How the FTC Enforces Healthcare Privacy Regulations
The healthcare privacy landscape is always evolving. Check out the Freshpaint Privacy Hub for the latest updates, reactions, and resources to prioritize healthcare privacy without compromising marketing performance.
In March 2023, the Federal Trade Commission (FTC) requested an additional $160M to “investigate and litigate more and increasingly complex matters.” It turns out that one of those complex matters is healthcare privacy.
Between the rise of cyberattacks and countless instances of mishandling sensitive data, healthcare privacy is on the minds of consumers—and the federal government.
In this article, we’ll clarify the FTC’s role in consumer privacy, how they enforce their rules, and what healthcare companies can do to avoid getting tripped up.
What Is the FTC’s Role in Healthcare Privacy?
The FTC’s job is to protect consumers from deceptive or unfair business practices. That job extends into the healthcare sector, where the FTC ensures that healthcare companies maintain the privacy and security of personal health information.
The most commonly known healthcare privacy law is HIPAA, which protects patients’ personally identifiable health information. However, HIPAA doesn’t always do enough to protect consumers in a world that’s going more digital by the day. Accordingly, if a case falls outside of HIPAA, the FTC can still investigate healthcare companies with sloppy data handling practices.
For example, if a healthcare company doesn’t notify consumers that it improperly disclosed their personal health information to Google, the FTC can impose penalties—financial and otherwise (more on that later).
Which Healthcare Organizations Can the FTC Take Action Against?
As of April 2024, the FTC has broad authority to take action against healthcare organizations, including health apps and other digital health companies. Organizations within its reach include:
- Hospitals and clinics
- Pharmaceutical companies
- Health insurance companies
- Medical device manufacturers
- Telehealth providers
- Health information technology (HIT) companies
- Pharmacies
- Laboratories
- Health and wellness apps
How Does the FTC Enforce Data Privacy Regulations in Healthcare?
The FTC has two main levers to hold healthcare companies accountable for their data-handling practices:
The FTC Act
The FTC Act prohibits companies from engaging in “unfair or deceptive acts or practices.” Translation: It’s illegal for businesses to lie to consumers about what’s happening with their private health information.
If you’re a for-profit healthcare company, that means you have to go beyond HIPAA compliance. You also have to ensure your statements to consumers aren’t deceptive or misleading—otherwise, it could be a violation of the FTC Act.
The Health Breach Notification Rule
The Health Breach Notification Rule (HBNR) requires both for-profit and non-profit vendors of personal health records, related entities, and third-party service providers to notify consumers, the FTC, and potentially the media if there’s a data breach involving unsecured health information.
The term “breach” might remind you of cyberattacks or employee negligence. But the HBNR also covers the unauthorized transfer of data to third-party platforms like Google and Meta. If a healthcare company discloses personal health records or related information to an advertising platform without proper authorization, the FTC has the right to crack down.
Anatomy of an FTC Investigation
Here’s how privacy-related FTC enforcements typically work:
- Initiation: The FTC can start an investigation based on complaints, referrals, or its own monitoring activities.
- Investigation: The FTC collects evidence through document requests, subpoenas, and interviews.
- Preliminary Findings: If evidence suggests a violation, the FTC may issue a warning or propose a settlement.
- Enforcement Action: If unresolved, the FTC can file a complaint in federal court or initiate an administrative action.
- Resolution: Cases are resolved through settlements, court orders, or administrative rulings, which may include fines, injunctions, or required changes in practices.
The timeline can vary, but investigations and enforcement actions can take several months to years, depending on the complexity of the case.
Notable FTC Enforcements Against Healthcare Companies
The FTC has a history of taking action against healthcare companies that fail to protect consumer data. Let’s take a look at three high-profile cases.
GoodRx
In 2023, the FTC enforced the HBNR for the first time after GoodRx was charged with sharing personal health information with third parties.
The FTC fined GoodRx $1.5 million for “deceptively” sharing information with Facebook and other providers and “cash[ing] in on consumers' extremely sensitive and personally identifiable health information.” For context, GoodRx was serving ads to customers based on their use of GoodRx.
Premom
Ovulation tracking app Premom violated the FTC's Health Breach Notification Rule by sharing sensitive health data with third parties and failing to notify users.
The FTC's settlement with Premom requires the company to stop sharing personal health data with third parties, which has destroyed their ability to advertise effectively on most digital platforms. Premom also now has to obtain consent before sharing any health data for any purpose, and to pay a fine of $100,000.
Cerebral
In April 2024, the FTC ordered the telehealth company Cerebral to pay a $7 million fine for disclosing their customers’ personal health information to third parties for ads.
“Cerebral violated its customers’ privacy by revealing their most sensitive mental health conditions across the Internet and in the mail,” said FTC Chair Lina Khan.
In addition to the fine, the FTC banned Cerebral from sharing most data with marketing tools, a catastrophic blow to their customer acquisition strategy.
Check out our deep dive into the FTC’s crackdown on Cerebral.
How to Stay Compliant with FTC Privacy Regulations
Here are three steps every healthcare organization should take to stay on the FTC’s good side.
Ensure Transparent Data Practices
To comply with the FTC Act, healthcare companies need to provide clear disclosures to consumers about data collection practices, including obtaining informed consent for data usage and sharing.
“Don’t bury key facts in links to a privacy policy, terms of use, or the HIPAA authorization,” the FTC says.
Evaluate Your Tracking Technologies
Web trackers are notorious for triggering privacy violations. Accordingly, you’ll need to audit every piece of tracking tech on your website to ensure it doesn’t share sensitive information with any unauthorized third party.
This will require some collaboration with your product, marketing, IT, and legal teams. For each tool, ask these two questions:
- What data is that web tracker sharing?
- Is that data sharing permissible?
Want a full assessment of your website’s privacy risks? Get a free web tracker report.
Govern the Data Shared From Your Website to Third-Party Tools
The best way to prevent the FTC from knocking on your (digital) door is to stop sharing sensitive data in the first place.
Many native web trackers take your users’ and patients’ sensitive information to enrich their platforms. However, they don't need all that data to deliver results.
Freshpaint's Healthcare Privacy Platform helps you securely capture visitor data, then choose what’s safe (or not) to share with downstream tools.
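The two audit questions above (what is each tracker sharing, and is that sharing permissible?) and the governance step can be expressed as a small policy check. The following is an added example written for this article, not Freshpaint's or any vendor's code; the destination hosts, the per-destination allow-lists, the sensitive field names and the captured sample requests are all constructed for illustration.

```javascript
// Added example: audit captured outgoing tracker requests from a healthcare
// website and strip fields a destination is not permitted to receive.
// Hosts, allow-lists, field names and sample requests are constructed.

// Per-destination allow-list: the only query/body fields each third-party
// tracker may receive. Anything not in the set is a policy violation.
const THIRD_PARTY_POLICY = {
  'www.facebook.com': new Set(['ev', 'id']),               // assumed policy
  'www.google-analytics.com': new Set(['tid', 'cid', 'ea']), // assumed policy
};

// Field names and URL path segments that signal personal health information.
const SENSITIVE_FIELDS = new Set(['email', 'phone', 'dob', 'condition', 'diagnosis', 'medication']);
const SENSITIVE_PATHS = /\/(conditions|appointments|prescriptions|results)\b/i;

// Question 1 and 2 for one captured request: what is shared, and is it allowed?
function auditRequest(req) {
  const host = new URL(req.url).hostname;
  const policy = THIRD_PARTY_POLICY[host];
  if (!policy) return { host, thirdParty: false, violations: [] }; // first-party endpoint
  const violations = [];
  for (const [key, value] of Object.entries(req.params)) {
    if (!policy.has(key)) violations.push(`field "${key}" not allow-listed for ${host}`);
    if (SENSITIVE_FIELDS.has(key.toLowerCase())) violations.push(`field "${key}" is sensitive`);
    // Page URLs forwarded by pixels (e.g. a "dl" field) can leak the condition a visitor read about.
    if (typeof value === 'string' && SENSITIVE_PATHS.test(value)) {
      violations.push(`field "${key}" leaks a sensitive page path`);
    }
  }
  return { host, thirdParty: true, violations };
}

// Governance step: keep only allow-listed, non-sensitive fields before forwarding.
function governParams(host, params) {
  const policy = THIRD_PARTY_POLICY[host];
  if (!policy) return { ...params };
  return Object.fromEntries(
    Object.entries(params).filter(([k]) => policy.has(k) && !SENSITIVE_FIELDS.has(k.toLowerCase()))
  );
}

// Constructed sample: a pixel beacon fired from a condition page, and a first-party call.
const SAMPLE_REQUESTS = [
  { url: 'https://www.facebook.com/tr', params: { ev: 'PageView', id: 'PIXEL_ID_PLACEHOLDER',
      dl: 'https://clinic.example/conditions/depression', email: 'pt@example.com' } },
  { url: 'https://clinic.example/api/analytics', params: { condition: 'asthma' } },
];

for (const req of SAMPLE_REQUESTS) console.log(auditRequest(req));
```

Run against your own captured requests (from browser devtools or a proxy export), the report tells you which fields each tracker receives and which would fail your policy before anything leaves the page.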
What Happens if You Ignore the Risks?
FTC crackdowns are costly in terms of time, money, and consumer trust. Here’s what’s on the line.
Financial Loss
The FTC has issued several multi-million-dollar fines against healthcare companies for violating privacy rules. But fines aren’t the only financial burden to be aware of. These court cases can drag on for months, and paying lawyers to defend you is a fast way to burn through cash.
Bans On Data Use
The FTC has the power to throw a wrench into a healthcare company’s business model if a privacy violation occurs. Remember, Cerebral and Premom were both banned from sharing their users’ personal and health information with third parties for marketing purposes.
Without accurate data (or without data at all), advertising costs will soar, which in turn causes your customer acquisition cost to soar—and that’s unsustainable for any company.
Negative Press
Fines against healthcare companies are public spectacles. Accordingly, your organization can end up in the headlines for all the wrong reasons if you don’t proactively safeguard your users’ and patients’ data.
Loss of Consumer Trust
Online privacy is a value that’s nearly universal amongst consumers, especially when their medical information is in the mix. When healthcare companies blatantly disregard patient privacy, consumer trust quickly evaporates—rightly so.
Will the Recent AHA Lawsuit Ruling Affect FTC Enforcement?
The short answer is no—the recent AHA ruling doesn’t absolve healthcare companies from adhering to FTC privacy regulations.
In June 2024, a federal judge vacated a narrow portion of HHS guidance on web tracking technologies. However, the ruling did nothing to shield for-profit healthcare companies from the FTC, which operates separately from HHS.
As data privacy violations become increasingly common in healthcare, the FTC shows no signs of loosening up. But as long as you take a privacy-first approach to marketing, you can dodge the fines and PR nightmares. Need help making that happen? Talk to an expert at Freshpaint about auditing your website for privacy risks.