What to Expect from New FTC Leadership on Digital Health Care

Digital health care companies have navigated a wave of new developments at the Federal Trade Commission (FTC) over the past few years. With new leadership in the Trump Administration, the FTC may be poised to change some of its approach to digital health issues, though many critical compliance issues involving privacy, security, and advertising are likely to remain unchanged. Below, we outline developments under the previous Administration and consider likely future developments in the coming years.

Understanding the FTC’s enforcement priorities is particularly important for digital health service providers, because the FTC can allege that many practices violate its Health Breach Notification Rule (HBNR), which authorizes civil penalties up to $53,000 per violation. Companies should review their compliance approaches to align actual data sharing practices with terms of service and privacy policies and obtain consumers’ consent before sharing their health data with third parties for advertising.

The Biden FTC expanded regulation and potential liability of digital health care apps, over Republican Commissioner dissents.

A key regulation on digital health apps is the HBNR, which the FTC originally enacted in 2009. The Rule was issued pursuant to a congressional directive in the American Recovery and Reinvestment Act, and it was designed to require certain companies to notify the FTC of breaches that exposed personal health records. The Rule lay dormant for more than a decade. But with rapid changes in the digital health care industry, the FTC previewed Rule enforcement in 2021 and followed through in 2023.

In September 2021, the FTC issued its HBNR Enforcement Policy Statement. That statement “clarified” the agency’s view that when health care apps disclose “sensitive health information without users’ authorization,” that constitutes a breach under the Rule, which requires disclosure to the FTC. The policy statement was approved in a 3-2 partisan vote, including dissenting views that “the policy statement significantly expands both the covered universe of entities and the circumstances under which the Commission will initiate enforcement.”

In 2023, the FTC brought its first two enforcement actions under the HBNR. The first action was a 4-0 bipartisan vote to enforce against a telehealth and prescription drug discount provider for allegedly sharing consumers’ personal health information with advertising partners without consumers’ authorization. The second action brought similar claims against a company offering an ovulation and menstrual cycle tracking app. In addition to claims under the HBNR, both actions also alleged deception in violation of the FTC Act. And both actions alleged that it is an unfair practice, in violation of the FTC Act, to share consumers’ health information for advertising purposes without consumers’ affirmative express consent.

Shortly after announcing the second action, the FTC issued a notice of proposed rulemaking to amend the HBNR. The amendments were finalized in 2024 and effectively codified the 2021 policy statement.

The final HBNR rule amendments in 2024 were approved by a partisan 3-2 vote, with a dissent from Republican Commissioner Melissa Holyoak, joined by Andrew Ferguson, who is now the FTC’s Chairman. The dissenters argued that the definitions of “covered health care provider” and “health care services and supplies” were “capacious,” and noted that even “health-adjacent” apps are likely covered under the Rule. Although the Rule contained a limiting principle providing that apps are covered only if they are “more than tangentially relat[ed] to health,” the dissenters argued that the limiting principle was improperly added after the public comment period closed, and therefore violated FTC rulemaking requirements.

The Trump Administration FTC is likely to continue to focus on health-related claims and data.

Notwithstanding the partisan fight over recent Rule amendments, there has been bipartisan support for taking enforcement actions when sensitive data – including personal health data – is involved. As noted above, Republican Commissioners have endorsed an HBNR enforcement action under the original Rule. Thus, enforcement scrutiny around health data is likely to continue.

Notably, given Chairman Ferguson’s dissenting vote from the recent Rule amendments, HBNR enforcement appears more likely where the conduct would have implicated the HBNR even before the amendments. As one example, the current FTC may be more likely to look at apps that receive personal health information from sources other than the consumer. Commissioner Holyoak and then-Commissioner Ferguson have taken the position that FTC’s initial HBNR enforcement action was lawful, in a case where the company received identifiable personal health information (about prescription medications) from pharmacy benefit managers and pharmacies, rather than just from consumers themselves. This would align with former Commissioner Christine Wilson’s argument that the HBNR should mirror an analogous rule from the U.S. Department of Health and Human Services that “applies to patient information maintained by doctors’ offices, hospitals, and insurance companies, but not to wearables, apps, or websites like WebMD.”

Additionally, given Chairman Ferguson’s statements that enforcement against deceptive and fraudulent practices is a priority for his administration, the FTC is particularly likely to scrutinize statements by health providers, including those related to both data practices and substantiation of any health-related claims. For example, if a health care app that helps consumers track blood glucose levels also advertises or makes claims about diabetes remedies, the FTC may scrutinize whether that claim was substantiated.

Finally, in addition to bringing HBNR claims, the FTC can bring claims for deception or unfairness under the FTC Act, as it did in both of its HBNR cases. In a third case, against an online counseling service, the FTC brought only unfairness and deception claims, without an HBNR claim. The FTC alleged that the company shared consumers’ sensitive mental health information for advertising, without consumers’ consent and in violation of its own terms of service. Even without a rule violation to trigger civil penalty liability, the FTC obtained a $7.8 million judgment to return money to affected consumers.

***

Wiley’s Privacy, Cyber & Data Governance and Digital Health teams assist clients with a full spectrum of privacy, cybersecurity, and data governance issues, including in the area of health applications. Please reach out to any of the authors with questions.
