Overview
On Thursday, July 20, 2023, the Federal Trade Commission and HHS Office for Civil Rights issued a rare joint press release announcing that approximately 130 hospital systems and telehealth providers received a letter alerting them to the agencies’ ongoing concerns about the risks of using tracking technologies on their websites or mobile apps. OCR and FTC reinforced that both agencies will continue to focus on the protection of health information. Here we summarize the announcement and recent FTC enforcement actions in this space and discuss the importance of taking immediate, practical steps to minimize compliance risks.
In Depth
On July 20, 2023, the Federal Trade Commission (FTC) and US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that they had alerted approximately 130 hospital systems and telehealth providers about the agencies’ ongoing concerns regarding risks stemming from tracking technologies on a website or mobile app (for example, the Meta pixel and Google Analytics). The announcement encourages all companies regulated by either agency to review their current data-tracking practices regardless of whether they received the joint letter from FTC and OCR. While neither agency can create binding law through such sub-regulatory guidance and policy positions, the letter indicates where the agencies stand, their enforcement priorities and how seriously they are taking these issues.
In their announcements, the FTC and OCR shared reminders that companies are responsible for monitoring and tracking the flow of health information on their websites and mobile applications, regardless of whether they rely on third parties for engineering, design assistance or both. OCR referred to similar concerns cited in its December 2022 bulletin, reminding entities covered by the Health Insurance Portability and Accountability Act (HIPAA) of the risks associated with disclosing personal health information (PHI) to tracking-technology vendors without HIPAA-compliant authorization or a business associate contract. FTC highlighted its recent enforcement actions against GoodRx, Premom and others as reminders that the agency may view an unauthorized disclosure as a violation of the FTC Act and a breach of security under the FTC’s Health Breach Notification Rule.
OCR and FTC reinforced that both agencies will continue to focus on protecting health information.
“Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital’s website,” said Melanie Fontes Rainer, OCR Director. “OCR continues to be concerned about impermissible disclosures of health information to third parties and will use all of its resources to address this issue.”
Practical Implications
In addition to the OCR and FTC enforcement actions, all entities that employ tracking or behavioral advertising technology on their websites should be aware of private class action lawsuits recently launched across the country. Those lawsuits generally allege that insufficiently disclosed tracking constitutes unlawful eavesdropping, entitling users to automatic statutory damages.
Regulated entities can take several immediate, practical steps to minimize compliance risks. Even entities with sophisticated internal security and privacy compliance resources may benefit from additional guidance on emerging best practices, analysis of present or historical practices, and key learnings from recent months since the agencies turned their attention to data tracking technologies. If you would like to learn more, please contact your regular McDermott lawyer or any member of the Firm’s integrated data-tracking response team:
Stephen Bernstein | Purnima Boominathan | David Gacioch | Jennifer Geetter | Elliot Golding | Daniel Gottlieb | Ryan Higgins | Amy Pimentel | Alya Sulaiman | Edward Zacharias