FTC

Nov 19, 2023

We usually don’t recommend reading other people’s mail, but even if you weren’t one of the approximately 130 companies that received a recent joint letter from the FTC and HHS’ Office for Civil Rights (OCR), anyone in the health arena – hospitals, other HIPAA-covered entities, telehealth providers, health app developers, etc. – should take the letter to heart and consider a privacy and security check-up at their business.

The joint letter alerts recipients to the risks that tracking technologies – including Meta/Facebook pixel and Google Analytics – pose to the privacy and security of consumers’ personal health information. As users interact with websites or mobile apps, technologies are often tracking their online activities and gathering personal data about them. Much of this happens behind the scenes with consumers utterly unaware they’re being tracked and unable to avoid what’s happening.

The nature of the data these technologies are gathering without consumers’ consent – for example, health conditions, diagnoses, medications, and visits to healthcare providers – is uniquely confidential. And impermissible disclosure can lead to identity theft, financial loss, discrimination, stigma, mental anguish, and other injurious consequences.

You’ll want to read the letter for OCR’s perspectives on tracking and personal health information, but here’s a sentence worth highlighting: “HIPAA regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to third parties or any other violations of the HIPAA Rules.” The letter also cites a December 2022 OCR bulletin with an overview about how HIPAA applies to the use of online tracking technologies.

But even if a company isn’t covered by HIPAA, the letter is a reminder that it still has obligations under the FTC Act and the FTC’s Health Breach Notification Rule to protect against the impermissible disclosures of personal health information. Citing recent FTC law enforcement actions against Easy Healthcare, BetterHelp, GoodRx, and Flo Health, the letter establishes that it's “essential to monitor data flows of health information to third parties via technologies you have integrated into your website or app.” What if you had someone else design your site or app? The compliance buck still stops with you. Furthermore, your company is legally responsible even if you don’t use the data obtained through tracking technologies for marketing purposes.

In addition to underscoring that both agencies are watching developments in this area, the letter ends with this admonition: “To the extent you are using the tracking technologies described in this letter on your website or app, we strongly encourage you to review the laws cited in this letter and take actions to protect the privacy and security of individuals’ health information.”

That’s sound advice for companies that received the joint letter – and for other businesses, too.

Check out more health privacy resources from the FTC.