On July 20, 2023, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) and the Federal Trade Commission (“FTC”) sent warning letters to approximately 130 hospital systems and telehealth providers. The letters were intended to warn those entities of the privacy and security risks of online tracking technologies integrated into their websites and mobile applications. The agencies noted that the entities may be impermissibly disclosing consumers’ sensitive personal health information to third parties such as Meta/Facebook pixel and Google Analytics through the use of such online tracking technologies in potential violation of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended (collectively, “HIPAA”), the FTC Act, and/or the FTC Health Breach Notification Rule (“HBNR”).
The warning letters come on the heels of ongoing scrutiny following the release of the December 2022 OCR bulletin entitled, “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates,” that set forth guidance for HIPAA covered entities and their business associates (“regulated entities”) that utilize online tracking technologies on their patient-facing platforms. In the guidance, which was covered in our Alert, OCR takes the position that certain information provided by individuals when using a regulated entity’s website or mobile application—including not only an individual’s medical record number, home or email address, or appointment dates but also IP address, geographic location, or any other unique identifying code—is considered protected health information (“PHI”) under HIPAA and therefore required to be protected under the HIPAA Privacy, Security, and Breach Notification Rules. OCR further warned regulated entities that online tracking technologies should not be used in any manner that would result in the impermissible disclosure of PHI to third parties or any other violations of HIPAA.
The warning letters also follow recent FTC enforcement actions against GoodRx, BetterHelp, and Premom as well as recent guidance issued by the FTC’s Office of Technology entitled, “Lurking Beneath the Surface: Hidden Impacts of Pixel Tracking.” The enforcement actions against GoodRx (which we covered in this Alert), BetterHelp, and Premom (which we also covered in this Alert), along with the proposed changes to the HBNR, were in connection with the unauthorized disclosure of personal health information to tracking technology vendors. The FTC emphasizes in the warning letters that companies not otherwise subject to HIPAA must still carefully monitor and track the flow of health information to third parties that use tracking technologies integrated into their websites and mobile applications to protect against the unauthorized disclosure of such personal health information. Absent appropriate notice and consent, such disclosures could violate the FTC Act, and also constitute a breach of security under the HBNR.
The warning letters highlight that the use of online tracking technologies by health care entities continues to raise significant risks and remains an enforcement priority for OCR and the FTC. Emphasizing OCR and the FTC’s commitment to “ensuring that consumers’ health privacy remains protected,” the warning letters “strongly encourage” entities using online tracking technologies to “review the laws cited in the letter and take actions to protect the privacy and security of individuals’ health information.”
In light of the foregoing, we strongly recommend that health care entities take the following steps:
- Evaluate whether your organization has tracking technologies deployed on its websites or mobile applications that access PHI or consumer health information; this may require engaging technical experts.
- Analyze whether the disclosure of information to tracking technology vendors complies with HIPAA, the FTC Act, and HBNR guidance.
- Develop a pathway to ensure that, moving forward, any tracking technologies are implemented in a compliant manner (e.g., under a business associate agreement or by requesting consumer authorization).
If you have any questions concerning this Alert, please do not hesitate to contact one of the authors or your regular Ropes & Gray advisor.