SXSW Dispatch: BetterHelp Is a Disaster, Will It Destroy Teladoc?
The FTC has limited enforcement scope, but is throwing firebombs at bad actors.
“There used to be rules!”
—Junior Soprano.
The Federal Trade Commission (FTC) filed a complaint against BetterHelp. This article details what is revealed in that complaint, why it’s a problem from a consumer protection standpoint, and why it is a much, much bigger problem for its parent company, Teladoc. This is public information in the Federal Trade Commission report; nothing here is private. It is already adjudicated.
I am an advocate for well-regulated telehealth. I am occasionally an advocate for well-intentioned telehealth that stumbles badly. I do not think incidental breaches should be grounds for action, per se. But it's really hard to say what will happen in this particular case, given the contents of the Federal Trade Commission report.
Originally, I was going to make this an article about all of the myriad legal implications of the FTC filing, but it would just be too long and difficult to read. I will focus on the issue of protected health information, and the regulatory framework for both civil and criminal liability under the purview of the Department of Health and Human Services. Although it should go without saying, it doesn’t: when one is obligated to focus on only one element of a matter's potential liability? That is not a good day.
To begin, with something that is not itself criminal: they operated under a variety of brands, and they worked hard to appeal to vulnerable populations:
“Respondent BetterHelp, Inc. (“BetterHelp” or “Respondent”), also doing business as Compile, Inc.; MyTherapist; Teen Counseling; Faithful Counseling; Pride Counseling; iCounseling; ReGain; and Terappeuta…”
BetterHelp delegated its decisions around marketing, which—ask anyone in pharmaceuticals—is a highly regulated aspect of healthcare. They delegated it to a crack team of compliance lawyers, ethics professors, physician-scholars, and encryption experts. I’m kidding; they gave the job to this kid:
“In 2017, Respondent delegated most decision-making authority over its use of Facebook’s advertising services to a Junior Marketing Analyst who was a recent college graduate, had never worked in marketing, and had no experience and little training in safeguarding consumers’ health information when using that information for advertising. In doing so, Respondent gave the Junior Marketing Analyst carte blanche to decide which visitors’ and users’ health information to upload to Facebook and how to use that information. This same individual, who now holds the title “Senior Marketing Analyst,” continues to oversee Respondent’s use of Facebook’s advertising tools.”
What is important to understand, and this individual did not, is that health care information is protected by law in order to protect (and this is crucial) vulnerable people: people who are suffering and vulnerable to exploitation by hucksters.
Before somebody argues that the above young person—who is still employed!—was not aware of the importance of privacy, I will point to BetterHelp's representations to its customers about the importance of privacy, and its stated intent to protect that privacy:
The most vitally important thing to understand about the above picture is that I didn't add the red oval. That was added by the Federal Trade Commission. They are marking up an official complaint like it was a Twitter 💩 post.1 This misleading text was kept there for many years to facilitate parting customers with their money. Will other regulators argue that the above text on their website demonstrates intent?
Protections for privacy of health information exist at both a state and federal level, and both levels of regulation need to be complied with. Unlike cab medallions and Uber, the protections for psychiatric patients and the protections for cab passengers have different ethical and legal weight. Uber broke all the rules, and then lobbied to change them, because the level of vulnerability involved doesn’t mandate strict protections. Healthcare is different. For example, in NYS, this:
A form that needs to be filled out to disclose Protected Health Information from a health professional:
You will notice that it is very confusing and has those three specific items on the right-hand side:
Mental Health Information
Alcohol/Drug Information
HIV-related information
A very bad state of affairs arises if the health professional or regulated agency in question doesn’t have those three lines initialed by the patient: even if the rest of the consent form is filled out, any information that might inadvertently reveal the extra-protected information must be removed from the disclosed medical record. This would apply to any BetterHelpers doing work with any patients in NY. The BetterHelp therapists are on the hook, and depending on their employment contracts, that might put BetterHelp on the hook as well, absent those forms in every case of PHI disclosure for clients in NY.
“I’m sorry that my life is only worth a pittance to your megalith. Despite my infinitesimal value to your shareholders, I hope I can occupy a small corner of your corporation’s very large heart.
I have always been quite fond of my personal information, so I hope your algorithms are enjoying my memories as much as I do.”
Here is what the FTC report asserts:
“Respondent’s disclosure of that information to a third party would implicitly disclose the consumer’s interest in or use of the Service and therefore constitute a disclosure of the consumer’s health information. For example, because the Respondent obtained a consumer’s email address only when the consumer took affirmative steps to utilize the Service, the Respondent’s disclosure of this information would identify the consumer as associated with seeking and/or receiving mental health treatment.”
Not only does the FTC assert that this information is protected; it also falls under extra-protected status in states like New York, in which case any disclosure is allowed only if the person signed and initialed the above form. BetterHelp made promises to platform users that there would be no breach of their information (again, from the FTC):
“Recognizing the sensitivity of this health information, Respondent has repeatedly promised to keep it private and use it only for non-advertising purposes such as to facilitate consumers’ therapy.”
This is not what happened (also from the FTC complaint):
“From 2013 to December 2020, however, Respondent continually broke these privacy promises, monetizing consumers’ health information to target them and others with advertisements for the Service.”
On a state-by-state and federal level, this might well be considered PHI, according to the Department of Health and Human Services:
Protected Health Information: The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."
Specifically, this covers information that relates to:
The individual's past, present or future physical or mental health or condition,
the provision of health care to the individual, or
the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
Keep in mind, as asserted by the FTC, the very fact that people signed up, filled out a survey, and started to pay for care means the information was protected. Thus, the email addresses and information shared with social media ad departments were by definition protected, at least according to one federal agency. On the screener, they asked breathtakingly personal questions:
These questions include whether the Visitor is “experiencing overwhelming sadness, grief, or depression”; whether the Visitor has been having thoughts that the Visitor “would be better off dead or hurting yourself in some way”; whether the Visitor is “currently taking any medication”; whether the Visitor has “problems or worries about intimacy”; and whether the Visitor has previously been in therapy.
Is every one of these cases highlighted by the Federal Trade Commission also (plausibly) a HIPAA breach?
The protections related to mental health make obtaining this sort of information something that must be done with the highest level of adherence to regulatory standards.
The FTC asserts this was not an accident: it was not some third-party plug-in, not a pixel, not a marketing tracker, but the deliberate use of protected health information for the financial gain of the business.
Were this to be addressed as a HIPAA issue, it might be an extinction-level event. The Federal Trade Commission acts only under its regulatory authority regarding trade and marketing, and doesn't get anywhere near the liability that this company danced with under healthcare law.
PiperChat Has a Problem…
Federal COPPA protections, around which an entire Silicon Valley plot line is built, cover similar regulatory ground. It is almost impossible to argue that there’s a lack of familiarity around this issue among tech company employees, thanks to this landmark show. I'm not sure how many of the individuals in question are under 12 years old, but the peril faced by Teladoc will be obvious to all Silicon Valley fans:
The brief recap: in Silicon Valley, the company PiperChat isn't compliant with COPPA, which generates tremendous liability thanks to its under-13 users. The problem is solved when they offload the company to Hooli, which is devastated by the fines. In this case, life imitates art; just substitute HIPAA for COPPA.
Dinesh, the fictional Silicon Valley character, had his career as a CEO destroyed by this one regulatory “oops.” The real-life fines are steep:
“Established in 1998 and reworked in 2012, the law allows for a $16,000 - $40,654 fine per individual violation. [The $40,654 went into effect in August 2016.]”
Marketing Isn’t a Big Deal?
In healthcare, marketing is of course allowed, and HHS guidance is as follows:
“Marketing is any communication about a product or service that encourages recipients to purchase or use the product or service.”
There are some carveouts for covered entities under HIPAA, but as a company that began with a direct-to-consumer model, it won’t benefit from any of those plausible exceptions. And once it started selling into health plans:
“A covered entity must obtain an authorization to use or disclose protected health information for marketing.”
I will note that BetterHelp was acquired by Teladoc in 2015. Teladoc can and does contract with employer plans, and makes a billion dollars selling therapy with BetterHelp. Teladoc has “doc” in the name. And it bills insurance…making BetterHelp a covered entity.
What Are the Penalties for a HIPAA violation?
The four categories used for the penalty structure are as follows:
Tier 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA Rules.
Tier 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA Rules).
Tier 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation.
Tier 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation within 30 days.
Everyone reading this can do the math from the FTC complaint and realize that the time between 2013 and 2020 is greater than 30 days. That's right: they had an obligation to report the very breach they were creating.
Further, was it done for personal or financial gain?
Here is the associated fine structure for a greater-than-30-day latency (a.k.a. “willful neglect”) in reporting:
Minimum Fine: $63,973
Maximum Fine: $1,919,173
It is worth noting that the above fines are PER VIOLATION… yikes.
The issue might be: was BetterHelp a covered entity? The moment they sold into employer groups, as part of Teladoc, it could be argued they were.
How bad is this, just looking at the fines (not including civil or criminal liability) under HIPAA privacy breach reporting standards?
“Since its inception, BetterHelp has signed up over 2 million Users, and, today, it has over 374,000 active Users in the United States.”
This adds up to a minimum fine of $127,000,000,000—for the failure to act after the breach is identified. That isn’t even the fine for the breach! Mind-bogglingly, the breach itself is potentially even worse:
Tier 3: Wrongful disclosure of PHI under false pretenses with malicious intent.
The most severe violation is when the individual who commits the crime wrongfully obtains PHI with the intent to sell, transfer, or use the data for personal gain, commercial advantage, or malicious harm.
Maximum penalty: Up to $250,000, ten years of prison time, or both.
That is exactly what this FTC report has prepared for the Department of Justice, should it choose to act. One would imagine the acquisition by Teladoc carried an obligation to do diligence on what is an additional $500 billion in criminal liability, and up to 20,000,000 years in prison?
Will this end up a real life disaster for Teladoc?
Or will their Dinesh find another Gavin Belson to make the problem go away?
—Owen Scott Muir, M.D.
Addendum: For the record, BetterHelp agrees with the above findings of the FTC.
The FTC is definitely in the game, and I've got to give them credit; what they documented is just so unbelievably embarrassing and criminal that it beggars belief. Their charter is of course limited, and I strongly suspect that the Federal Trade Commission is well aware of how the above can and should be used by other regulatory agencies and law-enforcement professionals. This is 💯 emoji-level regulatory enforcement documentation, for our modern age.