FTC Prohibits Alcohol Addiction Firm from Sharing Consumer Data with Third Parties

The Federal Trade Commission (FTC) has ordered the alcohol addiction treatment firm Monument to stop disclosing consumers’ health data to third parties for advertising purposes without obtaining affirmative consent. A $2.5 million civil monetary penalty has also been imposed but the penalty has been suspended due to the inability of Monument to pay.

The FTC’s proposed order settles FTC charges that Monument disclosed consumers’ personal and health information to third parties such as Google and Meta between 2020 and 2022 without obtaining consent. The data disclosed revealed that customers were receiving help with alcohol addiction when Monument had informed its customers that their data would remain 100% confidential.

When customers sign up for Monument’s services, they disclose sensitive information including their name, email address, date of birth, phone number, address, information about their alcohol consumption, medical history, and copies of their government-issued IDs; their IP address and device IDs are also collected. According to the complaint, between 2020 and 2022, Monument informed consumers on its website and in communications that the personal and health information provided to the company would be 100% confidential and would not be disclosed to third parties without user consent. Monument also claimed that it was compliant with the Health Insurance Portability and Accountability Act (HIPAA).

However, Monument added tracking technologies, known as pixels and application programming interfaces (APIs), to its website, which were used to collect information that allowed it to target ads for its services to new consumers and to current customers who had signed up for the lowest-cost memberships. Monument classified website interactions as standard and custom events, with the latter given descriptive titles such as “Paid: Weekly Therapy” or “Paid: Med Management” when a user signed up for a service.

The “custom events” information was disclosed to advertising platforms along with users’ email addresses, IP addresses, and other identifiers that allowed individuals to be identified and associated with the custom events. The descriptions confirmed that the individuals were receiving treatment for alcohol addiction. Monument did not track the disclosures or maintain an inventory of the information it collected and disclosed to third parties; however, according to the FTC, as many as 84,000 of its users had their information disclosed to third parties without consent.
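As an added example (not from the FTC complaint or the original post), a defender-side audit of captured outbound web requests for the pattern described here: a request to an advertising platform that carries a health-revealing custom event label together with a user identifier. The ad-domain list, the sensitive-term list and the sample requests are constructed assumptions; a hashed email is treated as an identifier because ad platforms match on it.

```python
"""Audit captured outbound tracking requests for health-revealing event labels
sent to third-party ad platforms alongside user identifiers (added example)."""
import re
from urllib.parse import parse_qs, urlparse

AD_PLATFORM_DOMAINS = ("facebook.com", "google-analytics.com", "doubleclick.net")  # assumed
SENSITIVE_TERMS = re.compile(r"therap|med management|addiction|alcohol|treatment", re.I)  # assumed
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")  # a hashed e-mail is still a matchable identifier


def _is_ad_platform(host):
    return any(host == d or host.endswith("." + d) for d in AD_PLATFORM_DOMAINS)


def audit_requests(requests):
    """Return one finding per ad-platform request that pairs a sensitive label
    with an identifier. `requests` are dicts with "url" and optional "postData"."""
    findings = []
    for req in requests:
        parsed = urlparse(req["url"])
        host = (parsed.hostname or "").lower()
        if not _is_ad_platform(host):
            continue  # first-party traffic is out of scope for this check
        # Pixels put event data in the query string or in a form-encoded body.
        values = [v for src in (parsed.query, req.get("postData", ""))
                  for vs in parse_qs(src).values() for v in vs]
        labels = sorted({v for v in values if SENSITIVE_TERMS.search(v)})
        identifiers = sorted({v for v in values if EMAIL_RE.fullmatch(v)
                              or IPV4_RE.fullmatch(v) or SHA256_RE.fullmatch(v)})
        if labels and identifiers:
            findings.append({"host": host, "labels": labels, "identifiers": identifiers})
    return findings


# Constructed sample capture: two disclosing pixel calls, one benign pageview, one first-party call.
SAMPLE_REQUESTS = [
    {"url": "https://www.facebook.com/tr?id=123&ev=Paid%3A%20Weekly%20Therapy"
            "&ud[em]=jane%40example.com"},
    {"url": "https://www.google-analytics.com/collect?v=1&t=pageview&dp=%2Fhome"},
    {"url": "https://www.facebook.com/tr", "postData":
        "ev=Paid%3A%20Med%20Management&cd[email]=x%40example.com&client_ip_address=203.0.113.7"},
    {"url": "https://app.monument.example/api/me"},  # hypothetical first-party host, ignored
]

if __name__ == "__main__":
    for f in audit_requests(SAMPLE_REQUESTS):
        print(f"{f['host']}: {f['labels']} sent with {f['identifiers']}")
```

Run it over a HAR export or proxy capture converted to the same `url`/`postData` shape; a hit means a data inventory entry and a consent check are needed for that endpoint.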

These disclosures were deemed to constitute unfair and deceptive practices that violated the FTC Act and the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA). The $2.5 million civil monetary penalty will have to be paid if the company is found to have misrepresented its finances. Monument must also identify the user data it has sent to third parties and instruct them to delete the data, implement a comprehensive privacy program with strong safeguards to protect consumer data and address the issues the FTC identified in its complaint, and inform consumers whose information has been disclosed to third parties for advertising purposes. The FTC order now awaits approval from a District Court judge.

“This action continues the FTC’s work to ensure strict limits on how firms handle sensitive health data, rather than putting the onus on consumers to protect themselves,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Following on the heels of actions against GoodRx, BetterHelp, and Premom, the market should be getting the message that consumer health data should be handled with extreme caution.”

The FTC has also recently taken action against the mental health telehealth company Cerebral and has ordered the company to pay a $7.1 million penalty.

The post FTC Prohibits Alcohol Addiction Firm from Sharing Consumer Data with Third Parties appeared first on HIPAA Journal.

What Is The Best HIPAA Compliance Software?

The best HIPAA compliance software is an effective compliance management tool that helps a covered entity navigate the complexities and stringent requirements of HIPAA compliance.

The vast majority of healthcare organizations in the USA do not employ a professional compliance officer, and HIPAA compliance falls to an administrator or practice manager. This guide is aimed at these people. If you are a compliance professional, please see our guide to Healthcare Compliance Software.

What Are The Benefits Of HIPAA Compliance Software?

  • Remove the complexities and stress of compliance
  • Reduce risk
  • Increase patient loyalty and the profitability of your business

What To Consider When Purchasing HIPAA Compliance Software?

There are three aspects to consider when purchasing a HIPAA compliance software solution.

  1. Key Features or Functionality
  2. Key Components
  3. Commercial Considerations

This guide is divided into three sections, one for each of these aspects. By following this buyer’s guide framework, an organization can make a thorough assessment of the available HIPAA compliance software options and select the most suitable solution to support its compliance efforts effectively.

1. What Are The Key Features Of HIPAA Compliance Software?

The software helps healthcare providers to implement robust measures, such as encryption, access controls, auditing, and regular risk assessments. By centralizing and automating the compliance process, HIPAA compliance software optimizes data protection efforts, mitigates potential breaches, and fosters a culture of compliance within the healthcare industry.

  • Security risk assessment
  • Gap identification
  • Remediation plans
  • Proper storage of HIPAA policies and procedures
  • Employee training
  • Business Associate Agreements
  • Breach incident reporting
  • Risk assessment tools
  • Policy and procedure management
  • Access controls and user management
  • Incident response and breach management
  • Audit logging and reporting capabilities
  • Encryption and data protection measures

What other features should you consider for your HIPAA compliance solution?

A lot goes into a healthcare compliance program, and our solution helps automate the process. Whether you need HIPAA, OSHA, SOC 2, or all three, your compliance program is fully customizable.

Our software has everything you need for compliance: templated policies and procedures, risk assessments, comprehensive training for your entire staff, vendor management, incident reporting, and more. No matter your needs, our software provides guided action items to meet your requirements with ease.

Solve healthcare compliance challenges quickly and confidently with simplified software. Endorsed by top medical associations, clients can be confident in their compliance program.

2. What Are The Key Components Of HIPAA Compliance Software?

Scalability and Flexibility

Considerations regarding the scalability of the software to accommodate the organization’s growth and evolving compliance needs.

Integration Capabilities

Examination of the software’s ability to integrate with existing IT infrastructure and other third-party applications used within the organization.

3. What Are The Commercial Considerations When Choosing HIPAA Compliance Software?

Do they offer comprehensive help setting up their HIPAA compliance software for you?

Do they offer a free trial period?

Do they offer discounts, for example for members of an association you already belong to?

Vendor Reputation and Support:

  • Research on the vendor’s reputation within the healthcare industry and their track record in providing reliable software solutions.
  • Availability and responsiveness of customer support services, including training resources, technical assistance, and ongoing maintenance.

Cost Considerations:

  • Transparent breakdown of pricing structures, including initial setup costs, licensing fees, and any additional charges for support or updates.
  • Comparison of pricing models (e.g., one-time purchase vs. subscription-based) and considerations of long-term affordability.

Case Studies and Customer References:

  • Review of case studies or testimonials from other healthcare organizations that have successfully implemented the software.
  • Requesting references to speak directly with existing customers about their experiences with the software and vendor.
