The Significance of Not Obtaining Patient/Consumer Consent Before Poaching Data

Practice Management

On May 23, 2016, the Federal Trade Commission (FTC) announced that it approved a final order with Henry Schein Practice Solutions, Inc. (HS) to resolve allegations that HS falsely advertised the level of encryption it provided to protect patient data. The consent order requires HS to pay $250,000 and prohibits it from "misleading customers about the extent to which its products use industry-standard encryption or the extent to which its products help ensure regulatory compliance or protect consumers' personal information."

Fast forward to 2022. On March 8, 2022, the U.S. Department of Justice (DOJ) announced its first settlement under its Civil Cyber-Fraud Initiative. In the interest of full disclosure, I represented the only whistleblower who raised allegations about Comprehensive Health Services LLC (CHS), which did "fail to disclose to the State Department that it had not consistently stored patients' medical records on a secure EMR system. When CHS staff scanned medical records for the EMR system, CHS staff saved and left scanned copies of some records on an internal network drive, which was accessible to non-clinical staff." 

In October 2022, a major health system, Aurora Health, gave patients, the media, and the United States Department of Health and Human Services (HHS) notice that protected health information (PHI), including sensitive personally identifiable information, may have been exposed to Google, Meta, and other third parties without patients' knowledge or consent. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has long had provisions prohibiting the marketing and sale of PHI. 

Now, in 2023, the FTC has announced two consent orders related to the prohibited poaching and use of PHI by known third parties, and the DOJ has announced another settlement under its Civil Cyber-Fraud Initiative. 

The take-away is fundamental. The illicit taking and utilization of patient/consumer data without knowledge or consent can result in government action. 


The FTC's enforcement authority is derived from Section 5 of the Federal Trade Commission Act of 1914, as amended. 

Two recent enforcement action settlements, which occurred between February and early March 2023, underscore that authority, and each is notable for a distinct reason:

  • GoodRx (February 1, 2023) – This was the first case in which an enforcement action was taken under the FTC's Health Breach Notification Rule. Here, GoodRx, a telehealth and prescription drug discount provider, did "fail to notify consumers and others of its unauthorized disclosures of consumers' personal health information to Facebook, Google, and other companies." Moreover, "In a first-of-its-kind proposed order, filed by the Department of Justice on behalf of the FTC, GoodRx will be prohibited from sharing user health data with applicable third parties for advertising purposes, and has agreed to pay a $1.5 million civil penalty for violating the rule. The proposed order must be approved by the federal court to go into effect." GoodRx paid the government $7.8 million to settle the allegations. 
  • BetterHelp, Inc. (Mar. 2, 2023) – In another first-of-its-kind case, the FTC secured remuneration for consumers who were harmed when, in the FTC's words, "online counseling service BetterHelp revealed consumers' sensitive data with third parties such as Facebook and Snapchat for advertising after promising to keep such data private."

The DOJ and whistleblowers utilize the False Claims Act. As the March 14, 2023 DOJ press release concerning Jelly Bean Communications Design and its Manager (collectively "JellyBean") illustrates, cybersecurity failures and the absence of the requisite technical, administrative, and physical safeguards are two areas that may form the basis of a False Claims Act cause of action. As a disclaimer, the False Claims Act is a very complex and intricate area of law. 

Some key take-aways from the JellyBean settlement include the following:

  • From January 1, 2014 through December 14, 2020 – a period of over six years – JellyBean failed to provide secure hosting of protected health information (PHI) despite its representations in its agreements and invoices, and put patients, specifically children, and their PHI at risk. 
  • JellyBean created, hosted, and maintained a federally funded Florida children's health insurance website and failed to secure personal information. Over 500,000 applications were hacked, and the settlement amount to resolve the allegations was $293,771.
  • "The agreement required that JellyBean provide a fully functional hosting environment that complied with the protections for personal information imposed by the Health Insurance Portability and Accountability Act of 1996" (DOJ Press Release).
  • The government alleged that numerous outdated and vulnerable software applications were in use and that fundamental patches were not being applied. 


Compliance officers and counsel alike should learn from these recent actions. One fundamental step that should be included in any HIPAA Risk Analysis is the evaluation of the ingress and egress of patient/consumer data: whether patient consent is required before the information may be taken and utilized, and whether the third party has the appropriate safeguards in place. Cultivating a culture of compliance that is genuine and can pass legal muster should also be considered. Cybersecurity risk management is not going away, and it would behoove everyone to re-evaluate their risk tolerance. 

Rachel V. Rose, JD, MBA, is an Attorney at Law, in Houston, TX. Rachel advises clients on healthcare, cybersecurity, securities law, and qui tam matters. She also teaches bioethics at Baylor College of Medicine. She has been consecutively named by Houstonia Magazine as a Top Lawyer (Healthcare) and to the National Women Trial Lawyer's Top 25. She can be reached at rvrose@rvrose.com. www.rvrose.com
