For consumers, health care industry experts say, the shift offers more privacy, but could also make it more difficult to find primary care, mental health and other medical services online.
“Legal and compliance teams … are telling the marketing team that these tools are dead men walking, you need to shut it off immediately,” said Ray Mina, head of marketing at Freshpaint, a San Francisco firm that provides software to health care firms for firms managing customer marketing data.
The backdrop for this new concern is a rising trend of Americans receiving information or services from mental health apps, telehealth services and hospital websites. People may not know that these services are capturing detailed personal information that is then used for marketing and advertising.
Now, as regulators set new limits on how this data is used and shared, Mina said clients have swamped his firm with questions about what data it’s collecting and with whom it is sharing it. So Freshpaint has to ensure it doesn’t run afoul of the regulators.
It’s a seismic shift for the industry that’s playing out in the numbers.
In the first three months of 2023, telemedicine firms spent a quarter of what they did on targeted Facebook and Google ads during the same period last year, according to data from MediaRadar, an ad industry intelligence platform. Meanwhile, MediaRadar data shows nonprofit health systems also halved their spending on targeted ads during that same three-month period year-over-year.
HIPAA and its limits
Until recently, much of the health data online — picked up in searches, by websites, apps and wearables — was thought to be outside the government’s purview. The federal health data privacy law, HIPAA, only covers patient data collected by insurers and health care providers, such as doctors or hospitals.
Collecting data consumers leave online, and using it to market products, is a key mechanism for reaching customers that executives are now fretting about.
Last year, lawmakers proposed broad data privacy legislation, but Congress didn’t pass it. Agencies from HHS to the FTC are trying to expand data protections anyway, arguing that existing authorities provide them the power to do so, even though they haven’t used those authorities to broadly protect health data in the past.
HHS’ Office for Civil Rights surprised insurers and health care providers in December when it issued a bulletin expanding its definition of personally identifiable health information and restricting the use of certain marketing technologies.
The office warned that entities covered by HIPAA aren’t allowed to want to only disclose HIPAA-protected data to vendors or use tracking technology that would cause “impermissible” disclosures of protected health information.
That protected data can include email addresses, IP addresses, or geographic location information that can be tied to an individual, under HHS’ 22-year-old HIPAA privacy rule.
“We’re seeing people go in and type symptoms, put in information, and that information is being disclosed in a way that’s inconsistent with HIPAA and being used to potentially track people, and that is a problem,” said HHS Office for Civil Rights Director Melanie Fontes Rainer at the International Association of Privacy Professionals’ summit in Washington this month.
Meanwhile, in February, the Federal Trade Commission said it had fined prescription discount site and telehealth provider GoodRx $1.5 million for sharing customer data with Google, Facebook and other firms.
The FTC’s principle power allows it to police “unfair and deceptive” practices and GoodRx had told customers it would not share their data, and misled them into thinking their records were safe under HIPAA, the agency said.
But the FTC also cited a violation of its health breach notification rule, which says entities not covered by HIPAA that collect personally identifiable health information must tell consumers when there’s been a breach of their data. The agency had never used the rule, which was previously considered a cybersecurity enforcement tool, as a stick to wield against companies that knowingly shared customer data with business partners.
The agency said to expect similar enforcement to come and last month fined online therapy provider BetterHelp $7.8 million for sharing customer data after telling patients it would not.
“Firms that think they can cash in on consumers’ health data because HIPAA doesn’t apply should think again,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “Our recent actions against GoodRx and BetterHelp make it clear that we are prepared to use every tool to protect Americans’ health privacy, and hold those who abuse it accountable.”
In both of the cases, the FTC required the firms to change their data protection practices and to stop sharing customer information. Both companies settled their cases, but denied wrongdoing.
GoodRx said in a statement that it “had used technology vendors to advertise in a way that we believe was compliant with all applicable regulations and that remains common practice among many health, consumer and government websites.”
BetterHelp said in a statement that it was accused of using “limited, encrypted information to optimize the effectiveness of our advertising campaigns so we can deliver more relevant ads and reach people who may be interested in our services.”
The company suggested that it had been unfairly singled out, since “this industry-standard practice is routinely used by some of the largest health providers, health systems, and healthcare brands.”
Everyone from online telehealth providers to major hospital systems is taking notice.
“They’re taking a look at anything that looks like a marketing operation that sits on their website and they’re pulling back from it until they get more guidance from HHS,” said Anna Rudawski, a partner at law firm Norton Rose Fulbright who advises health care organizations on data protection.
Measuring the fallout
Data privacy advocates are urging the regulators on, arguing that health information deserves special protections and that enforcement needs to evolve now that the world has moved online. They expect companies to adjust.
“Advertising does not have to be privacy-invasive to be valuable or effective,” said Cobun Zweifel-Keegan, managing director of the Washington office of the International Association of Privacy Professionals.
And the industry is hardly putting up a united front in response.
Laterease Tiffith, the executive vice president for public policy at the Interactive Advertising Bureau, a trade group for online advertising firms, for example, said that recent enforcement actions target companies that explicitly misrepresented their data privacy policies by not telling customers they were sharing information about them with third parties.
“If you tell consumers, we’re not going to do X, and you do X, that’s a problem,” he said. “I don’t think it has anything to do with our industry.”
But some health care executives aren’t so sure. “This has been the reason that my CEO can’t sleep at night,” said a lawyer for a telehealth company whom POLITICO granted anonymity so as not to draw attention to their client.
Rudawski said risk-averse health care organizations are discontinuing advertising with major platforms like Google and Facebook until the new regulatory environment is clearer.
And Brett Meeks, executive director of the Health Innovation Alliance, which represents providers, insurers, and others on health technology matters, said that health systems wanted to follow the rules, but were not prepared for the abrupt policy changes. “It’s hard to follow the rules that change with little notice,” he said.
Others may be trying to avoid the fines and remedies imposed on GoodRx and BetterHelp with preemptive action.
Online telehealth provider Cerebral, which is under federal investigation for allegedly overprescribing controlled substances and, reportedly, for violating privacy regulations, recently filed a data breach notification with HHS, citing its December guidance.
“Cerebral determined that it had disclosed certain information that may be regulated as protected health information under HIPAA to certain Third-Party Platforms and some Subcontractors without obtaining HIPAA-required assurances,” the firm said in the notice, which it also sent to 3.18 million patients and others who visited its website or used its app.
At the same time, the company told customers it hadn’t done anything unusual by tracking their clicks and sharing that information with other businesses, calling it standard practice “in many industries, including health systems, traditional brick and mortar providers, and other telehealth companies.”
In a statement, Cerebral said that the new HHS guidance marked a sea change for the health care industry because it said that “all data — including the submission of basic user contact information — gathered from a healthcare entity’s website or app should be treated as [protected health information]” under HIPAA.
A number of other health care organizations not previously known to be in sight of regulators have also submitted breach reports this year, acknowledging that web trackers they’d employed had collected patient data. New York-Presbyterian Hospital, UC San Diego Health and alcohol recovery telehealth company Monument filed breach reports last month; Brooks Rehabilitation did so in January.
Still other firms are taking a wait-and-see approach, hoping for more guidance from both the FTC and HHS.
An executive at a telehealth company, who spoke on the condition of anonymity so as not to draw attention to his firm, said he doesn’t take issue with the FTC’s actions or the HHS guidance, but is concerned it could lead to more restrictive privacy guidance that directly interferes with standard advertising practices.
“That would suddenly create real challenges for companies to market their services, which if their company is doing something good in the world, you want their services marketed. So how do you balance?” he asked.