Covered entities, business associates, and any entities that collect health information about consumers online should carefully review the latest joint letter from the Office for Civil Rights (OCR) and the Federal Trade Commission (FTC). On July 20, 2023, the agencies sent a joint letter to approximately 130 hospital systems and telehealth providers warning them about “serious privacy and security risks related to the use of online tracking technologies” such as Google Analytics and Meta/Facebook Pixel. That letter was subsequently shared publicly and should be reviewed by any entity subject to regulation by either agency.
In the letter, OCR warns that, if covered entities or business associates have such tracking technologies on their websites or mobile apps, they could be impermissibly disclosing consumers’ protected health information (PHI) to third parties. The letter follows OCR’s December 2022 bulletin, which significantly expanded its interpretation of the definition of PHI to include, in some instances, identifiable information gathered by tracking technologies where a user visits a website and does not interact with the entity in any other way (see our prior coverage of the OCR bulletin here).
FTC Act and FTC Health Breach Notification Rule
Further, the letter emphasizes the role of the FTC in ensuring privacy protection for consumers’ personal health data. Historically, there has been limited enforcement related to how entities that are not covered by HIPAA use personal health data and share it with third parties. The last several months have upended that enforcement environment. The letter stresses the importance of monitoring data flows of health information to third parties through tracking technologies and highlights the FTC’s recent enforcement actions against Easy Healthcare (Premom), BetterHelp, GoodRx, and Flo Health for violations of the FTC Act and, in some cases, the FTC’s Health Breach Notification Rule (HBNR). Such enforcement actions have resulted in civil penalties of up to $7.8 million as well as the imposition of significant requirements and prohibitions for each of the companies (see our prior coverage of the GoodRx settlement here). We expect the FTC to continue to bring enforcement actions and follow through on its September 2021 Policy Statement (as we discussed in detail here). The FTC is also in the process of updating the HBNR. Comments on the proposed rule (available here) are due on August 8, 2023.
Considering the recent enforcement trends and the growing number of states enacting consumer privacy legislation, any entity that handles patient or consumer health information and has not yet reviewed its use of tracking technologies would be well advised to do so. In particular, companies collecting health information or collecting personal information in connection with providing a health-related product or service should consider the following steps:
- perform data mapping to understand the data collected from consumers, including what identifiable information can be inferred by the data collected using tracking technologies;
- determine whether HIPAA, the FTC HBNR, or similar state laws apply to the organization and, if necessary, update privacy, security, and incident/breach response policies and procedures;
- ensure public-facing statements regarding data privacy and security practices are accurate;
- review agreements with third parties to ensure data sharing provisions align with applicable law, information privacy and security policies and procedures, and public representations; and
- consider whether prior use and disclosure of health information resulted in a reportable breach under HIPAA, the FTC HBNR, or applicable state laws.