OCR and FTC Team Up Against Transfers of Health Information through Online Tracking Technologies
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) are teaming up to raise awareness of “serious privacy and security risks” associated with the disclosure of health information via online tracking technologies employed on websites and mobile applications, and of three agencies’ commitment to protecting consumers’ health privacy. According to a July 20, 2023 FTC Press Release and July 20, 2023 OCR Press Release, the agencies sent a joint letter to approximately 130 hospitals and telehealth providers in which they cautioned of privacy and security risks associated with online tracking technologies that disclose consumers’ health information to third parties. In a July 20, 2023 FTC Business Guidance Blog, the FTC advised, “We usually don’t recommend reading other people’s mail, but even if you weren’t one of the approximately 130 companies that received a recent joint letter from the FTC and OCR, anyone in the health arena–hospitals, other HIPAA-covered entities, telehealth providers, health app developers, etc.–should take the letter to heart and consider a privacy and security check-up at their business.”
This is not the first time OCR has warned entities about risks associated with online tracking technologies. In a bulletin published in late 2022, OCR issued guidance on HIPAA-compliant uses of online tracking technologies by covered entities and business associates.
This bulletin was published shortly before a $1.5 million settlement between the FTC and GoodRx Holdings Inc. (GoodRx) was announced in a February 1, 2023 FTC Press Release. In that enforcement action, the FTC alleged that GoodRx had failed to notify consumers and others of its “unauthorized disclosures” of personal health information to third-party advertising companies and platforms, including Facebook, Google, and Criteo, and other third parties, such as Branch and Twilio, via online tracking technologies. In addition to the $1.5 million civil money penalty and other penalties, GoodRx was permanently prohibited from sharing user health data with applicable third parties for advertising purposes; required to obtain affirmative express user consent before disclosing user health data to other third parties for any other purposes; and mandated to put in place a comprehensive privacy program. In the FTC’s press release, the Director of the FTC’s Bureau of Consumer Protection (Director) warned, “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”
Following the GoodRx settlement, FTC enforcement actions focusing on similar practices were brought against BetterHelp and Easy Healthcare Corporation. In the March 2, 2023 FTC Press Release concerning the BetterHelp enforcement action, the FTC expressed serious concern about BetterHelp’s alleged sharing of sensitive personal data with third parties, including Facebook, Snapchat, Criteo, and Pinterest, via tracking technologies used for targeted advertising, and its alleged misrepresentation of privacy practices. This action resulted in, among other penalties imposed (1) an order to pay $7.8 million to consumers whose health data was compromised; (2) a requirement for Betterhelp to obtain affirmative express consent before disclosing personal information to certain third parties for any purpose; and (3) an obligation to implement a comprehensive privacy program. This was the first action by the FTC that resulted in payment to consumers whose health data had been compromised. In this press release, the Director cautioned, “Let this proposed order be a stout reminder that the FTC will prioritize defending Americans’ sensitive data from illegal exploitation.”
In the Easy Healthcare Corporation enforcement action, the FTC alleged that Easy Healthcare Corporation’s Premom app shared sensitive health data with marketing firm AppsFlyer and Google via third-party tracking tools for purposes of advertising, and shared sensitive user data with third-party analytics providers in China without first obtaining the app users’ consent. The FTC also alleged that the Easy Healthcare Corporation failed to notify consumers of such unauthorized disclosures in violation of the Health Breach Notification Rule and violated direct privacy promises to users. That enforcement action resulted in, among other penalties, imposition of (1) a $100,000 civil money penalty; (2) a permanent prohibition on sharing personal health data with third parties for advertising purposes; and (3) a requirement to obtain user consent before sharing personal health data with third parties for other purposes. In the May 17, 2023 FTC Press Release concerning this enforcement action, the Director gave notice that the FTC “will vigorously enforce the Health Breach Notification Rule to defend consumer’s health data from exploitation. Companies collecting this information should be aware that the FTC will not tolerate health privacy abuses.”
Now, OCR and the FTC are teaming up to address privacy risks associated with online tracking technologies. The joint letter sent by OCR and the FTC highlights the agencies’ serious concerns about impermissible disclosures of personal health information through online tracking technologies, and their respective interests in investigating and addressing such impermissible disclosures.
Many organizations use online tracking technologies on their websites and apps. It is relatively simple for an organization (or regulatory agencies such as the OCR and FTC, or “testers” for plaintiffs’ counsel tasked with identifying potential class action litigation targets) to determine the presence of such online tracking technologies. Organizations collecting health information on their websites and/or apps should conduct an online tracking technologies audit to identify the presence of online tracking technologies and determine whether such technologies have been implemented in a compliant manner.
In their joint letter, OCR and the FTC emphasized the importance of monitoring data flows of health information to third parties via online tracking technologies. They alerted recipients that “[t]o the extent you are using the tracking technologies described in this letter on your website or app, we strongly encourage you to review the laws cited in this letter and take actions to protect the privacy and security of individuals’ health information.”
The language used in the FTC and OCR press releases was clearly intended to sound a warning bell. In the FTC press release, the Director of the FTC’s Bureau of Consumer Protection repeated his GoodRx warning, “The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue doing everything in our powers to protect consumers’ health information from potential misuse and exploitation.” And in the OCR press release, the OCR Director warned, “OCR continues to be concerned about impermissible disclosures of health information to third parties and will use all of its resources to address this issue.”
For more information on the use of tracking technologies and HIPAA compliance, check out our blog on the topic, available here.
Written by Laura Fey and Maddie Level, Associate Attorney