On November 8, 2023, the Senate Health, Education, Labor and Pensions (HELP) Committee Subcommittee on Primary Health and Retirement Security discussed the impact of artificial intelligence (AI) on the healthcare sector in the Committee’s second AI hearing in nine days. The hearing comes as the White House and Congressional leaders seek to quickly respond to AI threats, mitigate its dangers, and harness its potential for American industry. Senators discussed the recent Executive Order issued by the White House to guide AI regulation and innovation across all sectors, including in the health and human services sectors.

Continue Reading Avoiding a Cautionary Tale: Policy Considerations for Artificial Intelligence in Health Care

Last week, the Office for Civil Rights (“OCR”) issued two pieces of guidance on the privacy and security of protected health information (“PHI”) when using telehealth services. One of the documents is intended to help health care providers explain to patients, in plain language, the privacy and security risks of using remote communication technologies for telehealth (the “Provider Telehealth Guidance”). The other provides tips to patients on how to safeguard their PHI when using video apps and other technologies for telehealth (the “Patient Telehealth Guidance”).

Continue Reading OCR Issues Guidance to Providers and Patients on Telehealth Privacy and Security

On September 14, 2023, the U.S. Department of Health and Human Services (“HHS”) published a proposed rule updating Section 504 of the Rehabilitation Act of 1973 (“Section 504”). The new rule entitled Discrimination on the Basis of Disability in Health and Human Service Programs or Activities(the “Proposed Rule”) is the first major regulatory update to Section 504 in nearly 50 years.  Section 504 prohibits discrimination against individuals on the basis of disability in programs and activities that receive Federal financial assistance (“FFA”) or are conducted by a Federal agency.  Section 504 covers all health care and human services programs and activities funded by HHS, from providers, like hospitals and doctors that accept Medicare or Medicare, to state child welfare programs, as well as Medicare Advantage Plans, and Medicaid Managed Care Plans.

Continue Reading HHS Aims to Strengthen Anti-Discrimination Rules for Disabled Patients in New Proposed Rule

On September 1, 2023, the U.S. Department of Health and Human Services, through the Centers for Medicare & Medicaid Services (“CMS”) issued a much anticipated and contested proposed rule that seeks to establish minimum staffing level requirements for nursing homes.  The proposed rule represents the first time the federal government has proposed comprehensive nationwide nursing home staffing requirements, although various states have already enacted their own staffing requirements.

Continue Reading CMS Proposes Minimum Staffing Requirements and Enhanced Facility Assessments for Nursing Homes

On July 21, 2023, the Department of Health Care Access and Information of the California Health and Human Services Agency released a Notice of Proposed Rulemaking (the “Proposed Rule”) with regulations that would implement new financial and ownership transparency requirements for skilled nursing facilities (“SNFs”) in California.

Continue Reading New Transparency Requirements for Skilled Nursing Facilities in California

On June 27, 2023, the Department of Health and Human Services (“HHS”) Office of Inspector General (“OIG”) issued a final rule (“OIG Final Rule”) that implements statutory provisions for its enforcement of the information blocking penalties created by the 21stCentury Cures Act (“Cures Act”) and assessment of civil money penalties (“CMPs”) of up to $1 million per violation of information blocking for certain individuals or entities subject to the information blocking requirements.

Continue Reading HHS-OIG Releases Final Rule Implementing Information Blocking Penalties

On July 25, 2023, the U.S. Departments of Labor, Treasury, and Health and Human Services (the “Tri-Agencies”) released long awaited proposed regulations (the “Proposed Rule”) and a Technical Release, which together propose new requirements for comparative analyses of nonquantitative treatment limitations (“NQTL”) under the Mental Health Parity and Addiction Equity Act of 2008 (“MHPAEA”).  On the same day, the Tri-Agencies released their annual report to Congress on implementation of MHPAEA, as required under the Consolidated Appropriations Act, 2021 (“CAA 2021”). 

Continue Reading New Proposed MHPAEA Rule Builds on NQTL Comparative Analysis Standards

On May 17, 2023, the Federal Trade Commission (“FTC”) announced an enforcement action (“Enforcement Action”) against Illinois-based Easy Healthcare Corporation (“Easy Healthcare”), which operates the Premom application, for allegedly violating Section 5 of the FTC Act and the Health Breach Notification Rule (“HBNR”). Easy Healthcare has developed, advertised, and distributed a mobile application called the Premom Ovulation Tracker (“Premom”) that allows users to input and track various types of personal and health information. In the complaint (“Complaint”), the FTC alleges that Easy Healthcare deceived users by disclosing users’ sensitive health data with third parties and failed to notify consumers of these unauthorized disclosures in violation of the HBNR. The proposed order (“Proposed Order”), which was brought by the U.S. Department of Justice on behalf of the FTC, imposes a civil penalty of $100,000 and prohibits Easy Healthcare from sharing user personal health data with third parties for advertising, among other requirements. As part of a related action, Easy Healthcare has agreed to pay an additional $100,000 to Connecticut, the District of Columbia, and Oregon for violating their respective laws.

Continue Reading FTC Announces Enforcement Action Against Ovulation Tracking App Premom

On January 19, 2022, the U.S. Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) published the Trusted Exchange Framework and Common Agreement (TEFCA) for health information exchange. The Trusted Exchange Framework established a set of non-binding, foundational principles for trust policies and practices to help facilitate exchange among health information networks (HINs). The Common Agreement under TEFCA developed the infrastructure model and governing approach for users in different networks to securely share basic clinical information with each other—all under commonly agreed-to expectations and rules, regardless of which network they happen to be in. TEFCA’s main goal is to encourage interoperability across the country by developing uniform policies and technical requirements to regulate data sharing and to ensure that all participants can access real-time health information. For a more detailed breakdown of the structure and function of TEFCA see Crowell’s previous post.

The development of TEFCA was mandated by the 21st Century Cures Act. In 2019, the ONC issued a Notice of Funding Opportunity and ultimately appointed The Sequoia Project, Inc. to serve as the Recognized Coordinating Entity (RCE). About a year after the long-awaited TEFCA publication, ONC held an event on February 13th, 2023 to recognize the first set of applicant organizations that were approved as qualified health information networks (QHINs). The approved HINs consist of CommonWell Health Alliance, eHealth Exchange, Epic TEFCA Interoperability Services, Health Gorilla, Kno2, and KONZA National Network. These six potential QHINs agreed to the same data sharing infrastructure, which allows them to connect to one another and enables their participants, including provides, payers, and public health agencies, to exchange health information nationwide. This first cohort of potential QHINs will undergo onboarding over the course of the year. The ONC plans to announce additional QHINs as they are approved by the RCE.

Since TEFCA participation is voluntary, the extent of its impact is limited by the number of entities that apply for QHIN designation. With widespread network participation, TEFCA is intended to:

  • allow networks to securely share and access data
  • make a core set of data available for networks under the Common Agreement
  • curtail the need for entities to join multiple HINs and agreements which will decrease costs and improve efficiency
  • create a common set of privacy and security requirements for HINs and IT developers to protect patient data

Crowell Health Solutions (CHS) recently hosted “Industry Views on the Trusted Exchange Framework and Common Agreement,” a podcast examining the advancement of information exchange governance in our healthcare landscape, the significance and potential impact of TEFCA, the participation of HINs in TEFCA, and the evolution of data sharing and interoperability in the next 10 years. While TEFCA is still in the early stages, CHS looks forward to tracking the progression of the framework and its impact on health information exchange.

To learn more about TEFCA, recent activities and future implications listen to Industry Views on the Trusted Exchange Framework and Common Agreement here.

On March 2, 2023, the Federal Trade Commission (“FTC”) announced an enforcement action against California-based online counseling service BetterHelp, Inc. (“BetterHelp”) for allegedly sharing consumers’ health information, including sensitive information about mental health challenges, for advertising purposes in violation of Section 5 of the FTC Act.

This latest enforcement action comes just one month after the FTC announced an enforcement action against GoodRx for allegedly violating Section 5 of the FTC Act and the Health Breach Notification Rule (“HBNR”). Where the GoodRx enforcement action marked the first time the FTC enforced the HBNR, the BetterHelp enforcement action similarly sets a new precedent for the FTC: This is the first FTC enforcement action returning funds to consumers whose health information was compromised by BetterHelp’s alleged misdeeds. The proposed order (“Proposed Order”) also sets out extensive requirements to prohibit BetterHelp from disclosing health information for advertising and misrepresenting its information sharing practices. The GoodRx and BetterHelp enforcement actions appear to be part of a larger effort by the FTC to monitor the practices of websites, apps, and connected devices that capture consumer’s sensitive health information.

The Complaint

According to the Complaint, BetterHelp offers online counseling services by matching users with BetterHelp therapists and facilitating counseling via BetterHelp’s various websites and apps. BetterHelp also offers specialized versions of its counseling services for people of the Christian faith, members of the LGBTQ community, and teenagers. To sign up for BetterHelp’s services, consumers must fill out a questionnaire that asks sensitive mental health questions, such as whether they have experienced depression or suicidal thoughts, have previously been in counseling, or take any medications. Consumers also provide their name, email address, birth date, and other personal information. In its press release on the enforcement action, FTC suggests that consumers are “pushed’ to provide this information by “repeatedly showing them privacy misrepresentations and nudging them with unavoidable prompts to sign up for its counseling service.” Consumers are then matched with a BetterHelp counselor and pay between $60 and $90 per week for counseling.

The Complaint alleges that in recognition of the amount of sensitive health information consumers provide, BetterHelp “repeatedly promised” to keep this information “private and use it only for non-advertising purposes such as to facilitate consumers’ therapy.” However, over a period of seven years from 2013 through 2020, BetterHelp purportedly “continually broke these privacy promises, monetizing consumers’ health information to target them and others with advertisements” for BetterHelp’s services. For example, BetterHelp allegedly shared its users’ email addresses and the fact they were in counseling with Facebook, which in turn identified similar consumers and targeted them with BetterHelp advertisements. BetterHelp also allegedly shared its users’ information with other third-party advertising platforms, such as Pinterest, Snapchat, and Criteo. These advertising efforts reportedly brought in “tens of thousands of new paying users, and millions of dollars in revenue” to BetterHelp. BetterHelp also allowed these third-party companies to use BetterHelp users’ information for their own research and product development, further evidence that BetterHelp failed to contractually limit how third parties could use consumers’ health information.

The Complaint also alleges that BetterHelp “failed to employ reasonable measures to safeguard the health information it collected from consumers.” BetterHelp is accused of not training its employees on how to properly protect user information when using it for advertising purposes and not overseeing its staff’s use of user information.

The Proposed Order

The Proposed Order imposes a $7.8 million fine on BetterHelp, to be paid into a fund, to refund consumers who signed up and paid for BetterHelp’s counseling services between August 1, 2017, and December 31, 2020. The FTC reports that this is the first enforcement action seeking to return funds to consumers whose health information was compromised. In addition to the monetary penalty, the Proposed Order prohibits BetterHelp from sharing users’ “individually identifiable information relating to the past, present, or future physical or mental health or condition(s)” with third-parties for advertising or re-targeting previous users. Further, the Proposed Order requires BetterHelp to:

  • Obtain users’ affirmative express consent before disclosing personal information to third-parties for any purpose;
  • Establish, implement, and maintain a comprehensive privacy program that includes strong safeguards to protect consumer information;
  • Direct third parties to delete the consumer health information and other personal information that BetterHelp revealed to them; and
  • Limit how long BetterHelp retains personal and health information according to a data retention schedule. 

Takeaways

Digital health companies and other companies that operate websites, apps, or connected devices that capture consumer’s sensitive health information should take heed of the FTC’s enforcement actions against both BetterHelp and GoodRx. As evidenced by the BetterHelp enforcement action, companies must safeguard user information and not endeavor to leverage this information for advertising opportunities in violation of promises made to consumers. The BetterHelp enforcement action also underscores the need for appropriate user notification mechanisms to obtain user consent before disclosing their information to third parties. Further, companies should recall from the GoodRx enforcement action that even companies that are not subject to the requirements of the Health Insurance Portability and Accountability Act could still be subject to the HBNR. While the FTC did not allege violations of the HBNR by BetterHelp, further enforcement action could still be looming.

The BetterHelp enforcement action is especially noteworthy as it is the first time the FTC has endeavored to redress consumer injuries for those whose sensitive health information was inappropriately used and disclosed. This is the FTC’s second “first” in the area of health information enforcement in the span of just one month, so companies should be on the lookout for more to come.

For more information or advice regarding this enforcement action or data privacy issues in general, please contact the professional(s) listed below or your regular Crowell & Moring contact.