How to Keep Your Healthcare Startup off the FTC’s Naughty List (And a List of Those Who Didn’t)
Disclosure: I am not a lawyer and this is not legal advice. I wrote this for informational purposes only. If you have a healthcare startup, I highly recommend getting a good regulatory lawyer.
As a founder, there's lots to worry about, especially for those working in healthcare. Developing the product, securing funding, acquiring customers, managing a team—the list seems endless. What you most certainly do not need is an added layer of headache in the form of a costly, protracted entanglement with the Federal Trade Commission (FTC).
Falling afoul of FTC regulations is not only financially damaging but can erode the hard-earned trust that is so important in healthcare. To help you avoid this unwelcome scenario, I put together this article which covers:
What is the job of the FTC?
Does the FTC enforce HIPAA?
How to stay off the FTC naughty list (including a list of 8 rules you should know about)
Digital health companies that have been on the FTC naughty list
This article will delve into the essential FTC rules that digital health companies must adhere to for both compliance and peace of mind. We'll also look at some cases of companies that strayed into murky regulatory waters, providing you with actionable insights on how to remain in the clear.
What is the job of the FTC in the first place?
Established in 1914, the FTC is tasked with the protection of consumers and the promotion of competition in the marketplace. With the proliferation of digital health products and apps and the ubiquitous data generated, this role has expanded to include the safeguarding of consumer privacy online. By holding companies to account for the misuse of consumer health data along with misleading claims, the FTC serves as a vanguard for privacy rights and ethical business practices.
Does the FTC enforce HIPAA?
It's a common misconception that the FTC plays a direct role in enforcing the Health Insurance Portability and Accountability Act (HIPAA). In reality, the HIPAA Privacy, Security, and Breach Notification Rules are under the jurisdiction of the Office for Civil Rights (OCR) within the U.S. Department of Health & Human Services (HHS). These rules apply to covered entities like health plans and most healthcare providers, as well as business associates who handle protected health information (PHI) on their behalf. Enforcement, including breach notifications, falls squarely on the shoulders of OCR.
That said, the FTC isn't entirely absent from the healthcare privacy landscape. More and more we’re seeing the FTC step up to protect consumers when it comes to health data privacy. The FTC regulates digital health companies under its broader consumer protection mandate, particularly when it comes to unfair or deceptive practices. So, a digital health company that misrepresents its privacy practices could find itself with a letter from the FTC.
So even if your digital health app or service is neither a covered entity nor a business associate and falls outside the purview of HIPAA, you may still attract the watchful eye of the FTC.
How to stay off the FTC naughty list
First and foremost, know the laws
You’ll need a comprehensive understanding of the laws governing both the healthcare and technology sectors. Ignorance is not an acceptable excuse; make sure you and your legal team are well-versed in these laws and others that pertain to your specific service or product.
The FTC operates under a framework of rules and acts specifically tailored to oversee various industries, including digital health. These regulations all revolve around consumer protection, but can largely be categorized into two primary domains: those that pertain to the privacy and security of health data, and those that mandate truthful and accurate advertising. Here are eight that every founder should know:
Section 5 of the FTC Act
Section 5 of the FTC Act prohibits "unfair or deceptive acts or practices." In the context of digital health, this means that any false or misleading statements about a product's effectiveness, or any deceptive data collection or sharing practices, are subject to enforcement actions. Violations can result in civil penalties, remedial measures, or even criminal sanctions.
Health Breach Notification Rule (HBNR)
Digital health companies that deal with personal health records are subject to the Health Breach Notification Rule. If unauthorized access to these records occurs, the company must promptly notify affected individuals, the FTC, and in certain cases, the media. The objective is to mitigate harm by enabling consumers to take timely protective measures.
Truth in Advertising
Companies must ensure that all claims, particularly those related to health benefits, are supported by reliable scientific evidence. The FTC has taken action against companies that make unsupported or exaggerated claims about their products' health benefits, thereby breaching the standard for truth in advertising.
COPPA
The Children’s Online Privacy Protection Act (COPPA) may also come into play if your product is aimed at children under 13 or knowingly collects data from this demographic. In such instances, companies must provide clear privacy policies and obtain verifiable parental consent before data collection.
Endorsement Guidelines
If you use influencers, consumer testimonials, or celebrity endorsements to market your product, you should be aware of the FTC's Endorsement Guidelines. This also applies to companies with online review programs. These guidelines stipulate that endorsements and reviews must reflect honest opinions and that any connection between an endorser and the company should be disclosed.
Negative Option Marketing
The FTC's Negative Option Rule stipulates that sellers offering subscription-based services or products must clearly disclose the terms of the offer, obtain explicit consumer consent, and provide a straightforward way to cancel the service, thereby aiming to protect consumers from unintended charges.
CAN-SPAM Act
The CAN-SPAM Act regulates commercial emails. If your digital health company sends marketing emails, you need to understand and comply with this law, which, among other things, requires that your messages contain a way for consumers to opt out of receiving future emails.
Opioid Addiction Recovery Fraud Prevention Act
For digital health companies involved in the prevention or treatment of (or referrals to treatment for) any substance use disorder, the Opioid Addiction Recovery Fraud Prevention Act provides a specific set of guidelines around unfair or deceptive acts or practices.
Visit the FTC website for a full list of rules.
Second, start building your compliance programs, like yesterday
Let's get real—if you're an early-stage founder, you likely don’t have the luxury of a full-fledged legal team. But compliance isn't something you can afford to push to the back burner. Now’s the time to start crafting your compliance program. Here's what you could be doing:
Consider bringing in an expert, even if it's just for a consultation. They can guide you on what specifically applies to your company and how to avoid common pitfalls.
Start working on your standard operating procedures (SOPs). These will be your go-to guidelines for everything from data protection to advertising claims. Build this into your onboarding process. Make sure everyone on your team knows where to find them and what they contain.
Schedule regular audits—quarterly is a good rule of thumb—to make sure you're actually following your own rules and to catch potential issues before they escalate.
Compliance is not a "set it and forget it" enterprise. It requires ongoing diligence. Your company should routinely monitor advertising campaigns, data security measures, and all other aspects pertinent to FTC regulations. This proactive approach can help preemptively identify issues before they escalate into problems that capture the FTC’s attention.
Doing this groundwork early on sets the foundation for a scalable compliance program that can grow with your business and help you avoid costly, embarrassing violations.
Third, be transparent and honest in all dealings
Transparency is the linchpin of consumer trust, especially in sectors as sensitive as healthcare. All advertising claims must be substantiated by credible scientific evidence. Likewise, data collection, storage, and sharing practices need to be made transparent to the consumer. Disclose any affiliations, particularly when endorsements are involved, to avoid running afoul of the FTC's guidelines.
Digital health companies that have been on the FTC naughty list
Let’s look at some cases of digital health companies that strayed into murky regulatory waters, which hopefully provides you with actionable insights on how to remain in the clear. These companies not only faced fines, but also suffered varying levels of reputational damage that, in some instances, far outweighed any penalties.
Benefytt Technologies
Penalty: $100M in refunds to customers, plus two former executives are banned from selling or marketing healthcare products
Violation: the FTC Act, the Telemarketing Sales Rule (TSR), and the Restore Online Shoppers Confidence Act (ROSCA)
What happened: Benefytt Technologies operated a series of deceptive websites like “Obamacareplans.com” that targeted consumers who were searching for comprehensive health insurance plans qualified under the ACA. They lied and tricked online customers about their healthcare plan, bundled and charged junk fees for unwanted products without consent, and made it nearly impossible for customers to cancel their plans.
Source: FTC
BetterHelp
Penalty: $7.8M in refunds to customers
Violation: Section 5 of the FTC Act
What happened: BetterHelp, an online therapy app, used and disclosed consumers’ email addresses, IP addresses, and health questionnaire information to Facebook, Snapchat, Criteo, and Pinterest for retargeting ads, despite promising consumers that it would only use or disclose personal health data for limited purposes. This case was remarkable because BetterHelp was the first FTC action returning funds to consumers whose health data was compromised.
Source: FTC
Hubble Contacts
Penalty: $3.5M in penalties and redress
Violation: Endorsement Guidelines and the Contact Lens Rule
What happened: Hubble Contacts, an online seller of contacts, got in trouble for a few things. They broke the FTC Act rules around endorsements by compensating people for reviews and having employees write reviews. They also violated the Contact Lens Rule in several ways including by failing to obtain prescriptions and to properly verify prescription information, and by substituting Hubble lenses for those actually prescribed to consumers.
Source: FTC
Lumosity
Penalty: $2M in refunds to customers
Violation: Truth in advertising
What happened: Lumosity, the brain game company, got in trouble for making claims they couldn’t back up. “Lumosity preyed on consumers’ fears about age-related cognitive decline, suggesting their games could stave off memory loss, dementia, and even Alzheimer’s disease,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “But Lumosity simply did not have the science to back up its ads.”
Source: FTC
GoodRx
Penalty: $1.5M civil penalty (fine)
Violation: Section 5 of the FTC Act and the Health Breach Notification Rule
What happened: GoodRx violated the Health Breach Notification Rule by failing to notify consumers, the FTC, and the media about the company’s unauthorized disclosure of individually identifiable health information to Facebook, Google, Criteo, Branch, and Twilio.
Source: FTC
Kurbo (Weight Watchers)
Penalty: $1.5M penalty
Violation: COPPA
What happened: Kurbo marketed a weight loss app for use by children as young as eight and then “illegally harvested their personal and sensitive health information” without parental permission.
Source: FTC
Easy Healthcare (Premom)
Penalty: $100,000 civil penalty
Violation: Section 5 of the FTC Act and the Health Breach Notification Rule
What happened: Easy Healthcare, maker of the fertility app Premom, deceived users by sharing their sensitive personal information with third parties, including two China-based firms, disclosed users’ sensitive health data to AppsFlyer and Google, and failed to notify consumers of these unauthorized disclosures in violation of the Health Breach Notification Rule.
Source: FTC
1Health.io
Penalty: $75,000 in consumer refunds
Violation: Section 5 of the FTC Act
What happened: 1Health.io, formerly known as Vitagene, a genetic testing company, was the first FTC case focused on both the privacy and security of genetic information. The company put users’ sensitive data at risk by storing unencrypted health, genetic, and other personal information in publicly accessible data buckets.
Source: FTC
MelApp
Penalty: $17,963 disgorgement (disgorgement is a remedy requiring a party who profits from illegal or wrongful acts to give up any profits they made)
Violation: Truth in advertising
What happened: The app instructed users to photograph a mole with a smartphone camera and then purported to calculate the mole’s melanoma risk as low, medium, or high. The FTC alleged that the marketers deceptively claimed the apps could determine melanoma risk but they lacked adequate evidence to support these claims. Another app, Mole Detective, saw the same fate.
Source: FTC
Flo Health
Penalty: Flo Health was required to notify affected users about the disclosure of their health information and instruct any third party that received users’ health information to destroy that data
Violation: Truth in advertising
What happened: Flo shared sensitive health data from millions of users of its Flo Period & Ovulation Tracker app with marketing and analytics firms, including Facebook and Google.
Source: FTC
The high stakes of regulatory fidelity
The mandate for digital health founders is clear: knowledge, vigilance, and ethical commitment are the linchpins that hold the fragile edifice of consumer trust. In an age when data has become the lifeblood of nearly every business, maintaining its sanctity is not just a regulatory requirement but a categorical imperative for sustainable business.
The goal of the FTC is ultimately to protect consumers. Its enforcement measures serve not as a punitive arm but as a governance structure, designed to instill best practices and maintain a level playing field for businesses and consumers alike.
Digital health offers an incredible opportunity to transform healthcare as we know it, but that promise is predicated on our sector’s ability to earn and maintain public trust. It starts with being well-versed in the FTC’s frameworks and rules, building robust internal compliance structures from day 1, and being transparent and honest with your customers. Anything less can undermine the great work you aim to do.
Bookmark these resources:
Aiming for truth, fairness, and equity in your company’s use of AI
FTC Warns About Misuses of Biometric Information and Harm to Consumers
Read more on my blog:
🎧 Listen to Heart of Healthcare Episode 066 “Your Health Data is for Sale”
with Lucia Savage, Chief Privacy and Regulatory Officer at Omada Health