Companies Ordered to Pay $145 Million for Alleged Deceptive Health Insurance Marketing

Posted by Steve Alder

The Federal Trade Commission (FTC) has announced settlements with two healthcare companies to resolve claims that they misled consumers seeking health insurance. In both cases, the companies were alleged to have deceived consumers seeking comprehensive health insurance into purchasing plans that did not provide the claimed level of coverage. The companies will pay a total of $145 million to the FTC to resolve the two complaints.

The biggest financial penalty was imposed on Assurance IQ, LLC, a Seattle-based company that sells short-term medical (STM) plans, limited benefit indemnity (LBI) plans, and supplemental healthcare plans, including vision and dental discount plans. According to the FTC complaint, Assurance’s telemarketers overstated the coverage provided by its policies. Most of the plans were sold on behalf of Benefytt Technologies, which was a third-party distributor of healthcare products for various carriers. Assurance received over $100 million in commissions for selling the policies on behalf of Benefytt. The FTC previously filed a complaint against Benefytt alleging deceptive acts and practices, which was resolved in 2022.

Assurance generated leads through its website, offering free quotes for affordable health insurance, as well as obtaining leads from third-party lead generators, and its outbound telemarketers contacted those consumers to sell them insurance products.  The Assurance website stated that its insurance products were equivalent to comprehensive health insurance and that it worked with leading health insurers such as Aetna, Humana, and Kaiser Permanente, but it did not sell any of their insurance products, and the policies sold to consumers did not provide comprehensive insurance coverage.

Its telemarketers were alleged to have misrepresented the features of the plans, leading consumers to believe they were purchasing comprehensive health insurance, when that was not the case. Consumers were also told they had coverage for pre-existing health conditions, when that was not the case, and there were other significant coverage restrictions. Consumers were also told there were no caps on benefits, but the policies had significant restrictions. The $100 million judgment resolves claims that Assurance violated the Telemarketing Sales Rule (TSR). Assurance has been prohibited from making express and implied misrepresentations to consumers and must have competent and reliable evidence to substantiate any claims about coverage.

The second settlement resolves a complaint against Los Angeles, CA-based MediaAlpha, Inc. and its operating subsidiary QuoteLab, which uses websites and online ads claiming to provide health insurance quotes. The leads generated are sold to telemarketers. According to the FTC, MediaAplpha sold 119 million consumer leads in 2024.

The FTC alleged the company used website domains with names that implied they were associated with the government, and claimed consumers could buy low-cost, comprehensive health insurance that complies with the Affordable Care Act. The company hired actors, celebrities, and a doctor for product promotion, including a fictitious government “Health Insurance Give Back Program,” and claimed that millions of Americans qualified for a health plan that cost $1 per day.

MediaAlpha’s partners used robocalls and telemarketing calls, including to people on the Do Not Call Registry, offering comprehensive low-cost health insurance coverage, but the health care plans provided by its partners rarely included the low-cost, comprehensive health insurance plans that consumers were promised.

The FTC alleged that MediaAlpha was in violation of the FTC Act, TSR, and Impersonation Rule, and obtained a $45 million consent judgment. MediaAlpha is prohibited from making misleading and false claims about the products it offers, must hand over the misleading domains it used, must monitor its partners to ensure they comply with the law in the future, and must obtain consent from consumers before selling or disclosing their personal information.

The post Companies Ordered to Pay $145 Million for Alleged Deceptive Health Insurance Marketing appeared first on The HIPAA Journal.

Crisis Pregnancy Centers’ Websites Edited After Scrutiny of HIPAA Claims

Posted by Steve Alder

Back in February, The HIPAA Journal reported on the efforts of the non-profit watchdog organizations the Campaign for Accountability and the Electronic Frontier Foundation (EFF) to prevent crisis pregnancy centers (CPCs) from claiming or implying they are bound by the Health Insurance Portability and Accountability Act (HIPAA) on their websites and intake forms, when they are not HIPAA-regulated entities.

Most CPCs are not licensed healthcare providers and are therefore not bound by the HIPAA Rules, yet CPCs have been identified by the Campaign for Accountability and EFF that imply that they are bound by the HIPAA Rules. Regardless of personal opinions about abortion procedures and reproductive healthcare, implying that personal data is protected by HIPAA when it is not is a deceptive business practice.

Under HIPAA, regulated entities are healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities, and all are required to comply with the HIPAA Rules. One of the requirements of HIPAA is to have a notice of privacy practices, which should be displayed in a prominent position in a physical location and be published on the entity’s website. The notice of privacy practices must clearly state how the entity may use and share health information, individuals’ privacy rights, and how to make a complaint about a potential privacy violation, including the right to file a complaint with the Department of Health and Human Services (HHS).

Investigations by the watchdogs identified CPCs that have a website notice of privacy practices, which indicates compliance with the HIPAA Rules. Some even state in their notice of privacy practices that individuals can file a complaint with the HHS if they feel their privacy has been violated. While anyone can file a complaint with the HHS about a potential HIPAA violation, the HHS will not act on any complaint if it is filed against a non-HIPAA-regulated entity. While a CPC may comply with its published privacy policy, uses and disclosures of personally identifiable health information are not subject to HIPAA protections, and implying or stating that information is protected under HIPAA misleads consumers about privacy protections.

Both the Campaign for Accountability and the Electronic Frontier Foundation filed complaints with several state attorneys general about the alleged deceptive business practices. In 2024, the Campaign for Accountability filed complaints with the state attorneys general in Idaho, Minnesota, Washington, Pennsylvania, and New Jersey, and this year, EFF filed complaints with the state attorneys general in Arkansas, Missouri, Texas, and Florida. The complaints included examples of CPCs in the respective states that were alleged to have engaged in deceptive business practices.

The complaints include numerous statements from CPC websites indicating HIPAA compliance, when those entities are not bound by the HIPAA Rules. For example, some CPCs state “client information is held in strict and absolute confidence, according to HIPAA guidelines,” or that they are subject to oversight by the HHS’ Office for Civil Rights, or that their forms are HIPAA-compliant. In one case, a CPC claimed, “If you receive services through [CPC], federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), also protects your health information.” In each case, the CPC is not a HIPAA-regulated entity.

In a recent update, the EFF confirmed that its efforts are showing some signs of success. While substantive responses have not been received from state attorneys general, other than confirmations that the complaints have been received, some CPCs have responded and have made changes to their messaging. “Of the 21 CPCs we cited as exhibits in our complaints, six have completely removed HIPAA references from their websites, and one has made partial changes (removed one of two misleading claims). Notably, every center we flagged in our letters to Texas AG Ken Paxton and Arkansas AG Tim Griffin has updated its website—a clear sign that clinics in these states are responding to scrutiny,” said EFF legislative activist, Rindala Alajaji. “While 14 remain unchanged, this is a promising development. These centers are clearly paying attention—and changing their messaging.”

The post Crisis Pregnancy Centers’ Websites Edited After Scrutiny of HIPAA Claims appeared first on The HIPAA Journal.