A Tale of Two Breach Notification Rules

By Matt Fisher, General Counsel, Carium
Twitter: @matt_r_fisher
Twitter: @cariumcares
Host of Healthcare de Jure, #HCdeJure

The early days of February 2023 saw two very different settlements announced related to healthcare data breaches. One arguably follows a well-known course and the other could be a sign of things to come.

New Kid on the Block

After having a health breach notification rule on the books since 2009, the Federal Trade Commission (FTC) had not actually pursued an enforcement action under the rule. The wait is now over. On February 1, 2023, the FTC announced a settlement with GoodRx due to allegations about improper use of healthcare data.

The settlement arose from GoodRx sharing a fair amount of the healthcare information that it collected with companies such as Google and Facebook for marketing purposes. The data could be shared to further target consumers based upon prior purchases.

While many companies likely engage in the exact same behavior, GoodRx created problems for itself by purportedly promising consumers that personal data would not be shared with advertisers or other third parties. Deceptive statements or not living up to self-established standards is a good way to draw the ire of the FTC.

Beyond improperly sharing the healthcare information, the FTC also alleged that the third parties were not restricted in how the data received could be used. That meant the recipient could build the healthcare data into its own databases and use it to influence how the recipient conducted marketing activities. It is highly unlikely that any consumer expected such use or would have wanted such use to occur.

A final item to highlight was GoodRx’s asserting that it complied with the requirements of HIPAA. According to the FTC, a seal making that claim could be found on GoodRx’s website. Given the nature of the allegations, it should be clear that GoodRx did not honor all of the aspects of the HIPAA Privacy Rule. Additionally, GoodRx may not even have been operating in a manner where it needed to comply with HIPAA, making the assertion self-driven. As with another basis for the settlement, telling consumers that a company is behaving in a certain way and then not actually doing it is a classic case of a false and deceptive business practice that falls within the FTC’s purview.

All of the alleged activity resulted in the following quite significant penalties and implications:

  • Payment of $1.5 million, with at least one FTC commissioner saying it should have been a lot more;
  • Permanent prohibition on sharing health information for advertising purposes;
  • Requirement to obtain affirmative express consent before sharing health information for other purposes;
  • Requirement to direct third parties to delete the health information that was improperly shared (the word “direct” is key there because it seems to acknowledge that GoodRx cannot force the other companies to delete, but it should put the other companies on notice that the FTC will likely pay attention to what response they take);
  • Limitations on how long personal and health information will be retained; and
  • Establishment of a comprehensive privacy program.

The list is fairly extensive, but the permanent prohibition on sharing health information for advertising purposes will probably have the biggest impact. Even if GoodRx gets express consent from a consumer, the advertising activity still cannot occur. It will be worth watching if that gets challenged at some point in the future.

The “Old” Standby

Not to be left behind, the Office for Civil Rights (OCR) announced a settlement for alleged HIPAA violations on February 2, 2023. The settlement was with Banner Health based upon a cyber attack that was discovered in July 2016. The resolution agreement, as is so often the case, is quite short on details. No information about the reported incident is included, only a listing of the HIPAA provisions that OCR felt were violated.

As a refresher, the incident began with a successful attack on the payment processing system of some food and beverage outlets, which enabled the attackers to ultimately wend their way through the system to patient data. The data breach previously resulted in a class action lawsuit that was settled for up to $6 million in payments to impacted individuals and other measures.

Back to the new resolution with OCR, it was alleged that the following HIPAA violations occurred:

  • Failure to conduct a required risk analysis;
  • Insufficient procedures to regularly review system activity records;
  • Failure to implement procedures to verify the identity of a person or entity seeking access to PHI; and
  • Insufficient technical security measures to guard against unauthorized access.

The list of alleged violations is actually relatively short compared to other resolutions that OCR has previously pursued. However, Banner was still forced to pay $1.25 million, which yet again reinforces the presumption that OCR bases the settlement amount on an organization’s ability to pay.

Arguably the biggest takeaway from OCR’s settlement is that it will likely take time (sometimes a lot of it) for incidents to be reviewed and assessed by OCR. As noted in the resolution agreement, Banner reported the breach to OCR in a fairly timely manner in 2016, but a settlement did not come until over 6 years later. That should create some discomfort for entities reporting big breaches. Just because a few years have passed, it doesn’t mean that the entity is out of the woods.

What Does It All Mean?

The concurrent settlements suggest that no matter how healthcare data are created or who uses them, a government agency will be monitoring what happens and how the data are protected. For some, it could be viewed as a welcome change since so-called non-traditional healthcare data has not received much enforcement attention. If the FTC and OCR will both pursue actions in their adjacent arenas, then it may be possible to drive conscientious use of healthcare information no matter the circumstance until new laws are passed that can readjust the landscape.

The bottom line should be that no matter the type of organization, it is imperative to carefully think about how to secure and protect the information being entrusted to the organization. Current regulations are either mandatory or can be a guide. Regardless of the situation, it is important to clearly understand how privacy needs to be respected and operationalized.

This article was originally published on The Pulse blog and is republished here with permission.