A recently announced settlement with online alcohol addiction treatment service Monument Inc. demonstrates the Federal Trade Commission’s (FTC) continued focus on the use and disclosure of health data. The proposed settlement follows a string of FTC enforcement actions in this space, including those involving health companies GoodRx and BetterHelp. If approved, the stipulated order would prohibit Monument from disclosing users’ health information for many advertising purposes.

The complaint alleges violations of the FTC Act and the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA), which permits the FTC to seek civil penalties for unfair or deceptive acts or practices with respect to any substance use disorder treatment service or substance use disorder treatment product.

While many of the remedies obtained are not unlike those in similar FTC actions, the case against Monument highlights the FTC’s willingness to invoke additional authorities to obtain civil penalties, in this case under OARFPA. The case also provides some practical reminders with respect to integrating certain technologies into a company’s website and the precise nature of how information is shared with third parties. Finally, while this case did not involve claims under the FTC’s Health Breach Notification Rule, given that the FTC recently announced amendments to that rule that vastly expand its scope, it is unlikely that FTC actions against digital health companies will be slowing down anytime soon.

Complaint Allegations

Representations about privacy practices and HIPAA compliance

The FTC’s complaint alleges that Monument mispresented both the company’s compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the extent to which it would keep individuals’ information private. For example, the complaint alleges that Monument marketed itself in online advertisements as providing “anonymous” and “confidential” services but then made, according to the FTC, contradictory statements in its privacy policy by stating that the company may disclose users’ personal data to various third parties, including for marketing purposes.

The FTC also took issue with Monument’s representations that it was “fully HIPAA compliant,” which the FTC says was deceptive given that a third-party assessor hired by Monument found various gaps in the company’s security practices and overall HIPAA compliance.

Disclosure of health information to third parties

The FTC alleged that the company shared users’ sensitive health information with advertisers through pixels and application programming interfaces (APIs) that were integrated into the Monument website. The complaint highlights technology that tracks a user’s interaction with Monument’s website, and in particular the use of descriptive titles for “Custom Events” that could reveal details of a user’s health status. For example, the FTC alleges that Monument disclosed users’ email addresses, IP addresses and other identifiers along with a Custom Event titled “Paid: Weekly Therapy” that would reveal that a user signed up for the company’s services and engaged in weekly therapy.

As in BetterHelp, the FTC complaint also addresses the use of hashed email addresses in disclosures to third parties. A hashed email address converts an email into a sequence of letters and numbers that renders it indistinguishable from the actual email address. However, while this is a security precaution (the actual email addresses cannot be discovered in transit), the FTC complaint makes clear that this does not render the email address anonymized because the third party may still be able to use the hashed email addresses to re-identify the individual on its platform and target the individual for advertising purposes.

Overall privacy program compliance

The complaint alleges that Monument engaged in various practices that failed to prevent the disclosure of users’ health information via third-party technologies. These practices, which it challenged as unfair, include failing to:

• Audit and assess privacy risks of third-party tracking technologies before incorporating them into its website
• Obtain users’ affirmative express consent to disclose their health information to third parties for advertising purposes
• Contractually limit third parties from using users’ health information for their own purposes
• Internally track the personal information, including health information, it collected from consumers via tracking technologies

The Proposed Order

Among other remedies, the proposed stipulated order:

• Prohibits the company from disclosing users’ health information for many advertising purposes.
• Requires the company to obtain affirmative express consent prior to disclosing health information for other (non-advertising) purposes.
• Prohibits the company from misrepresenting the extent to which it collects, maintains or uses personal information; the purpose for which it discloses personal information to another entity; and the extent to which a customer can maintain privacy or confidentiality when using Monument’s services.
• Requires the company to identify all third parties that accessed, received or acquired covered information from Monument and identify what covered information was disclosed to each third party.
• Requires the company to implement and maintain a comprehensive privacy program to protect individuals’ information.
• Imposes a $2.5 million civil penalty, although the penalty is suspended due to the company’s inability to pay.

Key Considerations

The settlement raises several considerations for any organization that collects health data:

• Is your messaging about privacy practices accurate and consistent? If you are an organization that collects users’ health information (interpreted broadly), the language in your terms of service and privacy policies should align with other affirmative statements (in marketing materials or elsewhere) that your organization makes. Disclosing in your privacy policy that you collect and share personal information may not be enough. Be particularly mindful of claims around HIPAA compliance, and make sure you have the documents and controls to back them up.
• Is your shared data truly anonymous? Just because hashing is an irreversible cryptographic method does not mean a third party cannot still identify an individual with a hashed value. Review your third parties’ terms and privacy policies to understand how they might be able to use data you send them and associate it with data they already maintain.
• Are you monitoring and tracking data flow from the user to you, and from you to any third party? The complaint alleges that Monument failed to inventory the health information it collected via tracking technologies and disclosed it to third parties. Your organization should be able to identify what data you collect from consumers and in turn what data you are sharing with third-party tracking technologies.

• Do you understand your third parties’ terms of service? The complaint lists examples of general terms of service that permitted third parties to use data provided to them to improve the third parties’ own products and services. If your organization uses third-party tracking technologies, determine whether it’s possible to specify the terms of data use in your specific contracts. If the third party’s terms of service state that data provided to the third party may be used to improve the third party’s own products and services, consider providing notice of (or even obtaining your users’ affirmative consent to) such use.

[View source.]