The Federal Trade Commission’s recent actions against the digital behavioral health providers Cerebral and Monument are an expensive and very public reminder to all behavioral health providers to take caution when using digital tracking and other ad-tech tools.
In April, the FTC released several complaints and orders, including fines and stipulations, to settle allegations about how the companies handled patient data in their online advertising work. However, the most precise lesson learned by the FTC action isn’t so much about how the company’s handling of the data as it is about how the company portrayed its privacy and data sharing practices to customers.
“The FTC isn’t charged with regulating how a behavioral health company or any other business safeguards data per se,” Valerie Breslin Montague, a healthcare partner and certified information privacy professional/United States (CIPP/US) at the law firm Nixon Peabody LLP, told Behavioral Health Business. “The issue here is that the public statements and other statements to consumers regarding how these organizations will use and disclose the data were either not fully accurate or were misleading.”
The responsibility to oversee privacy rules — the most widely known and applicable being Health Insurance Portability and Accountability Act of 1996 — lies with the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS).
Monument and Cerebral were both alleged to have violated provisions of two laws: Section 5 of the Federal Trade Commission Act and the Opioid Addiction Recovery Fraud Prevention Act of 2018. Both prohibit “unfair or deceptive acts of practices.” Cerebral based the additional allegation of violating the Restore Online Shoppers’ Confidence Act on “negative option” practices related to subscription fees.
Other regulators have not taken action specific to these companies’ handling of personal data. However, the complaints detail, with breadth and specificity, data and privacy practices that raised eyebrows. At least within the scope of the FTC’s work, enforcing these provisions about truthful representations to consumers is meant to ensure that consumers have an accurate and fair opportunity to assess whether or not they are OK with how companies use their personal information, Montague said.
How providers can avoid FTC scrutiny
All behavioral health organizations that the FTC would otherwise regulate are subject to these laws, but some nonprofit organizations are not. So, the fact that the two organizations the FTC took action against are telehealth-only providers belies the impact these actions could have on the industry.
It is also clear that the FTC intends to send a signal about data sharing and privacy practices. In a blog post, the FTC said it intended to send a “loud-and-clear message” that the agency “won’t back down” regarding health data protections.
“Make sure any public-facing statements — whether that’s a website, privacy policy, advertising materials, terms of service or other agreements with their patients or potential patients — are accurately describing how the organization will use and disclose and protect data,” Montague said.
This needs to be an ongoing process. As companies grow or otherwise change, the practices detailed in public-facing materials may no longer be accurate, Montague added.
Montague also noted the especially sensitive nature of the type of care and conditions relevant to these companies.
So, no more marketing? Not quite
These actions signal the wrong use of digital marketing tools and third-party advertising partners. Further, the OCR has taken note of these practices and sought to clarify the correct use of these tools.
On March 18, OCT released a bulletin that restated the office’s assessment of the privacy protections detailed by HIPAA in the context of digital tracking technology.
At the heart of it, any tracking efforts must distinguish and separate protected health information from other identifying information, Richard Briddock, chief strategy officer of Cardinal Digital Marketing, told BHB.
“What you can’t do is provide any health context [related to a] conversion when you send it back” to an advertising partner, Briddock told BHB. “The way that we perceive the guidance from HHS is that you can send all the personal information in the world that you want to these platforms, as long as you’re not sending any health context.”
HHS and OCR also require that providers covered by HIPAA and their digital marketing partners have business associate agreements (BAAs) in place.
Still, balancing all of the privacy rules and trying to make the most of digital marketing tools sets up “an imperfect system,” especially on digital platforms where ads and marketing are seen as relevant and effective such as Facebook, Google search or other ad-tech platforms that place ads online.
Whenever in doubt, simply removing tracking technologies is a necessary first step. Immediately, that may eliminate being a target for regulators and may spare a company from being a target for litigation.
Outside of behavioral health, Chicago-based Aspen Dental was sued in February over its alleged use of third-party marketing partners. The plaintiffs are seeking class certification.
There is some degree of “wiggle room,” Briddock said, when people click on ads, even if they click for a service that is exclusively dedicated to behavioral health services and may identify what HHS calls “future health, health care, or payment for health care.”
In that context, the patient is representing to the ad platform that potential health information is not a covered entity, Briddock notes, adding that this “technicality” might not remain in place in the future. The current focus on health privacy may eventually merge into the increasing antagonism toward tech giants that base their revenue on targeted ads and marketing. Internationally, digital advertising is under greater scrutiny after sweeping laws meant to protect privacy and commerce have come into effect.
“What is acceptable within the guidance today may change in the future,” Briddock said. “They could get more draconian in the future.”