What Every Healthcare Founder Should Know Before Running Ads
I’ve been thinking a lot about how startups can stay out of regulatory hot water, and wrote about the FTC here and an overview of the governing bodies here. I also interviewed Omada Health’s Chief Privacy and Regulatory Officer on the Heart of Healthcare Podcast.
In this post, I asked one of my portfolio founders, Josh Schwartz of Phaselab, to go one step deeper and write a guide to healthcare data privacy, especially when it comes to running ads. Josh is a leading expert on digital analytics, who formerly served as CTO of Chartbeat. His company, Phaselab, is the first fully automated data privacy tool. They automatically map between your data policies and your technical stack to help startups continually identify and fix data gaps before they become compliance issues.
A CTO's guide to healthcare data privacy when it comes to running ads
When I was the CTO of Chartbeat, a leading analytics company, the most stressful day of my career was January 20, 2015. On that day, the Electronic Frontier Foundation (EFF) published an article detailing how Healthcare.gov, the US Government’s healthcare exchange website, was sending personal information to many of its partners, including us.
With no adverse intent from their team and no knowledge from our team, health information was being sent through to our systems. We scrambled to quickly identify and delete this data and put in patches so a situation like this couldn’t happen again. But a headline like this is something no company wants to read about themselves.
This situation highlighted something I’ve seen numerous times in my career in data — that it’s incredibly easy for organizations (even those as careful as the US Government itself!) to accidentally share information they shouldn’t with third parties, especially those in analytics and advertising.
In recent years, this has become a hot button issue for US regulators, with the Federal Trade Commission (FTC) and Department of Health and Human Services (HHS) jointly issuing fines to a number of healthcare startups for inappropriate disclosure of personal information to third parties. In addition to fines, the FTC and HHS warned more than 130 healthcare providers earlier this year about their use of tracking technologies, signaling the continued priority of this issue.
Needless to say, as a startup you do not want to get in trouble with the FTC or HHS. In addition to fines and other penalties, and in addition to bad press and loss of consumer trust, running afoul of the FTC typically means future oversight by them that will slow down every part of business operations for years to come.
In this article, I want to detail what exactly the FTC and HHS are concerned about, why it’s coming up for companies in digital health, some steps you can take to ensure you’re on the right side of the law, and some additional resources to check out.
IP addresses, URLs, and data transmission
Before we get into HHS and the FTC, let’s do a very brief technical interlude to talk through how data is typically transmitted to analytics and advertising partners.
When a user visits a website, any loading of third party code or resources (e.g. analytics services, A/B testing, advertising pixels) will necessarily send the IP address of the user to that third party, and it will typically also send the URL of the page the user is visiting.
If you use third party resources in a client-side application, it will transmit an IP address to that third party because IP addresses are fundamental to how communication happens on the internet.
Still with me? We’ll circle back to why this matters in just a minute.
HHS and FTC’s stance on digital health data
Given the focus regulators have on enforcing privacy requirements, they’ve produced a very useful guide on the issues they’re concerned about. Because the scopes of HHS and the FTC are different, we’ll treat them in turn.
HHS
HHS is specifically concerned about HIPAA-covered entities: providers, insurance companies, and clearinghouses. Whether you’re a HIPAA-covered entity is outside of my area of expertise, but there are detailed guides online to help you figure out your status. For entities that are covered by HIPAA, HHS has a few important guidelines to keep in mind:
First, HHS counts any identifying information, including a user’s IP address, as Personal Health Information (PHI) if it identifies that a user is a patient.
Second, HHS notes that many websites and apps identify users as patients based on the part of the application the user is on.
Putting those two together, if a user is logged into a part of your website or app that can only be accessed by patients, any record that they’ve visited that part of your website counts as PHI. Similarly, if a part of your website or app identifies that a visitor has a particular medical condition, a record that someone visited that page counts as PHI.
This is critical because the transmission of PHI from a provider to another organization typically requires that those companies have a Business Associate Agreement in place. You likely do not have a BPA in place with your analytics and advertising partners, which is where this gets dicey.
FTC
Now let’s turn to the FTC. Unlike HHS, the FTC has jurisdiction over all companies, not just healthcare providers. The FTC enforces the Health Breach Notification Rule (HBNR), which states that customers must be notified if their health data is subject to a breach — either through unauthorized access or through disclosure by the company itself. Leveraging what we’ve learned already from HHS above, that means that even a non-HIPAA-covered entity risks triggering the breach notification rule if it discloses personal health information to a third party like an advertising or analytics partner.
Beyond the HBNR, the FTC enforces the FTC Act, which covers unfair or deceptive practices in the context of commerce. The FTC interprets this to include companies that transmit health data to third parties in violation of their privacy policies. If a company doesn’t disclose that it’s sending PHI to, for example, an advertising partner, it’s potentially in violation of the FTC Act.
Read more in How to Keep Your Healthcare Startup off the FTC’s Naughty List (And a List of Those Who Didn’t)
Tread very carefully when it comes to the use of third party tools
Putting things together… if you’re a company that processes healthcare information — even if you’re not a provider under HIPAA — you should tread very carefully when it comes to the use of third party tools. While the scope of what you should look out for will vary based on your business, here are a few general suggestions:
Make sure you understand which parts of your product identify a user as being a patient, or collect health information.
For any such parts of your product, be very careful about which third party tools are used, especially if you’re a HIPAA-covered entity. It’s easy for third party tools to sneak into your stack under the radar — a marketer adding a retargeting pixel or a product manager adding analytics code might not trigger a privacy review, but this can have catastrophic results for your company. At a minimum, have a tight process for reviewing and approving new third party code. The current state of the art in the privacy world is the use of Content Security Policies to prevent the loading of unauthorized third party code, which provides a line of technical defense against accidental use of unapproved tech.
For any third parties you do use, make sure you have those parties fully documented in your privacy policy.
More resources
To see examples of recent FTC and HHS actions, read their releases about BetterHelp, GoodRx, and Premom.
For guidance from the FTC and HHS about these issues, take a look at the HHS guide for digital health and the FTC’s summary of their responsibilities.
Much of the reporting on these issues has been driven by The Markup and their Blacklight tool. Blacklight can also be a useful tool for monitoring which third parties your site uses.
For more on the technical aspects of Content Security Policies for protecting against unauthorized third party tools, see this recent talk.
Finally, if you’re looking for help tackling your organization’s privacy challenges or want to proactively keep your startup compliant, feel free to reach out to josh@phaselab.co, I’d be happy to chat anytime.