August 2023

Why Is the FTC Worried About Your Medical Data Sharing? 

For twenty years, our healthcare technological processes have improved, helping streamline major systems and patient care. Of course, using these systems is not without some growing pains. While patients assume and trust that HIPAA protects the confidentiality of what they share with their doctors or hospitals, protection for patient data stored online and in apps is far from being reconciled or enforced.

For the past few years, the question of exactly whose job it is to make sure health and wellness platforms are using data responsibly has fallen through the cracks. In the time it’s taken to begin to regulate data usage, the technology has exponentially outpaced any efforts. And now, platforms like ChatGPT that don’t even fall under a health or wellness HIPAA umbrella can pretty accurately infer someone’s medical status if they decide to ask it health questions. Also long outside the scope are wearable wellness trackers that collect data on everything from heart rate, activity levels, weight, sleep patterns, and diet to ovulation and pregnancy. Pregnancy as a life event is typically a time of the biggest changes, making pregnant people the most desirable demographic for marketers to target.

Also of note is the sharing of data from mental wellness apps, often targeted towards teens. Many of these apps have been sued or reprimanded for selling teens prescription drugs without proper consultation or follow-ups. In another example, a chatbot used on a suicide prevention site (which is now the national suicide hotline 988) was learning from users, and that data was being used to strengthen customer service chatbots on retail sites.

This year it has been the FTC cracking down on digital health platforms and expanding the language in HIPAA to apply to medical data being mined across all platforms. Most notably, the FTC sued GoodRx for sharing medical data with Meta, Google, and most of the other majors through pixel trackers. These pixel trackers are often embedded in a “submit” button or something similar, and in the case of GoodRx they enabled Facebook to connect individual profiles with prescriptions and then advertise accordingly. GoodRx countered, and unfortunately they aren’t wrong, that the same pixel trackers are often in the software hospitals use to collect and store what should be HIPAA-protected information. Often hospital systems aren’t aware of the trackers in the software they’re using.

In response to the growing array of patient rights violations through data collection, the FTC is proposing changes to its “Health Breach Notification Rule, that would clarify its ability to regulate digital health companies and their use of health data.” Currently almost no major data collector is concerned about the FTC or anybody else suing, but this proposal is almost a warning that that can change soon.

According to STAT News, “I almost feel like the FTC is saying ‘fine, we’ll do this,’” said Proctor. “We didn’t want to be the people coming in and hitting people over the head with this. We really thought that by now something else would make the federal government act.”