Healthcare companies track visitors to websites and mobile apps with third-party technologies like cookies and pixels, but that widespread practice now comes with steadily growing risk.
The Federal Trade Commission is zeroing in on how companies use tracking technologies to collect and share consumer health information, as a recent enforcement action makes clear. The Department of Health and Human Services’ Office for Civil Rights (OCR) recently warned organizations subject to HIPAA about third-party tracking technology. And a new wave of consumer class action litigation has taken aim at healthcare companies using tracking technologies, including for alleged violations of wiretapping laws.
What to Do: 8 Steps Healthcare Companies Can Take to Reduce Risk
Healthcare companies that touch consumer health data should consider the following steps to reduce risk and increase compliance:
- Review Websites and Apps to Identify Trackers, and Consider Carefully if Any Web Pages or Apps Collect Potentially Sensitive Information. Take an inventory of tracking technologies on your websites and apps and identify data that third-party tracking technology vendors collect. Determine whether third-party trackers on a website or app collect, use, and disclose individually identifiable health information (or other sensitive information). You may want to consider undertaking this assessment under legal privilege and with the help of a technical consultant.
- Know What Law Applies. Determine if your company is governed by the FTC and/or subject to HIPAA. In addition to general FTC/OCR oversight, a healthcare company may also be subject to specific FTC and/or HIPAA breach reporting obligations.
- Analyze Whether Impermissible Disclosures Are Taking Place. Direct-to-consumer healthcare companies should review their privacy notices to ensure they properly disclose the company’s data processing practices in connection with online tracking technologies and health information—but mere consumer notice may no longer be sufficient (see more below). HIPAA-governed entities should determine whether a business associate agreement is in place with the third-party tracking technology vendors, or whether a HIPAA-compliant authorization has been obtained from consumers (a cookie banner is not sufficient). It is also not enough for a third party to deidentify information once it has been disclosed—the mere fact that identifiable health information was collected may constitute an impermissible disclosure.
- Determine Whether You Have Notice Obligations. If impermissible disclosures have taken place under the FTC’s health breach notification rule or HIPAA, you may have an obligation to notify consumers, regulators, and the media.
- Decide if You Should Restructure Part of Your Website and Services Agreement. Evaluate the structure of your website and your services agreement to determine whether an overhaul could better ensure compliance. This is especially important for entities that are subject to both the FTC and HIPAA’s breach notification rules.
- Review Notice and Consent Obligations. Consider if you need to update your privacy notice, obtain affirmative express consent from consumers for the sharing of health data, and update your user flow. The privacy notice and request for affirmative express consent should be presented prior to collecting the user’s personal health information.
- Review Your Public Representations. Healthcare companies also should consider removing representations about HIPAA compliance or data practices if they could be considered deceptive or could give consumers false assurances that cause them not to read your privacy notice. Ensure that your privacy notice and marketing materials accurately represent disclosure practices and how your company shares health data with vendors.
- Develop Guidance for Marketing. Work with counsel to develop guidelines for your marketing department to follow when deciding whether to place tracking technologies on company websites or apps. Perform periodic assessments on the use of ad trackers.
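As an added illustration of the inventory in step 1 and the identifier review in step 3 (example code written for this alert, not an Orrick or regulator tool), the script below parses a page, lists every script, pixel and iframe loaded from a host other than the site’s own, and flags loads whose URLs carry an email address, advertising ID or similar identifier. The first-party domain, the parameter names treated as identifiers, and the sample page are constructed assumptions.

```python
"""Inventory third-party loads in a page and flag identifier-bearing requests."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

FIRST_PARTY = "clinic.example"  # assumption: the site's own domain
# Assumption: query parameter names commonly used to carry identifiers
IDENTIFIER_PARAMS = {"email", "em", "uid", "user_id", "advertising_id", "idfa", "gaid"}
EMAIL_RE = re.compile(r"[^@\s/?&=]+@[^@\s/?&=]+\.[a-z]{2,}", re.I)


class TrackerInventory(HTMLParser):
    """Record script/img/iframe sources served from hosts other than ours."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "img", "iframe"):
            return
        src = dict(attrs).get("src")
        if not src:
            return
        u = urlparse(src)
        # Relative URLs and our own hosts are first-party; skip them.
        if not u.netloc or u.netloc == FIRST_PARTY or u.netloc.endswith("." + FIRST_PARTY):
            return
        params = parse_qs(u.query)  # percent-decodes values, e.g. %40 -> @
        leaked = sorted(k for k, vals in params.items()
                        if k.lower() in IDENTIFIER_PARAMS
                        or any(EMAIL_RE.search(v) for v in vals))
        self.findings.append({"tag": tag, "host": u.netloc,
                              "params": sorted(params), "identifiers": leaked})


def inventory(html):
    """Return one finding per third-party load, in document order."""
    p = TrackerInventory()
    p.feed(html)
    return p.findings


# Constructed sample page: one first-party script, one analytics tag,
# one advertising pixel carrying an email and device ID, one chat widget.
SAMPLE_PAGE = """<html><head>
<script src="https://clinic.example/js/app.js"></script>
<script src="https://analytics.example.net/tag.js?id=TEST-ID"></script>
</head><body><h1>Book a therapy intake</h1>
<img src="https://pixel.ads.example.com/tr?ev=IntakeSubmitted&amp;em=pat%40mail.example&amp;idfa=ABC-123" width="1" height="1">
<iframe src="https://chat.vendor.example/widget?site=clinic"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in inventory(SAMPLE_PAGE):
        print(f)
```

Static parsing only sees tags present in the HTML; beacons fired by scripts at runtime need a browser-side network capture, and the event name (here `ev=IntakeSubmitted`) is the contextual data that turns an identifier into health information.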
Details on the Recent FTC Enforcement Action on Use of Trackers
The FTC can pursue legal action against healthcare companies under Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices. Additionally, under its Health Breach Notification Rule, a company that is neither a covered entity nor acting as a business associate may face civil monetary penalties if it does not timely report a security incident or impermissible disclosure.
The FTC’s recently announced enforcement action against BetterHelp, an online counseling service, provides some important lessons related to the unauthorized disclosure of health information. The FTC alleged that BetterHelp sent consumer health information to social media companies for advertising despite promising consumers it would not use or disclose personal health information except for limited purposes. The complaint:
- Faulted BetterHelp for not obtaining affirmative express consent from consumers to collect, use, and disclose health information for advertising, along with failing to restrict the third-party technology vendors from using the information for their own purposes.
  - Companies should expect the FTC to keep pushing for “affirmative express consent” from consumers related to the collection, use, and disclosure of health (and other sensitive) information.
- Emphasized that sharing a personal identifier constitutes a disclosure of health information when paired with contextual data that a consumer sought and/or received mental health treatment (based on the fact that BetterHelp provides mental health counseling). The FTC alleges that sending an IP address or email address in connection with BetterHelp (e.g., the consumer was using the BetterHelp service or answered the intake form) constitutes a disclosure of health information.
  - Companies should pay attention to the identifiers, including IP addresses, advertising IDs, and device IDs, that they send to third parties and determine whether those transmissions identify the company as the data source. If so, the transmission may constitute health information, requiring affirmative express consent.
  - Companies should determine whether they are discouraging consumers from reading their privacy notice by making repeated, and potentially inadequate or false, statements about their data practices on their web pages and in their user flows.
The proposed consent order includes a $7.8 million penalty to go to consumers.
Additionally, in 2021, the FTC made clear that it plans to enforce its breach notification rule that may apply to healthcare companies if they are not subject to HIPAA, and recently levied its first penalty under it.
Details on the OCR Warning About the Use of Trackers
The Department of Health and Human Services’ Office for Civil Rights (OCR) recently warned organizations subject to HIPAA about third-party tracking technology. When companies use that technology in a way that results in the transfer of protected health information, OCR stated the disclosure is subject to HIPAA, and is prohibited without a business associate agreement or individual written authorization.
Importantly, the warning may expand HIPAA’s scope to all pages on a company’s website and its app as OCR defined identifiers to include advertising IDs, in addition to IP address and device IDs, even if they do not include specific treatment or medical billing information. OCR then explained that HIPAA may apply to authenticated websites (like a patient portal) and some unauthenticated websites because the individual’s presence on the website or app is “indicative that the individual has received, or will receive, health care services or benefits from” the entity. In practice, this means that companies subject to HIPAA need to carefully consider how tracking technologies are being used on all of their web pages and apps.
We help clients review their use of tracking technology, assess the impact of the FTC’s recent enforcement action and the OCR Bulletin on their tracking practices, and update their website disclosures and marketing policies in light of regulatory guidance and litigation trends. If you have questions, please contact Orrick for additional guidance.