Watch out HHS, the FTC is taking the lead in enforcing privacy violations by companies also subject to HIPAA. BetterHelp, an on-line mental health platform, engaged in unfair and unreasonable privacy practices according to the FTC’s complaint, leading to a proposed $7.8 million settlement payment to customers.

The U.S. Department of Health and Human Services (HHS) warned us that use of on-line tracking technologies can violate HIPAA. Now the Federal Trade Commission (FTC) is flexing its enforcement muscles. Last month, it published a post about the $1.5 million civil monetary penalty it imposed on drug discount and telehealth provider GoodRx for violating the FTC act’s prohibition on unfair and deceptive practices. According to the FTC complaint, GoodRx shared sensitive health information with third parties using automated data tracking tools from Facebook, Google, Criteo, and other third parties into its websites and Mobile App. These tracking tools collected and sent data to third parties so that they could provide advertising, data analytics, or other business services to GoodRx.

Those of us attuned to HIPAA requirements shouldn’t be surprised by anything here, but these quotes from the FTC’s BetterHelp blog post are worth noting.

Generally speaking, an email address might not be considered “health information” – unless, of course, the source of the information is a health-related service. In the case of BetterHelp, most people visited the site to seek mental health assistance. Therefore, just the fact that BetterHelp, Pride Counseling, or Faithful Counseling was the source of their email or IP address revealed highly sensitive information to third parties. The message for others in the industry: Context counts.”

HIPAA translation: Yes, the patient’s or member’s email or IP address or cell phone number is protected health information, even as a stand-alone identifier.

Although BetterHelp hashed people’s email addresses before sharing them with third parties – in other words, converted them into a sequence of letters and numbers through a cryptographic tool – the hashing was done just to hide the addresses in case of a security breach. The FTC says BetterHelp knew that third parties like Facebook would effectively undo the hashing to reveal the email addresses of people who had gone to the BetterHelp site for mental health services. Once Facebook had those addresses, it would easily match them to the email of people with Facebook accounts. What can other companies learn from that example? Certainly there are instances where hashing may be called for, but it won’t protect the privacy of consumers’ information if third parties can un-hash the data.

HIPAA translation: Hashing data is not the same as de-identifying data in accordance with HIPAA. Beware of vendors who say they don’t access PHI simply because it’s hashed.

As the FTC’s complaint makes clear, a lack of appropriate safeguards can lead to unfair and deceptive practices related to the collection, use, and disclosure of health information. For example, the complaint alleged that BetterHelp failed to have written policies and procedures for protecting the privacy of health information. And it failed to properly train and supervise employees that handled that health information. It also didn’t get consumers’ affirmative express consent before disclosing their health information to third parties and it failed to contractually limit those third parties from using the data for their own purposes.”

HIPAA translation: Covered entities — make sure your HIPAA Notice of Privacy Practices is accurate and up-to-date. Business Associates make sure your website Privacy Notices are up-to-date and accurately describe your role under HIPAA and your business associate agreements. Both — comply with these notices.

And my personal favorite:

“Almost all of BetterHelp’s pages displayed multiple seals from third parties. Among them was a depiction of the medical caduceus and the term “HIPAA.” The complaint alleges that BetterHelp’s use of that visual falsely signaled to consumers that a government agency or other third party had reviewed the company’s practices and determined they met HIPAA’s requirements. Have you checked your site recently for graphics that could send similar deceptive messages?”

Interestingly, GoodRx also allegedly displayed a “HIPAA seal” on its website for several months in 2019. The implication (let alone outright statement) that a company is “HIPAA compliant” is risky. Even the most HIPAA=conscious covered entity or business associate is one small HIPAA violation away from making a false (aka deceptive) statement.

For more on FTC’s BetterHelp action, see fellow Fox partner Odia Kagan’s post here.