From 2016 to 2020, almost 50% of all FTC action on competition was in the healthcare sector, whereas less than 2% of their action on consumer protection was against healthcare companies. But we've already seen the FTC take more aggressive action in 2023. They came down hard on two companies for sharing sensitive consumer health information with other organizations and warned Amazon and One Medical that they would take action if they shared sensitive health data with each other.

There are three indicators that point to the FTC's willingness to take an even larger role here moving forward, a trend which brings long-term implications for new and incumbent stakeholders alike.

February 1st, 2023: The first time the FTC successfully acted against a company for violating the Health Breach Notification Rule.

Over a decade after the FTC first issued the Health Breach Notification Rule (HBNR), which requires health apps to inform users when there has been an infringement on their information, the FTC took action against GoodRx — and is also putting other companies on notice.

Samuel Levine, Director of the FTC's Bureau of Consumer Protection said the following regarding the GoodRx complaint: "Digital health companies and mobile apps should not cash in on consumers' extremely sensitive and personally identifiable health information … The FTC is serving notice that it will use all of its legal authority to protect American consumers' sensitive data from misuse and illegal exploitation."

This is likely the first action of many around HNBR now that the precedent for using it is established, especially considering how common it is for healthcare apps and companies to sell consumer data.

62: The number of new FTEs the FTC is requesting join its Bureau of Consumer Protection.

Lina Khan, current head of the FTC, has been clear about the administration's aggressive stance on both anticompetitive business practices and consumer protection and data privacy. The recent budget request states that the FTEs will help ensure compliance, rulemaking, and supporting enforcement investigations.

Although this is a request for the 2024 budget and not the final budget, the language shows that the FTC is serious about expanding its consumer protection reach — which we've already seen play out in the start of 2023 regarding sensitive consumer health data.

'The misuse of mobile location and health information – including reproductive health data – exposes consumers to significant harm': The FTC's post-Roe v. Wade statement, doubling down on protecting reproductive health consumer data that isn't covered by HIPAA.

HIPAA's health data protections have failed to keep up with the rapid growth of the health technology sector, but some regulative authority could come from the FTC. The Health Insurance Portability and Accountability Act (HIPAA) protects sensitive health information where health insurers and doctors are concerned, but it does not protect health data in apps or in written communication between individuals. This gap in protection is especially concerning in a post-Roe world, where prosecutors can access and use unprotected reproductive health data to enforce anti-abortion laws.

While the FTC has limited legal jurisdiction when it comes to protecting health data or changing legislation, the agency could pursue action against companies that deceive customers when it comes to privacy or buying and selling health data. In 2021, the FTC finalized a settlement requiring Flo Health Inc, a fertility-tracking app, to receive clear consent from consumers before sharing personal health data.

Nearly a third of American women using cycle tracking apps. We expect reproductive health data to become a bigger and more politically charged battleground for consumer protection.

Winners

• The FTC and Biden Administration: After limited success with blocking anti-competitive actions, the FTC has had some big wins on the consumer protection side while pushing the boundaries and setting new precedent in uncharted territory. The FTC tried and successfully settled its first case using the Health Breach Notification Rule. The administration also settled with Flo and BetterHelp for sharing sensitive health information with large technology companies.

Losers

• Big Tech, smaller tech vendors, and anyone else who makes money selling consumer data: Big tech already faces market entry barriers in the healthcare industry, and now it will face increased FTC scrutiny regarding compliance with patient data privacy rules. Smaller tech vendors will be caught in the crosshairs, where they will need to ensure alignment with FTC policy. This has the potential to decrease revenue, and also stunt innovation and disruption in an industry that has already been traditionally slow to adopt technology and data analytics when compared to other industries.

Somewhere in the middle

• Incumbent health plans and providers: All incumbent players will need to ensure they know where their data is going and how it is being used. They will need to complete even more thorough due diligence to properly vet their tech vendors, partners, and also any organizations they are considering merging with or acquiring. Additionally, more data protection enforcement could exacerbate existing data fragmentation among stakeholders by making it more challenging for stakeholders to share data laterally.
• Patients and Consumers: Patients are ultimately responsible for protecting their sensitive health data. They will need to be cautious about what information they are sharing and with whom. While consumers have the government watching out for them when it comes to data protection, they may lose out on the convenience or low-cost nature of health apps and platforms if some of these platforms are forced to shut down or start charging for their services.