In a previous blog, we discussed the Federal Trade Commission’s (“FTC”) proposed changes to its Guides Concerning the Use of Endorsements and Testimonials in Advertising (the “Endorsement Guides”). The Endorsement Guides are intended to help businesses ensure that their endorsement and testimonial advertising conforms with Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce,” including false advertising. We specifically highlighted the FTC’s proposed changes related to social media platforms and their users, deceptive endorsements by online “influencers,” businesses’ use of consumer reviews, and the impact of advertising on children. Now, approximately one year later, and after receiving and considering public comments on its proposed changes, the FTC has issued its final rule adopting revisions to the Endorsement Guides. See Guides Concerning the Use of Endorsements and Testimonials in Advertising, 88 Fed. Reg. 48092 (July 26, 2023) (to be codified at 16 C.F.R. pt. 255). In issuing its final revised Endorsement Guides, the FTC stated that the changes are intended to “reflect the ways advertisers now reach consumers to promote products and services, including through social media and reviews.” We summarize below the FTC’s final revisions to the same sections of the Endorsement Guides covered in our earlier blog.
The 21st Century digital age has provided women with numerous sexual and reproductive health tools that track periods, ovulation, and pregnancy. By simply plugging certain health data inputs into these apps, women can now accurately track the most intimate moments of their lives. But is this sensitive health information secure?
A recent enforcement action by the Federal Trade Commission (“FTC”) against 1Health.io—which sells “DNA Health Test Kits” to consumers for health and ancestry insights—serves as a reminder that the FTC is increasingly exercising its consumer protection authority in the context of privacy and data protection. This is especially true where the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) does not reach. The FTC’s settlement with 1Health.io highlights a wide-range of privacy and security issues companies should consider relating to best practices for updating privacy policies, data retention policies, configuration of cloud storage and vendor management, especially when handling sensitive genetic data.
On May 18, 2023, the Federal Trade Commission (FTC) filed a Notice of Proposed Rulemaking and Request for Public Comment (“NPRM”) seeking to amend the Health Breach Notification Rule (“HBNR”). We previously wrote about the FTC’s policy statement, in which the FTC took the position that mobile health applications that are not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) are covered by the HBNR. In our post, we highlighted concerns raised in dissent by commissioner Noah Joshua Phillips that the FTC’s interpretation of “breach of security” was too broad. Commissioner Phillips has since resigned.
In the absence of a federal law directly aimed at regulating artificial intelligence (AI), the Federal Trade Commission (FTC) is seeking to position itself as one of the primary regulators of this emergent technology through existing laws under the FTC’s ambit. As we recently wrote, the FTC announced the establishment of an Office of Technology, designed to provide technology expertise and support the FTC in enforcement actions. In a May 3, 2023 opinion piece published in the New York Times entitled “We Must Regulate A.I. Here’s How,” Lina Khan, the Chairperson of the FTC, outlined at least three potential avenues for FTC enforcement and oversight of artificial intelligence technology.
On February 17, 2023, the Federal Trade Commission (“FTC”) announced the creation of the Office of Technology (the “OT”), which will be headed by Stephanie T. Nguyen as Chief Technology Officer. This development comes on the heels of increasing FTC scrutiny of technology companies. The OT will provide technical expertise and strengthen the FTC’s ability to enforce competition and consumer protection laws across a wide variety of technology-related topics, such as artificial intelligence (“AI”), automated decision systems, digital advertising, and the collection and sale of data. In addition to assisting with enforcement matters, the OT will be responsible for, among other things, policy and research initiatives, and advising the FTC’s Office of Congressional Relations and its Office of International Affairs.
On February 1, 2023, the FTC announced a proposed $1.5 million settlement with GoodRx Holdings, based on alleged violations of the Federal Trade Commission Act (“FTC Act”) and Health Breach Notification Rule (“HBNR”) for using advertising technologies on its websites and mobile app that resulted in the unauthorized disclosure of consumers’ personal and health information to advertisers and other third parties. On the same day, the U.S. Department of Justice, acting on behalf of the FTC, filed a Complaint and Proposed Stipulated Order detailing the FTC’s allegations and the terms of the proposed settlement.
The success of an artificial intelligence (AI) algorithm depends in large part upon trust, yet many AI technologies function as opaque ‘black boxes.’ Indeed, some are intentionally designed that way. This charts a mistaken course.
The Federal Trade Commission (“FTC”) recently issued guidance clarifying protections applicable to consumers’ sensitive personal data increasingly collected by so-called “health apps.” The FTC press release indicated it has approved a policy statement by a vote of 3-2 offering guidance that organizations using “health applications and connected devices” to “collect or use” consumers’ personal health information must comply with the cybersecurity, privacy and notification mandates of the Health Breach Notification Rule (the “Rule”).
The ...
Earlier this summer, Ethan P. Davis, Principal Deputy Assistant Attorney General for the Civil Division of the U.S. Department of Justice (DOJ) delivered remarks addressing DOJ’s top priorities for enforcement actions related to COVID-19 and indicating that DOJ plans to “vigorously pursue fraud and other illegal activity.”[1] As discussed below, Davis’s remarks not only highlighted principles that will guide enforcement efforts of the Civil Fraud Section under the False Claims Act (FCA) and of the Consumer Protection Branch (CPB) under the Food, Drug, and Cosmetic Act (FDCA) and the Controlled Substances Act (CSA) in response to the COVID-19 public health emergency (PHE), they also provide an indication of how DOJ might approach enforcement over the next few years.
DOJ'S KEY CONSIDERATIONS & ENFORCEMENT STRATEGY FOR COVID-19
Davis highlighted two key principles that would drive DOJ’s COVID-related enforcement efforts: the energetic use of “every enforcement tool available to prevent wrongdoers from exploiting the COVID-19 crisis” and a respect of the private sector’s critical role in ending the pandemic and restarting the economy.[2] Under that framework, DOJ plans to pursue fraud and other illegal activity under the FCA, which Davis characterizes as “one of the most effective weapons in [DOJ’s] arsenal.”[3]
However, as DOJ pursues FCA cases, it will also seek to affirmatively dismiss qui tam claims that DOJ finds meritless or that interfere with agency policy and programs.[4] DOJ also plans to collect certain information from qui tam relators regarding third-party litigation funders during relator interviews.[5] DOJ’s emphasis on qui tam cases—cases brought under the FCA by relators or whistleblowers—for COVID-related enforcement highlights the impact such matters have on DOJ’s enforcement agenda.[6]
- DOJ will consider dismissing cases that involve regulatory overreach and are not otherwise in the interest of the United States.
Although Davis emphasized that the majority of qui tam cases would be allowed to proceed, in order to “weed out” cases that lack merit or that DOJ believes should not proceed, DOJ will consider dismissing cases that “involve regulatory overreach or are otherwise not in the interest of the United States.”[7] This is consistent with the principles reflected in the 2018 Granston Memo that instructed DOJ attorneys to consider “whether the government’s interests are served” when considering whether cases should proceed and listed considerations for seeking alternative grounds for dismissal of FCA cases.[8] Davis gave examples throughout his speech of actions DOJ might consider dismissing:
- Cases based on immaterial or inadvertent mistakes, such as technical mistakes with paperwork
- Cases based on honest misunderstandings of rules, terms, and conditions
- Cases based on alleged deviations from non-binding guidance documents
- Cases against entities that reasonably attempted to comply with guidance and “in good faith took advantage of the regulatory flexibilities granted by federal agencies in the time of crisis.”[9]
DOJ litigators have been advised to inform relators of the possibility of dismissal.[10] Additionally, qui tam suits based on behaviors temporarily permitted during the COVID-19 pandemic, particularly in circumstances in which agencies exercised discretion to waive or not enforce certain requirements, might
“fail as a matter of law for lack of materiality and knowledge.”[11]
- DOJ will now include a series of questions during relator interviews to identify third-party litigation funders.
During each relator interview, DOJ has instructed line attorneys to ask a series of questions to identify whether the relator or their counsel has a third-party litigation funding agreement,[12] which is an agreement in which a third party—such as a commercial lender or a hedge fund—finances the cost of litigation in return for a portion of recoveries.[13] Under the new policy detailed in Davis’s speech, if a third-party funder is disclosed, DOJ will ask for the following:
- the identity of the third-party litigation funder,
- information regarding whether information of the allegations has been shared with the third party,
- whether the relator or their counsel has a written agreement with the third party, and
- whether the agreement between the relator or their counsel and the third party includes terms that entitles the third-party funder to exercise direct or indirect control over the relator’s litigation or settlement decisions.
Relators must inform DOJ of changes as the case proceeds through the course of litigation.[14] While Davis characterizes these changes as a “purely information-gathering exercise for the purpose of studying the issues,” the questions are in furtherance of DOJ’s ongoing efforts to uncover the potential negative impacts third-party litigation financing may have in qui tam actions. [15] The questions Davis referenced in his remarks reflect DOJ’s concerns with third-party litigation funding as expressed by Deputy Associate Attorney General Stephen Cox in a January 2020 speech.[16] Davis emphasized that DOJ particularly sought to evaluate the extent to which third-party litigation funders were behind qui tam cases DOJ investigates, litigates, and monitors; the extent of information sharing with third-party funders; and the amount of control third-party funders exercised over the litigation and settlement decisions.[17] While the Litigation Funding Transparency Act of 2019 has remained inactive since its introduction in February 2019 by Senator Grassley[18] and the 2018 proposal by the U.S. Court’s Advisory Committee on Civil Rights’ Multidistrict Litigation Subcommittee to require disclosure of third-party litigation funding remains under consideration,[19] DOJ’s plans to include this line of questioning potentially signals DOJ’s intention to take more concrete and significant steps to address third-party litigation funding in the future.
The market for direct-to-consumer (“DTC”) genetic testing has increased dramatically over recent years as more people are using at-home DNA tests. The global market for this industry is projected to hit $2.5 billion by 2024. Many consumers subscribe to DTC genetic testing because they can provide insights into genetic backgrounds and ancestry. However, as more consumers’ genetic data becomes available and is shared, legal experts are growing concerned that safeguards implemented by U.S. companies are not enough to protect consumers from privacy risks.
Some states vary ...
On October 26, 2018, the Federal Trade Commission (FTC) announced that it will hold four days of hearings between December of 2018 and February of 2019 to examine the FTC’s authority to deter unfair and deceptive conduct in data security and privacy matters.[1] The two days of December hearings will focus on data security, while the two days of February hearings will focus on consumer privacy. This announcement comes as part of the agencies Hearings on Competition and Consumer Protection in the 21st Century, an initiative that has already scheduled hearings on closely related ...
Recent comments by the Federal Trade Commission (FTC) Commissioner Rohit Chopra should have companies on notice for increased enforcement actions across the board. During the “Privacy. Security. Risk.” Conference in Texas last week, Chopra made comments regarding his views on increasing enforcement, including the imposition of greater civil monetary penalties. “I’ve already raised concerns about settlements we do with no monetary penalties. I want to see monetary consequences for egregious breaking of the law” said Chopra as reported by the IAPP during a live ...
On October 2, 2018, FDA Commissioner Scott Gottlieb released a statement announcing new agency actions to further deter “gaming” of the generic drug approval process through the use of citizen petitions. Among these actions, the most significant was the issuance of a revised draft guidance on citizen petitions subject to Section 505(q) of the Federal Food, Drug, and Cosmetic Act (“FDCA”), published on the same day. The stated goal of this revision was to create a more efficient approach to 505(q) petitions and to allow the Agency to focus reviewer resources on scientific ...
Effective June 11, 2018, all Department of Veterans Affairs (“VA”) health care providers will be able to offer the same level of care to all beneficiaries regardless of the beneficiary’s or the health care provider’s location. In its recently released final rule, the VA stated that in December 2016 Congress mandated that the agency provide veterans with a self-scheduling, online appointment system, and that the agency meet the demands for the provision of health care services to veterans, regardless of whether such care was provided in-person or using telehealth ...
In an Advisory Opinion dated October 20, 2017, to Crouse Health Hospital ("Crouse Hospital"), the Federal Trade Commission ("FTC") agreed that the Non-Profit Institutions Act ("NPIA") would protect the sale of discounted drugs from Crouse Hospital to the employees, retirees, and their dependents of an affiliated medical practice (Crouse Medical Practice, PLLC) ("Medical Practice") from antitrust liability under the Robinson-Patman Act. Significantly, the FTC provided this advice despite the fact that the Medical Practice is a for-profit entity, and is not owned by Crouse ...
The Federal Trade Commission's ("FTC") recently submitted Congressional Budget Justification and Annual Performance Plan and Report contains helpful insight into the FTC's focus and expectations for the coming fiscal year. Of particular note, is a slight shift of funds from activities designed to "protect consumers" to activities intended to "promote competition." High on the FTC's list of actions designed to promote competition is continued scrutiny of the health care industry. And to that end, the FTC reiterated its intention to, among other things:
Take action against ...
The Federal Trade Commission ("FTC") and the Antitrust Division of the Department of Justice ("Antitrust Division") released their respective year-end reviews highlighted by aggressive enforcement in the health care industry. The FTC, in particular, indicated that 47% of its enforcement actions during calendar year 2016 took place in the health care industry (including pharmaceuticals and medical devices). Of note were successful challenges to hospital mergers in Pennsylvania (Penn State Hershey Medical Center and Pinnacle Health System), and Illinois (Advocate Health ...
Surprisingly amidst the Federal Bureau of Investigation (FBI) uproar, President Trump today signed an executive order addressing cybersecurity for the federal government and critical infrastructure, along with international coordination and cyber deterrence. The substance of the order, which is about to be made public, comes from various press releases and interviews with administration officials. The order is composed of three sections on cybersecurity and IT modernization within the federal government, protecting critical infrastructure, and establishing a cyber ...
Executive Order Delay Trumps Administration Policy Development
President Trump's first hundred days did not produce the event that most people in the cybersecurity community expected – a Presidential Executive Order supplanting or supplementing the Obama administration's cyber policy – but that doesn't mean that this period has been uneventful, particularly for those in the health care space.
The events of the period have cautioned us not to look for an imminent Executive Order. While White House cybersecurity coordinator Robert Joyce recently stated that a forthcoming ...
Recently, the Federal Trade Commission ("FTC") faced major losses in challenging hospital mergers. However, it is clear that the FTC is not backing down, especially given its tendency to conclude that proposed efficiencies do not outweigh the chance of lessening competition.
In July of this year, the FTC abandoned a challenge to the proposed merger of St. Mary's Medical Center and Cabell Huntington Hospital in West Virginia after state authorities had changed West Virginia law and approved the merger despite the FTC's objections. This year as well, the FTC failed to enjoin the Penn ...
West Virginia recently took a bold step to set the stage to shield an in-state hospital merger from further antitrust scrutiny by the Federal Trade Commission (FTC). Certain healthcare stakeholders are likely watching these developments with some excitement and with some thought toward pursing similar initiatives in their respective states. Although this may have some positive effects for healthcare mergers (depending upon one's point of view) it is not altogether clear that state review processes that might shield a merger from federal antitrust enforcement will necessarily ...
On October 26, 2015, the Federal Trade Commission ("FTC") and the Antitrust Division of the U.S. Department of Justice ("DOJ") (collectively the "Agencies") issued a joint statement to the Virginia Certificate of Public Need ("COPN") Work Group encouraging the Work Group and the Virginia General Assembly to repeal or restrict the state's certificate of need process. The Virginia COPN Work Group was tasked by the Virginia General Assembly to review the current COPN process and recommend any changes that should be made to it.
Thirty-six states currently maintain some form of ...
At the International Association of Privacy Professionals ("IAPP") Global Privacy Summit in Washington, D.C. on March 5th and March 6th, the Federal Trade Commission ("FTC") was clear in its message that privacy was a top priority for the agency. The FTC had a strong presence at the conference. Three of the five Commissioners and the Director of the Bureau of Consumer Protection (Jessica Rich) all spoke at the conference and relayed a message of the importance of consumer privacy and security. In that regard, the FTC speakers stressed the importance of:
- informing consumers of the ...
As a lawyer practicing in the telemedicine space, I am rarely surprised these days. But every once in a while I will read or hear something that stops me in my tracks. That is exactly what happened when I read a blog post by an FTC Commissioner which, among other things, calls for government policies that help facilitate greater adoption of telemedicine. The post was part of a broader piece about the FTC's role in promoting competition and innovation in health care.
By way of quick background, the Federal Trade Commission is the federal agency charged with protecting ...
In the healthcare industry we often associate information privacy and security enforcement with HIPAA and state privacy laws. However, a lesser known but in some cases just as significant regulator of information privacy is the Federal Trade Commission (“FTC”). This is especially true with regard to mobile health applications, which depending on how they function and collect personal information, may not be regulated by HIPAA. Regardless of whether or not you have to comply with HIPAA, if you run applications or software that can access personal information, then the FTC’s ...
While tech companies looking to provide health solutions must figure out early on whether they are HIPAA-regulated, HIPAA is not the be-all and end-all of privacy law. Even entities not regulated under HIPAA must abide by other privacy rules, including a wide array of state privacy laws. On December 6, 2012, in the state’s first legal action under its online privacy law, California Attorney General Kamala Harris filed a lawsuit against a major airline for not including a privacy policy in its smartphone app. The complaint alleges violation of California’s Online Privacy ...
by Jeffrey M. Landes, Susan Gross Sholinsky, Steven M. Swirsky, and Jennifer A. Goldman
On January 25, 2012, the Federal Trade Commission ("FTC") sent warning letters to three companies that market, in total, six mobile phone applications ("Apps") that provide users with background check reports. In the warning letters, the FTC states that the Apps may violate the Fair Credit Reporting Act ("FCRA"). According to a press release issued by the FTC on February 7, 2012, the FTC cautioned the Apps' marketers that, if they have reason to believe that the background reports provided will be ...
by Patricia M. Wagner and Ross K. Friedberg
On April 19, 2011, the “Proposed Statement of Antitrust Enforcement Policy Regarding Accountable Care Organizations Participating in the Medicare Shared Savings Program” (“Proposed Statement”) was published in the Federal Register. As noted in the Proposed Statement, the antitrust enforcement agencies (the Department of Justice Antitrust Division and the Federal Trade Commission issued the Proposed Statement in response to a perceived preference by potential accountable care organization (“ACO”) participants to ...
Blog Editors
Recent Updates
- As the Window for Comments Closes on ONC/ASTP’s HTI-2 Proposed Rule: What’s in HTI-2 and What Does It Mean for You?
- Unpacking Averages: Assessing FDA’s Postmarket Surveillance Under Section 522
- Video: New State Legislation Increases Oversight of Health Care Transactions – Thought Leaders in Health Law
- Video: New HIPAA Final Rule - Key Changes to Reproductive Health Care Privacy – Thought Leaders in Health Law
- Post-AB 3129, California Sponsored MSOs Must Focus on Compliance, Strategic Growth, and Exit Planning