Posted In: Corporate Counseling & Cybersecurity & Data Privacy
By Jarman J. Smith & Sharilyn N. Clark, Summer Associate on July 12, 2023
This year the Federal Trade Commission (FTC) has used the Health Breach Notification Rule (HBNR) twice to punish vendors that failed to handle consumers' personal health data properly. The FTC first began enforcing the HBNR in February, when it ordered GoodRx, a mobile prescription drug comparison and coupon application, to pay a $1.5 million civil penalty for disclosing personal health information to Google, Facebook, and other marketing companies, contrary to its own privacy policies.[1] In May, the FTC ordered Easy Healthcare to pay a $100,000 civil penalty to the FTC and three states after blatantly lying to consumers and sharing their health data with third parties.[2] As part of both orders, the FTC permanently prohibited the companies from sharing personal health data with third parties for advertising, among a host of other punishments. Both entities have one glaring fact in common: they were subject to massive fines stemming from Section 5 of the Federal Trade Commission Act.
The FTC has made it clear that it will vigorously pursue any company that fails to use and protect personal health information properly, or that fails to notify consumers of its actions regarding that information.[3] Businesses that host mobile health data applications not covered under HIPAA will likely find themselves explicitly subject to the proposed Health Breach Notification Rule.[4]
The FTC has released proposed amendments to strengthen its Health Breach Notification Rule.[5]
Some notable proposed amendments are listed below:
- Broaden the definition of the phrase “health care services or supplies” to include mobile applications or internet connected devices that offer health related services or tools
- Broaden the definition of the phrase “health care provider” to include ANY entity furnishing health care services or supplies
- Broaden the definition of a “breach” to include unauthorized disclosures and data security breaches
- Broaden the definition of “PHR related entity” to include entities that are not covered under HIPAA but offer products or services through the website of a vendor of personal health records
- Modernize the methods of notice and increase the required content
Potential Business Impacts
It has become increasingly clear that businesses that collect health data must exercise the utmost care and transparency or face fines at the hands of the FTC. The FTC's commissioner stated the agency will use existing mechanisms, like Section 5 of the FTC Act, to enforce against the risk of discrimination and privacy concerns.[6] What does this mean for your business? To avoid potential fines levied by the FTC or other governmental bodies for mishandling consumer data, your business should:
- Review your current contracts
Companies sharing data with contracted vendors have been at the center of recent enforcement actions. While vendors have their own privacy policies and practices, companies that utilize their services are held accountable for those practices. Reviewing vendor contracts and adding key provisions that require the vendor to abide by its regulatory duties helps you stay informed and could create a cause of action in the case of non-performance.
- Review internal company policies
Companies often fail to ensure that the promises and assertions made in the public-facing policies posted on their websites reflect the company's actual practices. When a company's practices and policies differ, the FTC deems them deceptive and unfair. That designation costs companies millions of dollars in fines, the loss of effective avenues to advertise, and the costly addition of privacy and security programs. Including data privacy counsel in business operation discussions helps build privacy into the daily practice of the business and can save companies thousands in litigation expenses. The goal is to be proactive about privacy while juggling business innovation and growth.
- Connect with Data Privacy Advisors
Your organization should develop a team to help you navigate through the complexities of data privacy law and provide the best course of action to avoid regulatory fines for noncompliance. In addition to key information technology personnel, it is important to make sure that your team also has experienced data privacy attorneys who can keep you updated on changes to data privacy laws, develop the written policies needed for compliance and provide assistance in any responses to privacy enforcement actions.
How Brouse Can Help
We have seen an increased emphasis placed on the enforcement of regulatory fines and penalties for data processing misconduct. Therefore, it has become more important to pay attention to your organization’s cybersecurity protocols and adhere to applicable data processing requirements. Brouse McDowell’s Cybersecurity and Data Privacy team can provide the guidance and tools you need to defend against cyberattacks, protect consumer information, and become compliant with applicable data privacy regulations. Our cybersecurity team offers a variety of data privacy and cybersecurity services, including pre-breach and cybersecurity planning, cybersecurity and data privacy transactional services, data regulatory compliance services, breach response and disclosure obligation services, cyber liability insurance review, and any related litigation issues regarding cybersecurity and data breaches (investigation, defense, insurance recovery and response). Please contact us for more information and to learn how we can partner with you.
This blog is intended to provide information generally and to identify general legal requirements. It is not intended as a form of, or as a substitute for legal advice. Such advice should always come from in-house or retained counsel. Moreover, if this Blog in any way seems to contradict advice of counsel, counsel's opinion should control over anything written herein. No attorney client relationship is created or implied by this Blog. © 2023 Brouse McDowell. All rights reserved.