Rachel Woods: Let me tell you where my brain goes when I think about the FTC, I think about antitrust. And if I'm correct, some of the research that you all have done shows that from 2016 to 2020, half of the FTCs focus in healthcare was on antitrust. That's the majority. And very little, like 2% or something like that, was actually on data privacy, which is of course the conversation that we want to have today. We're starting maybe to see the FTC shift its focus. What are we seeing now?

Sara Zargham: So like you mentioned, Rae, we are really starting to see the FTC crack down on companies that share consumers sensitive health data. So one reason that the FTC is really stepping in is that not all health data is actually covered by HIPAA. For example, when health data exists in an app as opposed to through your provider or insurer, it isn't technically covered by HIPAA, and because of that, it's not subject to the same level of protection and confidentiality that HIPAA really demands. So we've been thinking a lot about this as almost a HIPAA gap or a gap in protection of health data depending on really its source and context.

So HIPAA's one example, and then another big thing that we're seeing with the FTC is they're actually starting to really enforce specifically using the health breach notification rule. This was actually originally passed in 2009, so 14 years later we're just starting to see this being leveraged and HBNR basically requires health apps to inform users when there's been an infringement on their information, and this is actually what happened with GoodRx recently.

Woods: And Paul, I think you have some personal experience with GoodRx and the health breach notifications rule. Is that right?

Paul Trigonoplos: Yeah. I use GoodRx in my personal life and I got an email a few months ago. Do you want me to read it?

Woods: Yeah, let's do it.

Trigonoplos: Okay. "The Federal Trade Commission alleges that between July 2017 and April 2020, you visited GoodRx or used the GoodRx app. During this time, we shared identifiable information related to you, including health information, without your permission. This information includes included details about drug and health conditions you searched and your prescription medications. We shared this information with third parties, including Facebook, in some cases GoodRx used the information to target you with health-related ads. The FTC alleges we broke the law by sharing your information without your permission. To resolve the case, we have agreed to an FTC order requiring that we'll tell third parties like Facebook who received that information to delete it. We'll never share your information with other third parties. We'll never share your information for other purposes unless we get your permission."

And there's a few more bullets on basically things they will not do, that they were alleged to do, but still deny.

Woods: So what is your real talk translation of this email that you got?

Trigonoplos: It sounds like because they settled, they don't have to admit guilt, so they can just say sorry and we're going to change the way we act in the future. Also, use of the word alleged is a little bit galling here, but that might be a side point, because they did have to pay up at the end of the day.

Woods: My interpretation is, sorry, we promise not to do it again.

Ty Aderhold: And Rae, the other thing I would add here is it doesn't truly address all of the data that now exists with third parties. And GoodRx isn't the only organization that has done this. So another consideration here is how many non-healthcare organizations, data aggregators, places like Meta that now have consumer health data.

Woods: And again, that data is not protected by HIPAA.

Aderhold: Right. As soon as it's outside of the hands of a healthcare provider, organization or payer, it's not going to be protected.

Zargham: Absolutely, Ty. This is just the first of many to come. And actually following the GoodRx settlement, the FTC put other companies on notice for sharing consumer sensitive health information for advertising purposes. So this is probably just the first of a lot to come.

Woods: But it also took us 14 years to get here. So why is the FTC kind of finally feeling momentum to act now?

Aderhold: Frankly, Rae, I think we've just reached a breaking point, for regulators and for advocates, I think we've reached a point where there's been enough reports and sort of whistleblowing journalism that has been done. There's been enough outcry, particularly around providers sending data to Facebook, and that's health systems as well, there's been big reporting around that.

And we haven't seen any other sort of agencies or regulators step up to sort of fill some of the gaps that have come about as we've continued to expand our data capabilities and the usefulness of consumer data. And so I think the FTC is seeing that gap and saying, "All right, if there's no one else that's going to step in here, we do have this law we passed back in 2009, let's start to use it to fill some of those gaps."

Trigonoplos: I also think the momentum here reflects just the posture of the FTC overall. Like Lina Khan has said that healthcare's kind of where they're going to be aggressive and separately you can see some signals in their new budget on how aggressive they're going to be on the consumer protection side this year and next year. And they also are going to try to move the law forward however they can to beef up their ability to prosecute what is either anti-competitive or harmful to consumers, this is on that list.

Zargham: Yeah, I agree, Paul. I think it's also a lot easier for the FTC to regulate, like you were saying, now that there is precedent that's been established with GoodRx's win, and then also with recent settlements across the past few years with both Flo and Better Health as well, who also shared sensitive health information with large technology companies.

Woods: Meaning those are apps, Flo and Better Health are apps that collect user data, sold that data, right?

Zargham: Yes. So with these wins, I think it's a lot easier really for the FTC to kind of continue the momentum here as opposed to with vertical integration for example, which is an area they are exploring, but they haven't really made any concrete strides there.

Woods: That's right. And that's something that we've talked about before on this podcast. But if what I'm hearing you say is that the momentum is just going to keep gaining speed, I want to talk about who's going to be impacted by that. Look across healthcare, who are the winners and the losers of the FTCs actions?

Trigonoplos: I'll start with the loser, which is just anyone that makes money using or selling consumer data, this makes it a lot harder to get the free or cheap data that you'd want to make that revenue.

This is mostly tech companies, apps, some big tech a little bit, Facebook, Meta, they might be impacted because they can't get the same advertising data, but I mean, I think they'll be okay. It's really kind of smaller health tech companies that I think are going to be on the losing side here, rightfully or wrongfully, depending on how you look at it.

Aderhold: And that's especially true because for a lot of earlier stage startups or tech companies trying to operate in the healthcare app space, data has been their short term revenue as they try to build a larger model. So they've relied on patient data as a revenue source short term as they try to build out market share in a long term actual business plan.

Woods: Wait, wait, wait, I'm guessing that alarm bells are going off for our listeners right now, that are going, "Wait a minute, I'm partnering with a tech company, or I'm being told I should partner with a tech company, or I need to bring my business into the future and be thinking about artificial intelligence, to be thinking about a digital front door." And these are things Advisory Board has said. What does it mean for organizations that partner with tech companies?

Aderhold: I think the biggest thing is that you have to be doing your due diligence right now. We know health systems and health plans have been investing heavily in consumer data and getting consumer insights from big tech companies like Meta.

Most of those arrangements, I'm guessing, involve data moving in both directions, and that is where these organizations need to be looking. What are we sending out? What are we giving up in return for some of these consumer insights that we've started to use and are really valuable to our organization? And do we need to change our practices there?

Woods: And I'm guessing that muscle is actually going to be very new for most healthcare organizations, is that right?

Aderhold: Yes. The people who have made the decisions around marketing and consumer data aren't used to having to consider the regulators and FTC and HIPAA and all these different regulations. And so certainly I would say a new muscle to flex.

Woods: So patients have to be the winner then, because the goal is to protect patients, people who are using these data in their daily lives. Is it as simple as saying that?

Zargham: I think on the surface, yes, the idea is that this precedent should protect data privacy somewhat, at least when it comes to apps selling your data to Google or Meta or really any other big tech company.

But this isn't a comprehensive solution at the end of the day, to data privacy concerns, unfortunately. And there's still a lot of use cases that need to be hatched out, and this is, I think, really just the beginning in terms of any sort of real regulation this space. I mean, we keep going back to the fact that the HBNR was passed in 2009 and then it took 14 years for really any action to be taken with it. So I think we're kind of a long time out from seeing real comprehensive protection.

Woods: Patients and consumers could ultimately benefit here. And what I mean by that is benefit from the FTC's crackdown on data sharing. And this is where I want to be particularly careful with what I'm about to say. If it sounds like patients could benefit, is it actually their responsibility to take a bigger part in their own data privacy? Is that even fair to ask that of the general population?

Aderhold: I have a pretty short answer for you, Rae. I would say no, it's not fair to place that on patients, particularly when this is oftentimes very sensitive data they might be giving in high stress scenarios where there's a million other things they need to be focused on other than the fine print in the app when they click through once initially downloading it.

Woods: And it's not only high stress scenarios. First of all, no one probably actually reads the terms and conditions. In last week's episode, Solomon very gently but bluntly made fun of me for giving away my data to Amazon when they were buying One Medical and we were all in a meeting and I said, "Let me get on and let me see what I can do," and then all of a sudden realized not only did I pay $40 for that visit, but I was giving away information to Amazon that is protected in a different way than if I was doing that through a provider telehealth program, right?

Aderhold: Right. But I would say the other thing, Rae, is that terms and conditions is the most obvious place that a patient would know. And again, it should not be on them to know that. But a lot of the news stories we've seen that have broken is on a scheduling website for a provider, a patient puts in their information to try to schedule online and that information ends up going to Meta. And in that case, there are no terms and conditions. The patient is just going to the provider's website expecting that, hey, I'm just filling out this form. And those are the scenarios where there is, I would say, it should be 0% on the patient.

We're likely to see continued action and enforcement from the FTC when it comes to sharing sensitive health data. Read on for how FTC's new focus on consumer privacy could impact healthcare.