Protecting Patient Data; not just PHI

Telehealth is nothing new now, but think back to before COVID-19! In March 2020, the majority of behavioral health practitioners were thrown into the deep end of the pool and had to learn to swim. Now we must face the increased interest in how telehealth vendors and practitioners protect and use health data. Policymakers and regulators must propose and implement policies to address the type of information collected, how it is used, and what needs to be disclosed to patients (informed consent). While part of this discussion is related to concerns over the privacy and protection of reproductive health information, several recent actions taken by federal agencies have focused on the use of collected data for marketing purposes.

The Federal Trade Commission (FTC) has already taken action against dubious data-sharing practices. In February 2023, the FTC imposed a fine on GoodRx after discovering that the company had shared consumer health data with third-party firms such as Google and Facebook after it had said it would not share such data. GoodRx was fined $1.5 million, and the FTC deemed its behavior "unfair and deceptive" practices.

Similarly, in March, the FTC fined BetterHelp, an online therapy company, for sharing consumer data for advertising purposes with Facebook and Snapchat. Customer email and IP addresses, health questionnaire responses, and whether or not customers had been in therapy before were shared after BetterHelp had told patients it would not share personal information. The fine imposed on BetterHelp was $7.8 million. The FTC noted that these were unfair and deceptive business practices, as well as violations of the FTC's Health Breach Notification Rule, which covers entities that are not under HIPAA but still collect personally identifiable health information.

Last December, the Office for Civil Rights issued a bulletin that expanded the definition of personally identifiable health information protected by HIPAA. This expanded definition included email addresses, IP addresses, and geographic location information that can be tied to an individual. These are all pieces of information that were likely not considered when HIPAA was created two decades ago but hold significant relevance today, when online corporate therapy groups such as BetterHelp are dominating the counseling scene. Furthermore, the use of mental health apps and artificial intelligence must face the same scrutiny.

Protection of patient data provided online is still a developing area, so we can expect to see more action at both the federal and state levels as policymakers struggle to catch up with what data needs protection and the best way to go about it. In the meantime, practitioners must look into their own data collection methods and determine whether they are, even inadvertently, contributing to the problem.
