The Federal Trade Commission has published a detailed blog post on health information, setting the stage for future enforcement … and not just regarding health information.

There are some eye-opening takeaways in it, making the blog post a must-read.

Still, here are some of my thoughts:

There are explicit obligations regarding the following to avoid potential FTC Act Section 5 violations:

  • Health information is (way) broader than you think
  • Yes you do need internal policies and procedures
  • You need to data map
  • There is potential liability for recipients of health information
  • FTC has parallel authority over HIPAA covered entities
  • You can’t have “just in case” provisions in your privacy notice
  • You can’t have vague language in your privacy notice

In more detail:

Health Information is a Broad Term, and the Stakes are High

  • Health information isn’t just about medications, procedures, and diagnoses. Rather, it’s anything that conveys information – or enables an inference – about a consumer’s health.
  • The fact that a consumer is using a particular health-related app or website – one related to mental health or fertility, for example – or how they interact with that app may itself be health information.
  • Location data can convey health information. For example, repeated trips to a cancer treatment facility may convey highly sensitive information about an individual’s health.
  • The FTC has prioritized enforcement regarding health data, and specifically biometrics, genetic data and reproductive information.
  • The FTC has imposed and will impose large fines. It also has banned use of health data for advertising purposes; has ordered deletion of data, models and algorithms; and has held individuals personally liable.

The FTC is Looking for Evidence of Privacy by Design

  • The need for privacy by design is (or should be!) axiomatic at this point, especially when it comes to sensitive personal information.
  • This includes a written privacy program, privacy training and supervision, and data retention, purpose and use limitations.
  • In BetterHelp and GoodRx, the FTC specifically alleged that the companies’ failure to have appropriate privacy policies and procedures contributed to the alleged unfair privacy practices.
  • Map your data and know who is responsible for handling it. “The junior marketing analyst did it” is not a good defense.

Beware Stealth Tracking

  • Don’t share consumers’ health information improperly – and don’t receive it either.
  • For the recipient: If you receive information from other companies for advertising or marketing purposes (for example), you may have a responsibility under Section 5 to take steps (such as procedural and technical measures) to ensure you don’t engage in the unauthorized receipt, use or onward disclosure of sensitive information. Merely using a standard, out-of-the-box contract or terms of use to prohibit sending certain information may not be enough.

HIPAA aspects

  • Section 5 of the FTC Act also applies to most entities covered by HIPAA.
  • “HIPAA Compliant,” “HIPAA Secure” and similar claims may deceive consumers.
  • Companies that provide HIPAA seals and certifications also may be liable for deceptive claims if the seal or certification falsely implies that the recipient is covered by HIPAA, is complying with HIPAA, has been reviewed by a government agency or has received government approval.
  • Don’t say “we disclose information about the use of the services.” Instead say front-and-center on the home page: “We share your health information with third-party advertising companies so that we can target you with ads.”
  • Euphemisms hidden in privacy policies can be unfair and deceptive.

Privacy notice aspects

  • Reserving the right to make big changes to your privacy policy isn’t real consent and cannot be used for material, retroactive privacy policy changes. (Note: this is also the case under CPRA, Colorado CPA, etc.)
  • Do not hide key terms about data practices in dense privacy policies or terms of service filled with ambiguous language that cloaks how you really use consumers’ health information.
  • Processing and sharing health information requires affirmative express consent – consent that can be obtained only following a clear and conspicuous disclosure of all material facts. (Note: this is also true under the Colorado CPA and most other state privacy laws that require opt-in consent for health information, as well as under Washington State’s My Health My Data law.)
  • Omission is misleading too. It’s crucial to disclose all material information to consumers about how you’re using and disclosing their sensitive health information.