From 2016 to 2020, almost 50% of all FTC action on competition was in the healthcare sector, whereas less than 2% of their action on consumer protection was against healthcare companies. But we've already seen the FTC take more aggressive action in 2023. They came down hard on two companies for sharing sensitive consumer health information with other organizations and warned Amazon and One Medical that they would take action if they shared sensitive health data with each other.
There are three indicators that point to the FTC's willingness to take an even larger role here moving forward, a trend which brings long-term implications for new and incumbent stakeholders alike.
February 1st, 2023: The first time the FTC successfully acted against a company for violating the Health Breach Notification Rule.
Over a decade after the FTC first issued the Health Breach Notification Rule (HBNR), which requires health apps to inform users when there has been an infringement on their information, the FTC took action against GoodRx — and is also putting other companies on notice.
Samuel Levine, Director of the FTC's Bureau of Consumer Protection said the following regarding the GoodRx complaint: "Digital health companies and mobile apps should not cash in on consumers' extremely sensitive and personally identifiable health information … The FTC is serving notice that it will use all of its legal authority to protect American consumers' sensitive data from misuse and illegal exploitation."
This is likely the first action of many around HNBR now that the precedent for using it is established, especially considering how common it is for healthcare apps and companies to sell consumer data.
62: The number of new FTEs the FTC is requesting join its Bureau of Consumer Protection.
Lina Khan, current head of the FTC, has been clear about the administration's aggressive stance on both anticompetitive business practices and consumer protection and data privacy. The recent budget request states that the FTEs will help ensure compliance, rulemaking, and supporting enforcement investigations.
Although this is a request for the 2024 budget and not the final budget, the language shows that the FTC is serious about expanding its consumer protection reach — which we've already seen play out in the start of 2023 regarding sensitive consumer health data.
'The misuse of mobile location and health information – including reproductive health data – exposes consumers to significant harm': The FTC's post-Roe v. Wade statement, doubling down on protecting reproductive health consumer data that isn't covered by HIPAA.
HIPAA's health data protections have failed to keep up with the rapid growth of the health technology sector, but some regulative authority could come from the FTC. The Health Insurance Portability and Accountability Act (HIPAA) protects sensitive health information where health insurers and doctors are concerned, but it does not protect health data in apps or in written communication between individuals. This gap in protection is especially concerning in a post-Roe world, where prosecutors can access and use unprotected reproductive health data to enforce anti-abortion laws.
While the FTC has limited legal jurisdiction when it comes to protecting health data or changing legislation, the agency could pursue action against companies that deceive customers when it comes to privacy or buying and selling health data. In 2021, the FTC finalized a settlement requiring Flo Health Inc, a fertility-tracking app, to receive clear consent from consumers before sharing personal health data.
Nearly a third of American women using cycle tracking apps. We expect reproductive health data to become a bigger and more politically charged battleground for consumer protection.
Somewhere in the middle
Create your free account to access 2 resources each month, including the latest research and webinars.
You have 2 free members-only resources remaining this month remaining this month.
Never miss out on the latest innovative health care content tailored to you.