If you are involved with any health information, even if you are not covered by HIPAA, you should be aware of the government’s recent position that there may be serious privacy and security risks in the use of online tracking technologies present on a website or mobile app that collects consumers’ sensitive personal health information. Last week, the Federal Trade Commission (“FTC”) and the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) issued a joint letter (“Joint Letter”) (https://www.ftc.gov/system/files/ftc_gov/pdf/FTC-OCR-Letter-Third-Party-Trackers-07-20-2023.pdf) to approximately 130 hospitals and telehealth providers, warning that online tracking technologies integrated into their websites and/or mobile apps may be improperly disclosing personal health data to third parties.

Technologies such as Google Analytics and Meta/Facebook Pixel can track a user’s online activities and, unbeknownst to the user, may gather personally identifiable information. If you are a covered entity or business associate (a “regulated entity”) under HIPAA, you must comply with the HIPAA Privacy, Security, and Breach Notification Rules with regard to protected health information (“PHI”) that is transmitted or maintained in electronic or any other form or medium. Under HIPAA, impermissible uses/disclosures are presumed to be a reportable breach unless it can be demonstrated that there is a low probability of compromise when considered under the four factors set forth at 45 C.F.R. 164.402.

Impermissibly disclosed information may range from a consumer’s browsing history on a regulated entity’s webpage, which may not be a reportable breach if a determination is made that there is a low probability that the consumer’s PHI was compromised, to something more sensitive such as the disclosure of a patient’s health conditions, diagnoses, medications, medical treatments, frequency of visits to health care professionals, and where an individual seeks medical treatment. Such disclosures can result in financial loss, stigma, discrimination, mental anguish, or identity theft, among many other potential repercussions. It should be noted that in December 2022, OCR issued a bulletin which, among other things, cautioned that regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors. The Joint Letter serves as a reinforcement of the warnings made last year. The American Hospital Association (“AHA”) submitted comments to OCR recently asking that they reconsider the position taken in the December 1, 2022 Bulletin. Specifically, the AHA believes that the guidance is too broad and will result in significant adverse consequences for hospitals, patients and the public at large, and that by treating an IP address as PHI under HIPAA, public access to credible health information will be reduced.

The government letter warned that even if an entity is not covered by HIPAA, it still has an obligation to protect against impermissible disclosures of personal health information under the FTC Act. This is true even if a third party developed the website or mobile app and even if the information obtained through use of a tracking technology is not used for any marketing purposes. The FTC and OCR strongly urged monitoring of data flows to third parties via technologies integrated into websites, and warned that disclosure of such information without a consumer’s authorization can, in some circumstances, violate the FTC Act as well as constitute a breach of security under the FTC’s Health Breach Notification Rule.

You can see Fox Rothschild attorneys’ related posts here:

Odia Kagan’s Post on Third-Party Trackers’ Risks (July 2022): Beware of Third-Party Trackers Like Meta Pixel. Ignoring Them Could Be Costly. | HIPAA & Health Information Technology (foxrothschild.com)

Elizabeth Litten’s Post on OCR’s December 2022 Bulletin (December 2022): OCR Warns Providers About Patient Data Trackers | HIPAA & Health Information Technology (foxrothschild.com)

Elizabeth Litten’s Post on the FTC’s Complaint Alleging that BetterHelp Engaged in Unfair and Unreasonable Privacy Practices (March 2023): Better Keep Health Data Private, FTC Signals to On-Line Health Care Providers | HIPAA & Health Information Technology (foxrothschild.com)