FTC BetterHelp Investigation
A January study by MarkUp and Stat showed how the top 50 telehealth startups routinely share sensitive patient information with marketing companies for profit. Since then, industry news headlines have been dominated by a systematic crackdown by US federal agencies on companies suspected of sharing sensitive patient information. Some of the more well-known companies under scrutiny are BetterHelp, Cerebral, and GoodRx.
In the most recent FTC announcement regarding the BetterHelp investigation, the FTC explained that BetterHelp uploaded website visitor email addresses to marketing companies such as Facebook. The FTC announcement clarified that email addresses constitute personally identifiable health information because email addresses identify visitors as people seeking mental health care. It specified six clear takeaways for healthcare companies.
Takeaways are abbreviated below for the reader’s convenience using salient FTC language.
- “Personal information” may be “health information” simply due to the nature of the product or service. Generally speaking, an email address might not be considered “health information” – unless, of course, the source of the information is a health-related service.
- Institute policies, practices, and procedures to protect health information. For example, the complaint alleged that BetterHelp failed to have written policies and procedures for protecting the privacy of health information. And it failed to properly train and supervise employees that handled that health information. It also didn’t get consumers’ affirmative express consent before disclosing their health information to third parties, and it failed to contractually limit those third parties from using the data for their own purposes.
- Ditch deceptive design. As the complaint discusses in detail, while BetterHelp moved consumers through a series of prominent prompts in an effort to get them to turn over their personal information, the company put privacy “disclosures” behind hard-to-find and hard-to-read links.
- “Slinging hash” won’t necessarily protect consumers’ personal data. Although BetterHelp hashed people’s email addresses before sharing them with third parties – in other words, converted them into a sequence of letters and numbers through a cryptographic tool – the hashing was done just to hide the addresses in case of a security breach. The FTC says BetterHelp knew that third parties like Facebook would effectively undo the hashing to reveal the email addresses of people who had gone to the BetterHelp site for mental health services. Once Facebook had those addresses, it would easily match them to the email of people with Facebook accounts.
- Monitor data flows to all third parties your site or app may transmit to via web beacons, pixels, or other tracking technologies. It’s illegal to make privacy promises to consumers without taking into account any information that’s going to third parties through various forms of ad tech. It boils down to this: Don’t make privacy promises that your practices don’t live up to.
- When it comes to conveying claims to consumers, a picture can be worth a thousand words. Almost all of BetterHelp’s pages displayed multiple seals from third parties. Among them was a depiction of the medical caduceus and the term “HIPAA.”
Full details are available on the FTC Business Blog website.
US Justice Department Privacy Update
The Department of Justice’s (DOJ) Antitrust Division withdrew three policies to clarify its position on sharing sensitive patient data on February 3, 2023. These policies were jointly authored by the DOJ and the FTC to provide guidelines on business collaborations in the healthcare industry that were, in the words of the DOJ, “overly permissive on certain subjects, such as information sharing.”
Concurrently on February 2, 2023, DOJ’s Principal Deputy Assistant Attorney General Doha Mekki spoke at an antitrust conference on these changes. He stated that the guidance provided in these documents “no longer reflects the market realities of the modern health care system or the Division’s current enforcement priorities.” Recent decisions have set increasingly clear limits on groups seeking to profit from sharing sensitive information.
Mobile Apps Industry Is Not Yet Included
The researcher expressed interest in buying patient data collected from mental health apps, only to learn that such sales are straightforward to negotiate. The report commented that the information typically includes detailed mental health information and is affordable. The report also explained that HIPAA regulations may not be as clear as needed for health apps if covered entities such as clinicians are not involved.
In its telehealth crackdown, FTC investigations have not explicitly mentioned the involvement of mental health app companies, mental health support websites, or data brokers in selling consumer health data. More is yet to come as these peripheral industries come under needed scrutiny.
How to Report Bad Business Practices to the FTC
Clinicians concerned about specific practices they see in telehealth companies, apps, mental health support websites, or data brokerages may want to consider filing a report to the FTC to request an impartial investigation. Any US citizen can request an investigation if they suspect bad business practices. This FTC FAQ explains what should and should not be reported and how to request an investigation of an employer and remain anonymous.
In fact, requesting such investigations may be the ethical thing to do. See Section 1.5 of the American Psychological Association’s Ethical Principles and Code of Conduct, quoted here (bolded emphasis is mine):
1.05 Reporting Ethical Violations
If an apparent ethical violation has substantially harmed or is likely to substantially harm a person or organization and is not appropriate for informal resolution under Standard 1.04, Informal Resolution of Ethical Violations , or is not resolved properly in that fashion, psychologists take further action appropriate to the situation. Such action might include referral to state or national committees on professional ethics, to state licensing boards, or to the appropriate institutional authorities.
As the reader can see, the code does not explicitly address what to do when an Internet employer gives the clinician the willies. Instead, it refers the psychologist to the previous code section, which advises the clinician to speak to the potentially errant party to advise them. Clearly, this code section needs updating to include the possibility that the clinician in large Internet company enterprises valued at $4-10B isn’t going to stop sharing data if it meets the company goal of increased profits unless the federal government steps to protect consumers.
Along with the DOJ policy changes, the FTC’s BetterHelp investigation settlement clarifies pre-existing ambiguities about the risks of collecting, using, and sharing information that can identify an individual’s health.
- The stakes are high. Under the proposed consent order, BetterHelp must, among other things, pay a fine of $7.8 million and immediately halt sharing individually identifiable information with any third party for advertising or re-targeting.
- The Betterhelp investigation also requires the company to obtain affirmative, express consent before sharing any consumer’s personal information with a third party for other purposes.
- Now that the industry has been put on notice and associated policies have been tightened, company privacy statements in the future will continue to be a target for FTC scrutiny and discipline.
- Many ethical codes do not yet reflect the realities of companies intentionally sharing millions of patients’ sensitive health data with marketing and data brokerage websites. Until now, most clinicians may not have known what to do if an online employer’s policies made them uncomfortable. Asking ethical clinicians to simply leave these companies is not a reasonable, long-term solution, as these same companies are already positioned to dominate mental health service delivery worldwide.
- Clinicians may ask professional associations to address the issue in their upcoming ethical codes. They can request clear direction for clinicians offering services on the Internet through large employers who may be remiss in their healthcare consumer protections.
- It may also be time for clinicians working for companies engaging in questionable practices to consider requesting an FTC investigation directly. Millions of innocent consumers have already been compromised. If clinicians do not advocate for and police the Internet business interests already dominating our industry, who will?
- The FTC and DOJ are the best levers available to concerned professionals. Aside from exerting some control over clinicians, professional associations and licensing boards have no power over large Internet companies.
- Sun Tzu, the Chinese philosopher, and writer, said: “Wheels of justice grind slow but grind fine.” The question is, how many trusting, vulnerable people will be harmed while we wait?
In protecting patient data, the second of two FTC announcements of the BetterHelp investigation gave clear guidance for other companies in the industry. Telehealth.org has made it clear that it is time for clinicians to empower themselves to protect the privacy of vulnerable people seeking mental health services online.
Stay tuned; more is sure to come. Telehealth.org will keep you updated with relevant news. Meanwhile, your comments are invited below.