Putting Digital Health Privacy in Perspective: Is the Controversy Warranted?

  • Recent reporting and federal penalties have put digital health marketing in a negative spotlight
  • Digital health companies can help fill in the gaps of the traditional healthcare system, but they need marketing to grow
  • While scrutiny is warranted and reforms are needed, the issues at stake apply to all of healthcare—not just the new and disruptive forces in the industry

Digital health is an increasingly vital and transformative force in our patchwork healthcare system. Many of the companies under its umbrella do groundbreaking work that advances access and quality of care. The field is growing fast: While the industry had been on the rise throughout the decade prior, public awareness and utilization skyrocketed during the COVID-19 pandemic. That led to a groundswell of investment, innovation, and new competition. 

With all this momentum, some scrutiny was inevitable.

In December 2022, a collaborative investigation conducted by STAT and The Markup made an eye-popping assertion. Out of 50 telehealth companies whose websites they examined, the article claimed that 49 were collecting potential protected health information (PHI) and sharing it with advertising platforms like Meta and Google. 

Within the next few months, those sorts of accusations weren’t just being leveled by the press. Earlier this year, the Federal Trade Commission (FTC) accused online pharmacy GoodRx and teletherapy provider BetterHelp of similarly sharing data with third-party tech platforms. The agency reached settlements with both, which included fines and other penalties—in GoodRx’s case, that even meant a ban on certain marketing practices. 

As I wrote previously, this newfound media and legal scrutiny should serve as a major wake-up call for digital health. But many of the privacy concerns raised are endemic throughout the wider healthcare industry, reflecting a need for larger conversations and policy changes. Providers, marketing platforms, and regulators need to find new standards that protect PHI without sacrificing the transformative innovation that digital health provides. And most of all, it’s imperative that this moment not turn into a total rebuke of digital health.

Digital Health Is a Growing Necessity

Digital health refers to a class of companies that offer care, medical devices, prescription drugs, and other services digitally, in ways that either augment the traditional healthcare market or bypass it. This subcategory sprang up, in part, because the traditional healthcare industry has been slow to modernize and difficult to navigate.

By harnessing the power of high-speed internet, smartphones, and billions in seed funding, innovative minds set about building healthcare experiences that offer directness and simplicity that brick-and-mortar health institutions simply can’t match. Connecting with a telehealth provider can cut out the intimidating, confusing process associated with finding in-network care through traditional provider networks. Polling finds that patients overwhelmingly prefer telehealth visits for routine care functions. 

These digital health providers do great things. They enhance care and monitoring of chronic conditions without adding more office visits. They can help cut wait times by allowing patients to connect with a wider pool of providers than may exist in their local area. They make it easier for those who may have mobility issues, or a condition they find embarrassing, to seek professional care. They bring more competition, lower prices, and better availability to the prescription market.

The decentralized nature of these services is a double-edged sword. Without physical locations, digital health brands don’t gain a patient base just by being down the street. To succeed, they need to market aggressively, and they’re competing against not just each other, but also traditional models of care. These realities have made digital marketing central to digital health. 

Regulations Weren’t Ready for Digital Health—Let Alone Digital Marketing

In this hyper-competitive landscape, digital health has embraced the same digital marketing tools that have helped other industries flourish. Those include tracking pixels, demographic targeting, remarketing based on website actions, cross-channel marketing, and more. For brands, these techniques have been a boon—though many may not understand the technology well enough to understand how it could be used in ways that violate a web of ever-evolving PHI laws.

The primary law protecting PHI—1996’s Health Insurance Portability and Accountability Act (HIPAA)—was written with no concept of digital health, let alone the future potency and specificity of digital marketing. As pointed out in a great Axios piece on this subject, that law passed Congress more than a decade before the first iPhone hit the market. 

The FTC’s punishments center around its Health Breach Notification Rule, one of many patches lawmakers and agencies have since attempted to paste over HIPAA’s many gaps. The Rule gives the FTC the power to assess civil penalties on providers who fail to notify patients that their data has been breached. 

That rule has primarily been enforced in response to cybersecurity attacks against providers, but its language has never ruled out punishment for data sharing done by providers themselves. When the Notification Rule was created in 2009, however, paid social ads and search engine marketing were hardly the fully realized forces they are today. Facebook’s ad suite had only launched two years prior, and Google’s advertising revenue is now ten times higher than it was then. Once again, technology outpaced regulation, and the rule provided little enforcement against marketing-related PHI sharing.

In 2021, however, the FTC indicated a shift: it would take specific aim at digital health, announcing that “incidents of unauthorized access, including sharing of covered information without an individual’s authorization, trigger notification obligations under the Rule.” 

Health Privacy Concerns Extend Far Beyond Digital Health 

The enhanced scrutiny that direct-to-consumer (DTC) digital health companies face today is no surprise. The sector’s popularity and momentum make it an easy target for criticism, and they also force the government to try to play catch-up and make examples out of violators. But the volume of this conversation should not obscure the harsh reality that patient data is at risk after any medical interaction right now. 

The Department of Health and Human Services (HHS) is another federal agency that owns some HIPAA enforcement. Its Office for Civil Rights (OCR) compiles all known health data breaches on its site, putting the scale of the problem into perspective. Every day, thousands of patients have their PHI compromised in breaches of brick-and-mortar health systems or B2B tech providers. These range from simple human error—unintentional disclosure, or even a misplaced laptop that contained electronic health records—to malicious and intentional acts, like hacking incidents and malware attacks. 

Incidents also range in scale, from small lapses that expose a few dozen patient records all the way up to breaches against major hospital systems that impact hundreds of thousands. Cerebral—another direct-to-consumer digital health company under federal scrutiny for marketing (and other) behaviors—is on the list. It’s just one of more than 20 breaches in the last two years that allegedly impacted more than a million individuals.

Simply put: American healthcare does a miserable job protecting patient privacy. It’s an industry that was wholly unprepared for its march into digitization over the last two decades. At the very least, marketing data transmitted to a black box at Google may be less likely to result in more grievous harm to the patient, like identity theft—often the motivation behind hacking incidents against health systems. 

And it isn’t as if brick-and-mortar healthcare has disavowed the same marketing behaviors that its digital counterparts are being punished for. The summer before The Markup and STAT published their investigation of telehealth websites, they looked at the websites of the top 100 hospital systems in the US. They found that a third of them were also collecting patient data via Meta pixels, and a number of them even had the pixels installed within their patient portals. 

Digital Health and Digital Marketing Will Innovate—But They Need Support 

These companies aren’t trying to deceive or prey on patients. They’re trying to provide great services that expand access to care and improve patient outcomes. Taking matters into their own hands, some brands have already begun to proactively self-report breaches based on their own past use of tracking pixels. 

But at a certain point, one has to wonder how many mea culpas need to happen before this is confronted at a systemic level. GoodRx was punished for actions it allegedly committed in 2020, prior to the FTC’s updated enforcement threat in 2021. Companies may be left unsure whether they broke any rules, or whether self-reporting past use of ubiquitous tools will save or destroy their reputations.

What’s apparent is that this isn’t exclusively on digital health companies to fix. Healthcare at large does a poor job protecting patient data; regulators have been slow to confront evolving technological concerns; and tech platforms have been trying to have it both ways. If digital health companies are going to develop practices that surpass the dismal cybersecurity standard found throughout the rest of the healthcare industry, they’re going to need clear guidance and understanding from regulators as well as better safeguards from ad platforms.

For marketers in the digital health space, that work is already underway. While many of the methods under scrutiny are considered bedrock digital marketing strategies, they can be altered or avoided to better protect PHI. There are also highly effective digital marketing approaches—like health-compliant programmatic targeting, contextual ad placements, and paid search—that deliver results without the use of tracking pixels.

If this feels like a fraught time in the industry, it should. We may only be at the very beginning of this saga. But digital health and digital marketing both emerged as major societal forces specifically because of how well they innovate solutions to complicated modern problems. I have no doubt that our industry will continue to build life-changing tools that democratize care while better protecting patient privacy. 


Nothing in this blog should be considered legal advice. This content is for informational use only. Health marketing policy is also evolving quickly, and this blog may not have been updated to reflect any new developments relevant to the situation. If you require legal advice about any of the matters discussed here, we recommend seeking a healthcare privacy attorney.