The trend: The Federal Trade Commission (FTC) is investigating how digital health companies are protecting health data. It’s targeting advertising practices with social media platforms—but also looking for any inferred or explicit promises to keep that data private.

How we got here:

• In February, the FTC fined GoodRx $1.5 million for sharing users’ personal health data with social media platforms like Facebook and Google. FTC commissioners also issued a joint statement on Amazon’s acquisition of One Medical that warned the entities against using patient health data for advertising purposes, despite explicit statements to consumers that wouldn’t happen.
• In early March, Teladoc-owned BetterHelp was hit with a $7.8 million fine based on data sharing with social media platforms for advertising purposes—and for statements that the patient’s data would remain private between the patient and an assigned counselor.

Why it matters: The FTC doesn’t have jurisdiction over HIPAA violations. It enforces Section 5 of the FTC Act, which prohibits “deceptive acts or practices . . . relating to the privacy and security of personal information that apps collect, use, maintain, or share.”

Marketers are often untrained in regulations surrounding sensitive healthcare data. BetterHelp was cited for giving a junior marketing analyst carte blanche to decide which data to upload to Facebook and how to use that information. The person joined BetterHelp in 2017, but didn’t receive training on how to protect consumers’ health information until 2021, per the FTC.

The FTC is using consumers—not policy experts—as a gauge to decide if a company is telling the truth about data privacy. In the notice to Amazon and One Medical, FTC commissioners stated that “whether the companies’ privacy representations are deceptive will turn on the perspective of a reasonable consumer rather than the perspective of a HIPAA expert.”

Our take: It’s what is on the website that matters, not what’s buried in an online privacy policy. Digital health companies are justifiably under increasing scrutiny for sharing patients’ health data with third parties, without their users’ specific consent.

But they’re also being held accountable for making statements that any intelligent visitor would understand to mean their data wouldn’t be shared anywhere else. That includes promises like “HIPAA-compliant” or “100% confidential.”

This article originally appeared in Insider Intelligence's Digital Health Briefing—a daily recap of top stories reshaping the healthcare industry. Subscribe to have more hard-hitting takeaways delivered to your inbox daily.

• Are you a client? Click here to subscribe.
• Want to learn more about how you can benefit from our expert analysis? Click here.