Track at your peril: FTC and OCR issue joint letter warning about privacy and security risks from online tracking technologies

On July 20, 2023, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the Federal Trade Commission (FTC or Commission) jointly notified 130 hospital systems and telehealth providers that online tracking technologies may be operating on their websites or mobile apps and collecting health information in violation of the Health Insurance Portability and Accountability Act (HIPAA) or the FTC’s Health Breach Notification Rule (HBNR or Rule)[1] (Joint Letter). The Joint Letter “strongly encourages” recipients to review applicable legal requirements and “take actions to protect the privacy and security of individuals’ health information.”

Review of applicable guidance

The Joint Letter builds upon guidance on the disclosure of health and other sensitive information through online cookies and trackers from the FTC’s recent enforcement actions,[2] FTC policy statement in September 15, 2021,[3] guidance in January 2022,[4] and OCR’s December 2022[5] bulletin (2022 Bulletin) on the use of online tracking technologies by HIPAA covered entities and business associates (Regulated Entities). Driven by concerns about the disclosure of health and other sensitive information to marketing and analytics firms, and a desire to protect reproductive data in a post-Dobbs environment, OCR and the FTC are highly focused on the use of common advertising and analytics tracking technologies.

In recent guidance on complying with the HBNR, the FTC advised that the “statute…requires that a “personal health record” be an electronic record that can be drawn from multiple sources…[which occurs when] apps…[collect] a combination of consumer inputs and application programming interfaces (APIs). For example, an app is covered if it collects information directly from consumers and has the technical capacity to draw information through an API that enables syncing with a consumer’s fitness tracker. Similarly…if a blood sugar monitoring app draws health information only from one source (eg, a consumer’s inputted blood sugar levels), but also takes non-health information from another source (eg, dates from your phone’s calendar), it is covered under the Rule.”[6]

Moreover, the FTC considers a breach of the HBNR to have occurred when a consumer’s individually identifiable health information is impermissibly disclosed through online advertising and analytics trackers to social media platforms – not just when there is a cyber security incident. Each violation of the HBNR is subject to a civil penalty of up to $50,120 per violation.

As further background, the Joint Letter refers to the 2022 Bulletin where OCR articulated a broad view of Protected Health Information (PHI) that includes individually identifiable health information (IIHI) such as an individual’s home or email address, dates of appointments, IP address, geographic location and any unique identifying code on a Regulated Entity’s website or mobile app. OCR asserted that this IIHI “generally is PHI, even if the individual does not have an existing relationship with the [R]egulated [E]ntity and even if the IIHI, such as IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services. This is because, when a Regulated Entity collects the individual’s IIHI through its website or mobile app, the information connects the individual to the Regulated Entity (i.e., it is indicative that the individual has received or will receive health care services or benefits from the covered entity), and thus relates to the individual’s past, present, or future health or health care or payment for care.”

OCR further stated in its 2022 Bulletin that where the entities are assisting with the covered entity’s health care operations, HIPAA covered entities need to treat third-party tracking companies as HIPAA business associates and put in place Business Associate Agreements (BAAs) that limit the secondary use and disclosure of PHI (something that most popular tracking companies have refused to do). If instead the disclosures of PHI are for marketing purposes, the 2022 Bulletin provides that covered entities should secure HIPAA compliant authorizations. OCR clarified that "website banners that ask users to accept or reject a website’s use of tracking technologies, such as cookies, do not constitute a valid HIPAA authorization” and that it is not adequate under HIPAA simply for marketing and analytics firms to remove or de-identify PHI after collection.

Key takeaways

The Joint Letter, in combination with recent guidance, including new guidance[7] released on July 25^th as well as enforcement activity, illustrates the novel focus of federal agencies on the common use of online tracking technologies and sharing or disclosure of health or other sensitive information.

Healthcare companies engaging in digital advertising and analytics on their websites or mobile apps should consider taking the following actions:

• Take special note of these developments and stay up to date on FTC and OCR enforcement activity.
  
  
• Determine whether or not they are a Regulated Entity and/or whether their webpages and mobile apps are covered by HIPAA versus the HBNR.
  
  
• Assess whether or not the information shared with third parties could be considered health or other sensitive information.
  
  
• Evaluate how their advertising practices align or depart from applicable guidance and consider changes to such practices to reduce legal risk to their business.

For more information about these developments, contact your DLA Piper relationship partner, the authors of this alert, or any member of our Data Protection, Privacy and Cybersecurity or Healthcare teams.