On July 20, 2023, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) sent a joint letter to approximately 130 hospital systems and telehealth providers to alert them to the “serious privacy and security risks” stemming from the use of online tracking technologies integrated into their websites and mobile apps.
The agencies cautioned that entities could be impermissibly disclosing consumers’ sensitive personal health data to third parties through the use of such technologies—in potential violation of the Health Insurance Portability and Accountability Act (HIPAA), the FTC Act and/or the FTC Health Breach Notification Rule. The letter specifically calls out use of the Meta Pixel and Google Analytics, two exceedingly common third-party web tracking technologies that offer targeted advertising and analytics services. Here are some key takeaways:
Continued Federal and State Focus on Consumer Health Privacy
The letter echoes recent OCR and FTC warnings that the use of tracking technologies by websites and mobile apps may violate privacy restrictions if the activity is not sufficiently disclosed and, in some cases, is subject to consent or other protections. The letter demonstrates that this activity has become a top enforcement priority of the OCR and FTC following earlier warnings and enforcement activity regarding web-based tracking.
The letter follows the OCR’s bulletin released late last year reminding entities covered by HIPAA of their responsibilities to protect against impermissible disclosures of personal health information, and warning that certain website data may be subject to HIPAA. Specifically, the OCR’s bulletin highlighted that certain tracking data collected from the websites of HIPAA-regulated entities is considered protected health information (PHI) and, as such, must be protected by the HIPAA Privacy and Security rules.
The letter also follows the FTC’s recent enforcement actions regarding alleged unauthorized disclosures of consumer health data by digital health companies. Through those actions, and in the recent letters, the FTC has warned that the unauthorized disclosure of such information may violate the FTC Act and could constitute a breach of security under the FTC’s Health Breach Notification Rule, which requires health apps and other devices that collect, use or share personal health information to notify customers of any breach or unauthorized use of data.
The letter also tracks with the agencies’ February announcements that each would be expanding operations to enforce laws and regulations related to technology, privacy and cybersecurity. For instance, the OCR’s Health Information Privacy Division (HIP) was rebranded as the Health Information Privacy, Data, and Cybersecurity Division (HIPDC) to better align with the OCR’s “work and role in cybersecurity.” Meanwhile, the FTC created a new Office of Technology to “strengthen the FTC’s ability to keep pace with technological challenges in the digital marketplace,” including to “strengthen and support law enforcement investigations and actions.”
Beyond the OCR and FTC, consumer health data continues to be a topic of serious interest at the federal and state levels in 2023. Lawmakers in Washington state recently passed the expansive My Health, My Data Act, which represents a high-water mark in protections for these data sets and will go into effect next year. Comprehensive privacy laws in California, Virginia, Colorado and Connecticut are now in effect, all of which require disclosures and other protections for health-related personal data. And more states have passed similar laws in recent months, including Delaware, Indiana, Iowa, Montana, Oregon, Tennessee and Texas.
This is not the first time the OCR and FTC have articulated concerns over the use of online tracking technologies in the health space as they relate to HIPAA-regulated PHI and FTC-regulated consumer health data, respectively. While the two regulated data sets do not overlap, the joint letter arguably signals that the two regulatory bodies have aligned their approach to these data sets.
Although HIPAA does not include a private right of action, plaintiffs’ attorneys are using a wide range of legal theories in litigation against health care providers, including hospital systems. These include violations of state and federal privacy and unfair business practices laws, such as Illinois’ Biometric Information Privacy Act, California’s Confidentiality of Medical Information Act (CMIA), California’s Invasion of Privacy Act (CIPA), and similar anti-wiretapping laws in states like Florida and Pennsylvania, and the Federal Wiretap Act. To date, these lawsuits have focused a significant amount of attention on the health care industry as a whole.
Entities across the health care industry must evaluate how they are collecting, using and sharing health data, taking care to consider the potential breadth of data that the OCR, FTC, and other federal and state regulators may deem health related. First, they should review what data is being collected via tracking technologies operating on their websites and mobile apps (including of both unauthenticated and authenticated users) and with whom that data is shared. Legal counsel should determine whether any such data could constitute PHI subject to HIPAA, and if PHI has been disclosed, determine appropriate steps to respond to such disclosure and mitigate future risks.
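The first review step above (inventory which tracking technologies load on which pages, and whether those pages serve authenticated users) can be partly automated. The following is an added example, not code from the original alert or from Manatt: it parses page HTML for the publicly documented loader snippets of the two trackers the letter names (Meta Pixel and Google Analytics) and rates each hit by whether the page is an authenticated one. The sample pages, URLs and pixel/measurement IDs are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Loader signatures for the two trackers named in the OCR/FTC letter: the script
# host each one loads from, and the inline bootstrap call its snippet contains.
TRACKERS = {
    "Meta Pixel": {"hosts": ("connect.facebook.net",),
                   "inline": re.compile(r"fbq\(\s*['\"]init['\"]")},
    "Google Analytics": {"hosts": ("www.googletagmanager.com", "www.google-analytics.com"),
                         "inline": re.compile(r"\bgtag\(\s*['\"]config['\"]|\bga\(\s*['\"]create['\"]")},
}

class _ScriptCollector(HTMLParser):
    """Collects external <script src> values and inline <script> bodies from one page."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def find_trackers(html):
    """Return the set of tracker names whose loader host or bootstrap call appears in the page."""
    p = _ScriptCollector()
    p.feed(html)
    found = set()
    for name, sig in TRACKERS.items():
        if any(h in src for src in p.srcs for h in sig["hosts"]) or \
           any(sig["inline"].search(js) for js in p.inline):
            found.add(name)
    return found

def audit(pages):
    """pages: {url: (html, authenticated)} -> [(url, tracker, severity)].
    A tracker on an authenticated (portal) page is the case HIPAA-regulated entities must treat as a likely PHI disclosure."""
    return [(url, t, "HIGH" if authenticated else "REVIEW")
            for url, (html, authenticated) in pages.items()
            for t in sorted(find_trackers(html))]

# Constructed sample pages (placeholder IDs); the portal page carries the Meta Pixel snippet.
SAMPLE_PAGES = {
    "https://hospital.example/": ('<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>'
                                  '<script>gtag("config", "G-PLACEHOLDER");</script>', False),
    "https://hospital.example/portal/appointments": ("<script>fbq('init', 'PLACEHOLDER_PIXEL_ID'); fbq('track', 'PageView');</script>", True),
    "https://hospital.example/visitor-hours": ("<p>Visiting hours 9-5</p>", False),
}
```

Running `audit(SAMPLE_PAGES)` flags Google Analytics on the public home page for review and the Meta Pixel on the authenticated appointments page as HIGH; a real review would feed it the rendered HTML of each page, including those behind login.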
As to PHI, entities covered by HIPAA have responsibilities to protect personal health information from unauthorized disclosure. And health apps and digital platforms that are not covered by HIPAA have obligations to protect against impermissible disclosures of personal health information under the FTC Act and the FTC Health Breach Notification Rule. Where such data does not constitute PHI, legal counsel should assess whether the data collected could constitute consumer health information under recent FTC guidance. If it does, it is critical to evaluate whether existing disclosures in privacy policies and at the point of collection are consistent with FTC guidance.
Finally, if you are in receipt of an OCR-FTC letter, you should immediately contact counsel with specific experience in these complex issues at the intersection of health care, privacy and data security. Manatt’s combined strength in its Privacy and Data Security and Health Care practices offers unique advantages to clients on these issues, including technical capabilities to evaluate website tracking environments. Manatt has deep privacy and security knowledge under health care and consumer-focused privacy laws, and has assisted clients with reviewing their data use and collection processes, including how data is collected and shared on their websites. We also assist clients with cross-walking those data collection and sharing activities against relevant federal and state privacy laws and identifying, if necessary, mitigation solutions to ensure compliance while helping clients achieve their business objectives.