FTC and HHS Caution Hospitals and Telehealth Providers on Tracking Tech

Rachel Alexander, Scott Bouboulis, Dorthula Powell-Woodson, Duane Pozza, Kathleen Scott
Wiley Rein LLP
Contact
LinkedIn
Facebook
X
Send
Embed

This month, the Federal Trade Commission (FTC) and the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights sent letters warning about privacy and security risks related to online tracking technologies used by hospitals and telehealth providers. These warnings continue the FTC’s increased focus on health data and could indicate further enforcement efforts in this area.

Specifically, on July 20, 2023, the FTC, in conjunction with HHS, sent letters to hospital systems and telehealth providers stating that there are privacy and security risks with online tracking technologies in websites or apps that may be disclosing consumers’ sensitive personal health data to third parties without permission. An accompanying FTC press release is available here.

The letters reiterate that entities covered by the Health Insurance Portability and Accountability Act (HIPAA) must comply with HIPAA privacy, security, and breach notification rules. The letters also explain that entities not covered by HIPAA still have obligations to protect against impermissible disclosures of personal health information under the FTC Act and the FTC Health Breach Notification Rule (HBNR). In particular, the agencies’ letters cite recent FTC enforcement actions against companies that have allegedly disclosed personal and health information to third parties without authorization. For example, the FTC alleged that GoodRX and BetterHelp engaged in such practices, claiming that the alleged actions violate both Section 5 of the FTC Act and the HBNR.

These actions stem from greater FTC scrutiny of health data. In a 2021 policy statement, the FTC stated that the HBNR requires “vendors of personal health records” – which include health apps and connected devices – to notify affected individuals when such entities experience a “breach of security” of covered health-related data. The policy statement explains that a “breach” means acquisition of that information without users’ authorization, and this includes both privacy and security “breaches.” In May 2023, the FTC released a Notice of Proposed Rulemaking that would build on the policy statement and this expanded breach definition.

The joint agency letters signal further potential FTC enforcement related to the unauthorized disclosure of consumer health data, even if not done for marketing purposes. Importantly, the FTC is underscoring that, even if a company is not covered by HIPAA – or it collects health-related data in ways that fall outside of HIPAA coverage – it still has health data privacy and security obligations, including when using a website or mobile app developed by a third party. Additionally, the agencies are working together to address these practices regardless of whether a particular practice falls under the authority of the FTC or HHS. Companies dealing with any kind of health data should ensure that they fully understand and appropriately address the potential disclosure of health information to third parties, including through analytics tracking technologies in their websites and apps.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Wiley Rein LLP | Attorney Advertising

Written by:

Wiley Rein LLP
Wiley Rein LLP
Contact
more
less

Wiley Rein LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide