The Federal Trade Commission (FTC) and the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) recently published a warning letter that they jointly sent to more than 130 hospital systems and telehealth providers during the summer of 2023. The letter warned recipients about the privacy and security risks related to the use of "online tracking technologies" that may be integrated into websites or mobile apps and may be "impermissibly disclosing consumers' sensitive personal health information to third parties." According to the letter, the use of "tracking technologies" may facilitate unauthorized disclosures of "sensitive" health information, including protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) and other kinds of health data regulated by other federal laws that the FTC enforces. The letter cautioned in particular that companies' use of online tracking technologies may violate the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, as well as the FTC Act and FTC Health Breach Notification Rule.
This joint effort by OCR and the FTC follows a December 2022 bulletin that OCR published on the use of online tracking technologies in the context of HIPAA. That guidance explicitly stated that "[r]egulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules." Additionally, recent FTC enforcement actions involving health-related information, such as the actions against GoodRx and BetterHelp, demonstrate that the agency has started to use its authority under Section 5 of the FTC Act and the Health Breach Notification Rule to closely scrutinize companies' consumer privacy notices and practices regarding health-related information, particularly when such information is used or disclosed for advertising purposes.
While the OCR/FTC joint letter was aimed mainly at healthcare providers such as hospital systems and telehealth providers, entities that offer online tracking technologies such as pixels or cookies, or that facilitate digital advertising, could feel the effects of this increased scrutiny of healthcare providers. For example, companies that provide adtech functionality or other advertising services may encounter new diligence requests from existing and potential customers about their health data practices. Advertising vendors could also see more clients demanding that they sign Business Associate Agreements and otherwise comply with HIPAA requirements for Business Associates. The OCR/FTC joint letter "strongly encouraged" recipients to review the laws cited in the letter and "take actions to protect the privacy and security of individuals' health information."
About Venable. Venable's Privacy and Data Security Group offers a suite of privacy and data-strategy services that empower organizations to understand, manage, and operationalize their privacy requirements, including assisting clients in completing HIPAA assessments, supporting clients with state privacy law assessments related to health data, and providing general "health checks" on companies' privacy and security practices to facilitate legal compliance.