In response to the increased utilization of telehealth due to the COVID-19 pandemic, there has been growing concern over how telehealth vendors and practitioners protect and use health data. Policymakers and regulators have proposed or implemented policies to address the type of information collected, its usage, and the need for disclosure to patients. While privacy concerns over reproductive health information are part of this discussion, federal agencies have recently focused on the use of collected data for marketing purposes.

The Federal Trade Commission (FTC) has taken action against questionable data-sharing practices. In February, the FTC imposed a fine of $1.5 million on GoodRx for sharing consumer health data with third-party firms like Google and Facebook after the company had claimed that it would not share such data. The FTC deemed this behavior an “unfair and deceptive” practice. Similarly, in March, the FTC fined BetterHelp, an online therapy company, $7.8 million for sharing customer data with Facebook and Snapchat for advertising purposes. This included information such as customer email and IP addresses, health questionnaire responses, and therapy history. BetterHelp had previously assured patients that personal information would not be shared. The FTC found that these recent cases involved unfair and deceptive business practices and violated the FTC’s health breach notification rule, which covers entities that collect personally identifiable health information but are not under HIPAA.

Although there is no federal legislation yet to tighten laws on data collection and use, some regulatory agencies have noted that existing authorities allow them to take certain actions. For example, in December, the Office of Civil Rights issued a bulletin that expanded the definition of personally identifiable health information protected by HIPAA. This expanded definition includes email addresses, IP addresses, and geographic location information that can be linked to an individual. These pieces of information were likely not considered when HIPAA was created two decades ago, but they hold significant relevance today.