BetterHelp and HIPAA compliance

BetterHelp is an online therapy service that connects clients to counselors for web-based interactions. BetterHelp has come under fire recently for sharing patient data with third parties like Facebook and Snapchat. Understanding BetterHelp's compliance allows users to decide whether the service fits their privacy comfort level. 


BetterHelp and HIPAA compliance

During an investigation by the Federal Trade Commission (FTC), it was discovered that BetterHelp's questionnaire, which collects sensitive patient information, promised that this data would remain confidential between the healthcare provider and the patient. On their website, BetterHelp states that they have secure privacy measures and "is certified by HITRUST - one of the most recognized data security certification programs in the health industry."

However, the FTC investigation revealed that BetterHelp failed to implement adequate policies and procedures to safeguard patient data. This finding raises concerns about the platform's level of data protection and privacy measures. 


BetterHelp and the FTC

The FTC released a policy statement emphasizing the Health Breach Notification Rule in relation to health apps and connected devices. It clarifies that health app developers are considered healthcare providers under the rule and therefore obligated to comply. The rule applies to vendors of personal health records containing identifiable health information created or received by healthcare providers.

This was followed by the subsequent investigation by the FTC into BetterHelp's distribution of private data to third parties. The investigation revealed that data was shared without patient consent and sold to parties such as Meta for advertising purposes. 

The FTC imposed fairly typical requirements associated with privacy and security consent decrees, such as the requirement for a privacy program and external assessments. Additionally, the consent decree requires BetterHelp to get "express affirmative consent" for any future disclosure of persistent identifiers such as cookie IDs or IP addresses. This means that BetterHelp has to obtain opt-in consent for any future operation of cookies, which is far beyond current legal requirements for most entities. There is also a $7.8 million penalty which was used to reimburse the users that were affected. 

Related: BetterHelp fined $7.8M and banned from sharing sensitive data


BetterHelp and class actions

Following the FTC investigation, BetterHelp is facing two class action lawsuits. 

The first lawsuit, filed on March 7, accuses BetterHelp of repeatedly violating its promise to protect users' private information and instead using the data to target customers with advertising for its services. 

The second lawsuit, filed on March 11, alleges that BetterHelp's intention when sharing user data with third-party advertisers was not to benefit patients but to enhance its market share and maintain relationships with social media sites. Both lawsuits claim that BetterHelp's actions violated privacy rights and various legal doctrines.

The lawsuits claim that BetterHelp's privacy promises meant little, and the company extensively used users' data for profit. BetterHelp allegedly spent millions on marketing and advertising, including through Facebook, which contributed to its significant user growth. The lawsuits also criticize BetterHelp for entrusting a junior marketing analyst with decision-making authority over data usage without adequate training or experience.

Individuals considering using BetterHelp's services need to be aware of these findings and make informed decisions about protecting their personal information. Additionally, there are new discoveries relating to BetterHelp's treatment of PHI, which require users to be aware of how their patient data is used.

Although BetterHelp claims they are certified by HITRUST, sharing users' data may not be within HIPAA guidelines. 

Related: HIPAA Compliant Email: The Definitive Guide
