New Enforcement Actions Are a Wake-Up Call For Digital Health

  • The FTC recently punished two digital health companies that it claims shared patient PHI with advertising platforms like Google
  • Some commonplace digital marketing strategies are permissible outside of healthcare, but aren’t HIPAA-compliant
  • Many of the alleged violations are avoidable, and it’s still possible to run effective digital marketing without compromising PHI

Digital health companies already face a tough marketing environment: Costs are high and competition is stiffer than ever. In recent months, the threat of legal jeopardy has added even more complexity to their growth efforts. 

In the past, the nexus of digital marketing, direct-to-consumer (DTC) digital health, and healthcare privacy had prompted some media scrutiny—but little in the way of legal intervention. That is, until recently. 

In Q1 2023, the Federal Trade Commission (FTC) announced back-to-back enforcement actions against GoodRx and BetterHelp based on how they collected and shared potential protected health information (PHI) with advertising platforms like Meta and Google. Companies were fined millions of dollars, and many believe this is just an opening salvo.

This reckoning shouldn’t come as a surprise, nor should it shock brands into backing away from digital marketing entirely. Instead, it should be welcomed as a call to action. Digital health needs to take a hard look at its marketing practices and commit to compliant data collection and targeting strategies. 

In this blog, we’ll outline the marketing practices that drew the government’s ire and we’ll explain how digital health companies can continue to market effectively without running afoul of policies meant to protect patients’ privacy. 

Looking into Alleged HIPAA Violations 

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996—but despite updates and amendments, legislators and enforcement bodies have been badly outpaced by digital health and digital marketing technology. They’re starting to catch up, however, and digital health marketers are rightly concerned.

When the FTC levied its action against GoodRx in February, 2023, it highlighted several practices that it claimed violated HIPAA’s Health Breach Notification rule:

  • Sharing PHI with Facebook, Google, Criteo, and other companies
  • Using PHI, including personal and medication-specific data, to target users with advertising based on user lists it compiled
  • Failing to limit third-party use of said PHI by allowing those third parties to “use that information for their own internal purposes”
  • Misrepresenting its own HIPAA compliance by “displaying a seal at the bottom of its telehealth services homepage falsely suggesting to consumers that it complied with [HIPAA]”
  • Generally failing to protect PHI, stating that the company had “no sufficient formal, written, or standard privacy or data sharing policies or compliance programs in place” prior to 2020

This may have alarmed many in the industry, given that a few of these actions are pretty run-of-the-mill digital marketing behaviors. Some things that companies may not think are PHI on the surface—like whether a user visited a landing page with a condition name in the URL—can become PHI when synthesized with other data (like their name or IP address). When that data is transmitted to a tech company like Meta or Google (which specifically declares that some services are not HIPAA compliant), the FTC argues that it constitutes a breach.

But there are ways to avoid these situations entirely using existing techniques and settings. Forward-thinking digital health companies are already building programs that are both compliant and capable of still delivering powerful marketing results. 

Many of the Alleged Violations are Avoidable

While scrutiny of these actions may hit close to home for many advertisers in the space, the issues can typically be avoided to enhance patient data security without sacrificing marketing power. 

Pixels Can Be Customized to Avoid PHI

Both high-profile press articles and the FTC filing against GoodRx pay particular attention to tracking pixels, the snippets of code that companies place on their websites to transmit relevant user and behavioral data to advertising platforms like Google and Meta. 

Brands can customize what data their pixels track and transmit, meaning that the sharing of PHI via pixels can and should be prevented. In GoodRx’s case, they allegedly configured their Meta pixel to automatically share information like first and last name, email address, phone number, zip code, city, state, and gender. That’s simply too much information for a digital health company to be using for marketing, and it’s avoidable. Pixels can also be set to require consent, meaning brands can easily notify users of the presence of a pixel and allow them the ability to still opt-out of any data collection, even if it’s non-PHI.

Labeling and URLS Matter

Another major area of focus for the FTC may seem innocuous at first blush: the naming conventions and URLs used in marketing campaigns. But according to the FTC, GoodRx’s Facebook pixel was configured so certain URLs embedded the very PHI—like names and email addresses—that it should not have been collecting in the first place. Worse, their site URLs already contained the drug names (such as “Lipitor”), and conversion actions that indicated a patients’ order (“30-day supply” for instance). 

By failing to limit what data their pixel could collect and combining that with data that clearly labeled drugs and conditions by name, they were sending a holistic and invasive amount of information to the advertising platforms. This indicates that brands and advertisers should create distinct labeling systems that anonymize any condition, treatment, or symptom data—in URLs as well as in their audiences, campaign names, and conversion labels.

Transparency is Vital

A lack of transparency is central to the criticism aimed at the industry. The Markup’s investigation found that the privacy policies employed by many leading telehealth companies suffer from “inscrutable language” that makes it “difficult for consumers to know what data would qualify as protected, and when.” Others, they found, promise HIPAA compliance without any verifiable backing for that claim, and despite the presence of pixels on their websites that may have been transmitting PHI to noncompliant entities like Meta and Google. 

Misrepresentation can have consequences. One of the allegations levied by the FTC against GoodRx was that the company misrepresented its adherence to the Digital Advertising Alliance’s “Sensitive Data Principle.” The agency, based on the charges laid prior, found that to be untrue—and thus a punishable offense. 

It’s paramount that digital health companies take every step to avoid transmitting PHI, and to craft clear privacy policies that accurately represent those efforts. It seems like a no-brainer, but health brands shouldn’t be making statements they can’t prove. And a failure to understand the capabilities of current digital marketing technology will not be treated as a defense or excuse. 

Platform Changes Could Also Be on the Horizon

When it comes to protecting patient health data, the onus is on everyone in the field to adapt and be better. That includes digital health companies, advertisers, and even the big tech platforms—who currently exist in a gray area. Companies like Google and Meta haven’t spent much time in the federal crosshairs yet for facilitating invasive practices. But that could be changing, too.

In late 2022, Meta was hit with a class-action lawsuit on behalf of California patients whose hospital was found to have a Meta pixel on their patient portal page. The federal judge in that case seems skeptical of Meta’s “well, we told you not to give us health info” defense. The judge said that they think “it’s a big problem that there is not a specific consent for health data,” and that Meta’s generalized disclosures don’t go far enough in clearly alerting users as to what information their pixels collect. 

Legal challenges could encourage major digital marketing engines like Meta and Google to implement stricter platform-level safeguards—or even bar health advertisers from utilizing certain marketing features. That would be yet another curve that would force digital health brands to adapt their marketing approach. It’s vital that DTC health brands remain aware of the changes that could be on the horizon. 

An Expert Marketing Partner Can Help You Stay Compliant

All of these new considerations may seem daunting. If your team keeps itself informed and willing to adapt, however, they don’t have to be. Working with a marketing partner that’s fully immersed in the field can help, too.

ADM is the growth agency for digital health, and that means compliance is front-and-center to our efforts. Everyone on our team is trained to adhere to the strict standards necessary to protect PHI. Account managers know what audiences can and cannot be used, along with how to name audiences, campaigns, and conversion events in an anonymous manner. Our Data and Analytics team also offers HIPAA Compliance Checks on analytics and tagging infrastructure to ensure that no PHI is being sent to ad platforms. 

We’re always monitoring the latest technological and legal developments that impact our clients’ ability to run successful marketing programs. Rather than a mortal threat to the industry, we see them as an invitation to continually innovate better strategies that help our digital health clients flourish while remaining compliant. 

If you’re concerned about the state of your brand’s digital marketing practices, or just want to learn more about staying compliant in a rapidly-shifting landscape, don’t hesitate to reach out to us.

DISCLAIMER

Nothing in this blog should be considered legal advice. This content is for informational use only. Health marketing policy is also evolving quickly, and this blog may not have been updated to reflect any new developments relevant to the situation. If you require legal advice about any of the matters discussed here, we recommend seeking a healthcare privacy attorney.