Need-to-Knows: The FTC’s Warning Shot to Digital Health and Expanding Powers

Shawn Flaherty
Published in Tranquil Data
5 min read · Feb 8, 2023

GoodRX has agreed to settle an FTC complaint that alleged it shared sensitive data with third parties despite its promise to keep customer health information private. GoodRX agreed to a moderate monetary settlement ($1.5M), notice to users, and 26 pages of strict governance and audit mandates that last through 2053. The settlement represents the FTC’s commitment to flex its enforcement authority over digital health more aggressively, and to severely punish companies that violate its expanding interpretation of the law through two newly created authorities described below.

Over the last few years, our team has been advocating that digital health companies should invest in ensuring data is used and shared as intended, both to best position themselves to avoid the coming regulatory wave (here and here) and to unlock trust and engagement with users (here). Given the new authorities outlined below, the question for digital health leaders is no longer whether this space is worthy of investment. The question is whether your internal technical team is capable of building a system that can transparently enforce correct data use and sharing in line with complex FTC requirements, or whether it’s time to partner with a team of experts.

FTC Expansion of Power: The Health Breach Notification Rule (HBNR)

In September of 2021, the FTC adopted a policy statement emphasizing their commitment to expand the interpretation of a 2009 “breach notification” rule to include situations when digital health companies disclose sensitive health information without users’ authorization (versus true security breaches). In February of 2022 I wrote that it was “clear from the FTC statement … that a reckoning is coming for digital health companies that don’t prioritize exchanging data in line with policies and regulations.” Last month I summarized the interpretation of the expansion of the HBNR rule with two simple parts:

If digital health companies use or share data in ways that go beyond what they say, they are in violation of the HBNR, are subject to fines, and must provide notice of the “breach.” Given the perceived simplicity of the two-part test, the majority of digital health leaders will read the GoodRX headlines and conclude that they are safe from FTC enforcement, and the majority of them will be wrong. Non-technical stakeholders do not know what data is being shared, with whom, and for what purposes. Even for technical leaders, this simple test is hard to meet at scale. A few months before the IPO, GoodRX’s CTO stated in internal emails:

“[w]e need to strengthen our policies and procedures to ensure that we are consistent about what data we share to whom.” and acknowledged, “What we do not have is the data we are sharing by partner along with its business purpose.”

The percentage of digital health companies in violation of the FTC framework was further illustrated in three academic studies (one, two, three) that applied versions of the two-part test above and concluded that 83%, 46%, and 60% of the companies examined, respectively, were in violation of FTC rules.

FTC Expansion of Power: Affirmative Express Consent

The GoodRX settlement drastically changed the two-part test described above for digital health companies that share sensitive data with third parties. In GoodRX, the FTC found that the lack of affirmative express consent before sharing sensitive data with third parties met the standard of “unfair acts or practices.” The settlement requires GoodRX to obtain affirmative express consent after clearly and conspicuously stating:

(1) categories of Health Information that will be disclosed to Third Parties;

(2) the identities of such Third Parties;

(3) and all purposes for Defendant’s disclosure of such Health Information, including how it may be used by each Third Party

The FTC definition of “Affirmative Express Consent” mandates that users must opt-in after clear notice that is apart from a privacy policy or any other document that includes unrelated information.

The new requirement for “affirmative express consent” is far more complex than the sneakily complex two-part test:

Exemplary illustration

To illustrate the difference between the requirements under the two rules, let’s take one simple example of a digital health company sharing data with one category of third parties. The example digital health company acquires customers through payer and employer contracts. Each payer and employer contract is individually negotiated and leads to custom data sharing requirements back to each respective payer and employer.

Digital health companies commonly include language in their terms and conditions like, “we may share sensitive health information with companies paying for your participation in the program,” and have a user check a box that they consent to the entirety of a lengthy terms and conditions. In the past, this would pass FTC scrutiny as long as their data use and sharing practices matched the notice.

With the new requirement, the context under which the user came to the platform will need to surface, by name, the specific company paying for their participation in the program. It will need to specify the specific data shared (which will vary by company) and how the data will be used by the third party (which may vary by company). The user will need to opt in after being presented with the above description in plain language, outside of the terms and conditions. The digital health company will then need to ensure that the data shared, and its purpose, is an exact match to the notice. In practice, this will be further complicated because digital health companies have multiple products or services, across many geographies, and share data with many third parties for various purposes:

· Other users for community based applications

· Advertisers

· Service providers that are required to enable products and services

· Partners for joint products or services

· Potential users in the form of user referrals

· Promotional offers for add-on products and services

· Providers

· Family members

· Other organizations in the course of corporate transactions like bankruptcy, merger, acquisition, reorganization, or sale of all or a portion of our assets

· Research partners

The complex web of notices and the accompanying data sharing requirements mean that any manual attempt to meet the affirmative express consent requirement will fail. Instead, digital health companies need to automate enforcement with a policy-based approach that understands the context under which a user arrived at the platform. Policies must then fail fast on any attempt to share data in a way that violates them. The system must also be capable of fully transparent auditing, so it can show stakeholders and regulators what data was shared, when, with whom, and under which policy version.
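To make the policy-based approach concrete, here is an added example (not Tranquil Data’s software, and not code from the original post) of a minimal sharing gate: each outbound disclosure is checked against the named recipient, data categories and purposes the user actually opted in to, refused attempts fail fast before any data moves, and every attempt is written to an audit log with the notice version that governed it. The recipient names, categories and purposes are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional

@dataclass(frozen=True)
class ConsentNotice:
    """The plain-language notice the user opted in to: recipient, data, purposes."""
    version: str                # which wording of the notice the user saw
    third_party: str            # the recipient named in the notice
    categories: FrozenSet[str]  # categories of health information disclosed
    purposes: FrozenSet[str]    # how that third party may use the data
@dataclass(frozen=True)
class ShareRequest:
    user_id: str
    third_party: str
    categories: FrozenSet[str]
    purpose: str
class PolicyViolation(Exception):
    """Raised to fail fast: nothing leaves the system on this path."""
class SharingGate:
    def __init__(self) -> None:
        # user_id -> {third_party -> notice the user affirmatively accepted}
        self.consents: Dict[str, Dict[str, ConsentNotice]] = {}
        self.audit: List[dict] = []  # every attempt, allowed or refused

    def record_opt_in(self, user_id: str, notice: ConsentNotice) -> None:
        self.consents.setdefault(user_id, {})[notice.third_party] = notice

    def _violation(self, req: ShareRequest) -> Optional[str]:
        notice = self.consents.get(req.user_id, {}).get(req.third_party)
        if notice is None:
            return f"no opt-in on file for recipient {req.third_party!r}"
        extra = req.categories - notice.categories
        if extra:
            return f"categories not in notice: {sorted(extra)}"
        if req.purpose not in notice.purposes:
            return f"purpose not in notice: {req.purpose!r}"
        return None
    def share(self, req: ShareRequest) -> dict:
        """Allow the disclosure only if it matches the notice; log the attempt either way."""
        notice = self.consents.get(req.user_id, {}).get(req.third_party)
        reason = self._violation(req)
        entry = {"at": datetime.now(timezone.utc).isoformat(), "user": req.user_id,
                 "to": req.third_party, "categories": sorted(req.categories),
                 "purpose": req.purpose, "allowed": reason is None, "reason": reason,
                 "policy_version": notice.version if notice else None}
        self.audit.append(entry)
        if reason:
            raise PolicyViolation(reason)  # fail fast before any data moves
        return entry
```

A real deployment would key the consent store on the acquisition context (the payer or employer contract the user arrived through) and persist the audit entries, but the allow/refuse decision stays the same three-way match.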

At Tranquil Data, we have been working on this problem since 2017 and have developed software purpose-built to solve it in the context of healthcare and life sciences. If you are a digital health company and do not yet have a plan in motion to meet the new FTC requirements, we can help.
