibit the sharing of health data for advertising: GoodRx will be permanently prohibited from disclosing user health information with applicable third parties for advertising purposes.
  • Require user consent for any other sharing: GoodRx must obtain users’ affirmative express consent before disclosing user health information with applicable third parties for other purposes. The order requires the company to clearly and conspicuously detail the categories of health information that it will disclose to third parties.  It also prohibits the company from using manipulative designs, known as dark patterns, to obtain users’ consent to share the information.
  • Require the company to seek deletion of data: GoodRx must direct third parties to delete the consumer health data that was shared with them and inform consumers about the breaches and the FTC’s enforcement action against the company.
  • Limit Retention of Data: GoodRx will be required to limit how long it can retain personal and health information according to a data retention schedule. It also must publicly post a retention schedule and detail the information it collects and why such data collection is necessary.
  • Implement a Mandated Privacy Program: GoodRx must put in place a comprehensive privacy program that includes strong safeguards to protect consumer data.

© 2023 Dinsmore & Shohl LLP. All rights reserved.

For more Cybersecurity and Privacy Legal News, click here to visit the National Law Review

FOOTNOTES

[1] 16 CFR Part 318

OCR Announces $300,000 Settlement Related to Improper Disposal of Physical PHI

On August 23, 2022, the U.S. Department of Health & Human Services, Office for Civil Rights (“HHS”) announced that it had settled a case involving the disposal of physical protected health information (“PHI”).

OCR alleged that, on March 31, 2021, a specimen containing PHI was found by a third-party security guard in the parking lot of the New England Dermatology and Laser Center (“NEDLC”). The PHI included patient name, patient date of birth, date of sample collection, and the name of the provider who took the specimen, in violation of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

As part of the settlement, NEDLC agreed to pay HHS $300,640. According to NEDLC’s Resolution Agreement and the Corrective Action Plan, there were two potential violations by NEDLC. First, NEDLC allegedly failed to maintain appropriate safeguards to protect the privacy of PHI,” as required by 45 C.F.R. § 164.530(c). Second, NEDLC allegedly permitted the impermissible disclosure of PHI, in violation of Rule 45 C.F.R. § 164.502(a). The Corrective Action Plan requires NEDLC to develop, maintain and appropriately revise written policies and procedures in accordance with HIPAA.

Several highlights of the settlement include:

  1. Changes to Policies and Procedures. NEDLC must develop, maintain and revise, as necessary, its written HIPAA policies and procedures, and provide such policies and procedures to HHS for review and approval. NEDLC also must assess, update and revise, as necessary, such policies and procedures at least annually, or as needed, and seek HHS’s approval of the revised policies and procedures.
  2. Designation of Privacy Official. NEDLC must designate a privacy official who is responsible for the development and implementation of NEDLC’s HIPAA policies and procedures, and a contact person or office who is responsible for receiving relevant complaints.
  3. Training Requirements. NEDLC must provide HHS with training materials for its workforce members and seek HHS’s approval of such training materials. NEDLC must also distribute the HIPAA policies and procedures to its workforce members and relevant business associates, and obtain a written compliance certification from all such individuals. NEDLC must provide HIPAA training for new workforce members, and all workforce members at least every 12 months. Each workforce member must certify, in electronic or written form, that they received training. NEDLC must review the training at least annually, and update the training where appropriate. NEDLC must promptly investigate, review, report to HHS, and sanction any workforce member that does not comply with its HIPAA policies and procedures.
  4. Implementation Report and Annual Report.  NEDLC is required to submit to HHS a written report summarizing the status of its implementation of the requirements provided set forth in the settlement, and annual compliance reports.

For more Health Care legal news, click here to visit the National Law Review.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Bring Your Own Device To Work Programs: Regulatory and Legal Risks and How To Minimize Them

Poyner Spruill LLP Attorneys at Law, a North Carolina Law Firm

If you’ve ever left your mobile phone on an airplane, in a restaurant, or somewhere other than in your possession, you know it’s frightening enough to think of losing the device itself, which costs a premium, as well as your personal photos or information stored on the device. Now imagine if you lost your mobile phone, but it also had protected health information (PHI) associated with your health care work stored on it.  The lost device suddenly presents the potential for reputational damage and legal or regulatory obligations, in addition to the inconvenience and cost of replacement.

Mobile phones are lightweight, palm sized, and cordless, which makes them convenient and easily portable. These same features make mobile phones highly susceptible to theft or loss. As such, there are serious compliance risks to consider and mitigate when allowing personal mobile device use for work purposes, or a bring your own device (BYOD) program, especially in a healthcare setting. Despite the known risks, current research shows that in some industries, up to 90% of employees are using their personal devices for work purposes whether “allowed” or not.  For example, an assisted living nurse using a personal device for work purposes might send a text message to a patient’s primary care physician (PCP) to obtain guidance or to provide an update.  That communication includes PHI, raising compliance obligations, such as state laws or HIPAA security requirements. In the long term care setting, it’s also a clear violation of applicable privacy laws and the Centers for Medicare and Medicaid Services will, and has been, citing such infractions on surveys.  We suspect the Division of Health Service Regulation would do likewise under state law if this occurred in an adult care home.

There is no quick and easy remedy to completely eliminate all risks associated with the use of mobile phones, particularly employee-owned devices. However, there are steps that can be taken to minimize those risks while allowing the use of mobile technology to provide enhanced and continuous care to patients. One such step is implementing a mobile device management (MDM) solution. An MDM solution allows a secure connection for employees to access work networks and information resources remotely, using an application installed on their personal device. That solution keeps “work applications” such as the employer’s email program technically separated from “personal applications” like social media apps. In addition, an MDM solution allows the employer to force technical controls on the device, such as password requirements, encryption or the ability to remotely wipe all data from the device.

Recognizing that employers must relinquish ownership and technical control to make a BYOD program work, employers also must implement robust policies and procedural controls. For example:

  • Permissible Uses. Document the permissible uses of personal devices for work purposes, including whether employees are ever permitted to transfer PHI or other types of sensitive personal information on a personal device and the employment terms associated with such uses.

  • Device Security Controls. Document the policies that govern device controls (such as requiring employees to use passwords, up-to-date malware protection, device time-out, authentication or encryption on the device).

  • Training and Sanctions. Enforce training requirements and frequency as part of the terms of use and implement clear sanctions policies for unauthorized access or use.  Employers may also consider whether the same training and policies/procedures will apply to vendors or contractors.

  • HR Policies.  Review other important employment law considerations such as employee privacy rights, social media policies, and policies for removing applicable data from the devices of terminated or exiting employees.

There are many compliance considerations to keep in mind when deciding whether to implement a BYOD program. A comprehensive security framework, including technical controls, policies, procedures, and training, can reduce the high risks associated with the use of personal mobile devices for work purposes.

ARTICLE BY

Tara N. Cho
OF
Poyner Spruill LLP