Understanding the FTC Act in Healthcare: Compliance Requirements and Recent Enforcement Trends

Kevin Henry

HIPAA

January 26, 2026


FTC Act Overview in Healthcare

What Section 5 covers

The FTC Act prohibits unfair or deceptive acts or practices in or affecting commerce. In healthcare, this reaches digital health apps, telehealth platforms, medical device makers, data brokers, pharmacies, and pharmacy benefit managers that market to consumers.

Deception covers misleading statements or omissions about privacy, security, pricing, or health benefits. Unfairness addresses practices that cause substantial consumer injury that consumers cannot reasonably avoid and that is not outweighed by countervailing benefits, such as covert sharing of sensitive data.

Where HIPAA ends and the FTC begins

Many consumer-facing health services fall outside HIPAA yet still collect sensitive data. The FTC fills that gap through consumer protection enforcement, ensuring accurate disclosures and sound security even when HIPAA does not apply.

The agency also enforces healthcare competition law through merger review and conduct cases, scrutinizing market power, exclusive dealing, and restraints that can raise prices or reduce innovation.

Who is in scope

Most for-profit entities are within the FTC’s jurisdiction. Nonprofits may fall outside, but affiliated for-profit subsidiaries, joint ventures, and vendors serving nonprofits often remain covered. Dual oversight with state AGs and sector regulators is common.

Defining Health Information

Beyond HIPAA’s PHI

For FTC purposes, “health information” is interpreted broadly. It includes data that directly reveals a condition or treatment and data from which health status can reasonably be inferred—symptom logs, cycle tracking, mental health assessments, prescription refills, and wearable biometrics.

It also reaches associated identifiers and inferences: precise location data near clinics, ad segments tied to conditions, device IDs linked to wellness profiles, and cross-site tracking that maps user journeys through health pages.

Sensitivity and context

Context matters. A search for insulin copay cards, visits to oncology pages, or joining a fertility support group can all constitute sensitive health information. Claims of “de-identified” status require technical and organizational safeguards that prevent re-identification.

Consumer Privacy Obligations

Core duties under Section 5

  • Truthful, not misleading privacy notices—no vague promises or hidden exceptions.
  • Purpose limitation and data minimization—collect only what you need, keep it only as long as needed.
  • Heightened protection for sensitive data—opt-in consent for uses beyond providing the requested service.
  • Security by design—risk assessments, encryption in transit and at rest, access controls, and continuous monitoring.
  • Vendor governance—contracts that restrict use, require security, and prohibit secondary monetization without consent.
  • Design integrity—avoid dark patterns; present clear choices and easy-to-use deletion and export tools.
  • Substantiation—health benefit claims must be backed by competent and reliable scientific evidence.

Operationalizing healthcare data privacy compliance

Map data flows across web, mobile SDKs, pixels, and APIs. Disable tracking technologies on sensitive pages unless you have explicit, informed consent consistent with your disclosures.

Stand up a cross-functional review for new analytics or advertising use cases. Validate that consent travels downstream to vendors and that revocations propagate quickly.
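The two steps above (gating trackers on sensitive pages behind explicit consent, and pushing revocations to downstream vendors) can be enforced in code rather than left to policy. The following is an added example, not code from this article or from Accountable: a small consent gate that runs before any pixel or SDK is loaded. The sensitive-path list, tag descriptors, vendor list, and the consent record shape (per-purpose `granted`/`explicit` flags) are constructed assumptions; a real deployment would take them from its own tag manager and consent platform.

```javascript
// Added example (not from the article or from Accountable): a consent gate for
// third-party tags, applied before any pixel or SDK is loaded on a page.
// The path list, tag descriptors, vendor list, and consent record shape are
// constructed for illustration.

// Pages whose visits alone reveal health status (constructed list).
const SENSITIVE_PATH_PREFIXES = ["/portal/", "/conditions/", "/refill/", "/support-groups/"];

function isSensitivePage(path) {
  return SENSITIVE_PATH_PREFIXES.some((prefix) => path.startsWith(prefix));
}

// Assumed consent record shape:
//   { purposes: { advertising: { granted: true, explicit: true }, ... } }
// "explicit" means the user affirmatively opted in. A pre-checked default counts
// as granted but not explicit, and must not unlock tracking on sensitive pages.
function consentFor(consent, purpose) {
  const none = { granted: false, explicit: false };
  if (!consent || !consent.purposes) return none;
  const entry = consent.purposes[purpose];
  return entry ? { granted: !!entry.granted, explicit: !!entry.explicit } : none;
}

// Decide whether one tag may load. Tags with purpose "service" are needed to deliver
// what the user asked for and load everywhere; every other purpose needs consent,
// and on a sensitive page that consent must be an explicit opt-in.
function decideTag(path, tag, consent) {
  if (tag.purpose === "service") {
    return { load: true, reason: "required to provide the requested service" };
  }
  const c = consentFor(consent, tag.purpose);
  if (!c.granted) {
    return { load: false, reason: `no consent for ${tag.purpose}` };
  }
  if (isSensitivePage(path) && !c.explicit) {
    return { load: false, reason: `sensitive page requires explicit opt-in for ${tag.purpose}` };
  }
  return { load: true, reason: "consent on file" };
}

// Apply the gate to a page's full tag list. Returns the tags allowed to load plus
// an audit trail of every decision for the compliance log.
function filterTags(path, tags, consent) {
  const decisions = tags.map((tag) => ({ tag: tag.name, ...decideTag(path, tag, consent) }));
  return { allowed: decisions.filter((d) => d.load).map((d) => d.tag), decisions };
}

// A revocation must reach every downstream vendor that received data under the
// revoked purpose. Returns the updated consent record and one notice per vendor.
function revokeConsent(consent, purpose, vendors, revokedAt) {
  const purposes = { ...consent.purposes, [purpose]: { granted: false, explicit: false } };
  const updated = { ...consent, purposes };
  const notices = vendors
    .filter((v) => v.purpose === purpose)
    .map((v) => ({ vendor: v.name, purpose, action: "stop-processing-and-delete", issuedAt: revokedAt }));
  return { consent: updated, notices };
}

// Constructed walkthrough data.
const TAGS = [
  { name: "session-auth", purpose: "service" },
  { name: "ad-pixel", purpose: "advertising" },
  { name: "product-analytics", purpose: "analytics" },
];
const VENDORS = [
  { name: "AdNetworkCo", purpose: "advertising" },
  { name: "AnalyticsCo", purpose: "analytics" },
];
// Pre-checked default consent versus a real opt-in.
const defaultConsent = { purposes: { advertising: { granted: true, explicit: false } } };
const optedIn = { purposes: { advertising: { granted: true, explicit: true } } };

console.log(filterTags("/conditions/diabetes", TAGS, defaultConsent).allowed); // ["session-auth"]
console.log(filterTags("/conditions/diabetes", TAGS, optedIn).allowed);        // ["session-auth","ad-pixel"]
console.log(revokeConsent(optedIn, "advertising", VENDORS, "2026-01-26T00:00:00Z").notices);
```

The gate treats the page classification as the deciding input: the same advertising pixel that loads on a marketing page under default consent is refused on a condition page until an explicit opt-in is on file, and the `decisions` array gives the record you would produce in an investigation to show why each tag did or did not fire.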

Health Breach Notification Rule

Who is covered

The Health Breach Notification Rule applies to vendors of personal health records (PHRs), PHR-related entities, and their service providers—often including health and wellness apps that are not HIPAA-covered entities.

When a breach occurs

A reportable “breach” includes unauthorized acquisition of unsecured PHR identifiable health information. Disclosing sensitive health data to analytics or advertising partners without appropriate authorization can trigger notification obligations.

What notification requires

  • Notify affected consumers without unreasonable delay, with clear details on what happened, what information was involved, and steps they can take.
  • Notify the FTC via its designated process; larger incidents may require faster regulatory notice and, in some cases, media notice.
  • Service providers must promptly inform the PHR vendor of any breach they discover.
  • Maintain incident logs and records to demonstrate compliance and support investigations.

Practical compliance playbook

  • Identify whether you are a PHR vendor or related entity and document the basis.
  • Implement breach detection and escalation procedures tied to clear timelines.
  • Pre-draft consumer-friendly templates that avoid technical jargon and minimize confusion.
  • Test your process with tabletop exercises at least annually.

FTC's Healthcare Task Force

How the FTC organizes healthcare oversight

The FTC coordinates healthcare work across the Bureau of Consumer Protection, the Bureau of Competition, and technologists. This cross-bureau approach is often described as a healthcare task force, aligning privacy, advertising, and competition investigations.

Priority areas

  • Digital health data flows—tracking technologies, SDKs, and data brokers handling sensitive information.
  • Transparency in pricing and benefits—insulin pricing transparency and the role of pharmacy benefit managers in prescription drug costs.
  • Telehealth and remote monitoring—security, marketing claims, and subscription practices.
  • Interoperability and portability—claims about access, switching, and data lock-in.

What this means for you

Expect parallel scrutiny: privacy practices and competition conduct may be reviewed together. Align legal, compliance, and product teams to produce consistent disclosures, claims substantiation, and antitrust-safe contracting.

Recent Enforcement Actions

Common themes

  • Improper sharing of health data with adtech or analytics, despite promises of anonymity.
  • Misrepresentations about HIPAA compliance or “HIPAA-compliant” technologies without substantiation.
  • Inadequate security leading to exposure of sensitive records.
  • Dark patterns that hinder cancellation or obscure material fees in telehealth subscriptions.
  • Competition cases challenging deals or conduct that may raise prices or reduce access.

Remedies and orders you should expect

  • Data deletion, bans on using sensitive data for advertising, and algorithmic disgorgement of models trained on unlawfully obtained data.
  • Comprehensive privacy and security programs with independent assessments and board-level reporting.
  • Monetary relief where authorized, along with consumer notice and redress programs.
  • Structural and conduct remedies in mergers or conduct matters affecting healthcare markets.

Areas of heightened scrutiny

  • Pixels and SDKs on patient portals and disease-specific pages—expect a strict view of consent and necessity.
  • Reproductive, mental health, and addiction data—heightened sensitivity and low tolerance for secondary uses.
  • Claims of de-identification—greater scrutiny of re-identification risk and data linkage.
  • Location and mobility data around clinics—geofencing and sensitive-site targeting are high risk.
  • AI in health contexts—explainability, training data provenance, and bias controls are becoming baseline expectations.

Competition and drug pricing focus

Healthcare competition law enforcement is intensifying around vertical integration, exclusive dealing, and data-driven entrenchment. Pharmacy benefit managers and insulin pricing transparency remain recurring priorities as regulators examine rebates, formulary design, and network effects.

Programmatic takeaways

  • Move from notice-and-choice to purpose-built safeguards: minimize, silo, and audit sensitive data.
  • Build substantiation files for every claim touching health outcomes, savings, or clinical equivalence.
  • Stand up antitrust compliance for contracting, rebates, and information exchanges.

Conclusion

The FTC Act in healthcare demands rigorous truthfulness, respectful data practices, and competitive conduct. By minimizing sensitive data, securing it end to end, obtaining meaningful consent, and vetting deals and claims with evidence, you reduce enforcement risk while building consumer trust.

FAQs

What entities are subject to the FTC Act in healthcare?

Most for-profit healthcare participants are covered, including digital health developers, telehealth providers, medical device and wellness manufacturers, pharmacies, pharmacy benefit managers, labs, data brokers, and advertisers. Nonprofits may be outside direct jurisdiction, but affiliated for-profit vendors and joint ventures typically remain subject to the FTC Act.

How does the FTC define health information?

Broadly. It includes information that reveals or reasonably infers a person’s health status, treatment, or interest in care—symptom logs, cycle or glucose tracking, wearable metrics, precise clinic-related location, and ad segments tied to conditions. Identifiers and inferences linked to a person or device are covered.

What are the requirements of the Health Breach Notification Rule?

Vendors of personal health records, related entities, and their service providers must notify affected consumers, the FTC, and in some cases the media after discovering a breach of unsecured PHR identifiable health information. They must investigate quickly, document decisions, provide clear notices, and maintain incident records; service providers must alert the vendor without delay.

What recent enforcement actions has the FTC taken in healthcare?

Recent matters have targeted deceptive privacy promises, undisclosed sharing of sensitive health data with advertising or analytics platforms, inadequate security, and dark patterns in subscription healthcare. On the competition side, the agency has challenged transactions and conduct that may harm patients, with continued attention to pharmacy benefit managers and insulin pricing transparency.