What Healthcare Companies Need to Know and Do About Ad Tracking Technologies

6 minute read | March.14.2023

Healthcare companies track visitors to websites and mobile apps with third-party technologies like cookies and pixels, but that widespread practice now comes with steadily growing risk.

The Federal Trade Commission is zeroing in on how companies use tracking technologies to collect and share consumer health information, as a recent enforcement action makes clear. The Department of Health and Human Services’ Office for Civil Rights (OCR) recently warned organizations subject to HIPAA about third-party tracking technology. And a new wave of consumer class action litigation has taken aim at healthcare companies using tracking technologies, including for alleged violations of wiretapping laws.

What to Do: 8 Steps Healthcare Companies Can Take to Reduce Risk

Healthcare companies that touch consumer health data should consider the following steps to reduce risk and increase compliance:

Review Websites and Apps to Identify Trackers, and Consider Carefully if Any Web Pages or Apps Collect Potentially Sensitive Information. Take an inventory of tracking technologies on your websites and apps and identify data that third-party tracking technology vendors collect. Determine whether third-party trackers on a website or app collect, use, and disclose individually identifiable health information (or other sensitive information). You may want to consider undertaking this assessment under legal privilege and with the help of a technical consultant.
Know What Law Applies. Determine if your company is governed by the FTC and/or subject to HIPAA. In addition to general FTC/OCR oversight, a healthcare company may also be subject to specific FTC and/or HIPAA breach reporting obligations.
Analyze Whether Impermissible Disclosures Are Taking Place. Direct-to-consumer health-care companies should review their privacy notices to ensure they properly disclose the company’s data processing practices in connection with online tracking technologies and health information—but mere consumer notice may no longer be sufficient (see more below). HIPAA-governed entities should determine if a business associate agreement is in place with the third-party tracking technology vendors, or if a HIPAA-compliant authorization has been obtained from consumers (a cookie banner is not sufficient). It is also not enough for a third party to deidentify information once it has been disclosed—the mere fact that identifiable health information was collected may constitute an impermissible disclosure.
Determine Whether You Have Notice Obligations. If impermissible disclosures have taken place under the FTC’s health breach notification rule or HIPAA, you may have an obligation to notify consumers, regulators, and the media.
Decide if You Should Restructure Part of Your Website and Services Agreement. Evaluate the structure of your website and your services agreement to determine whether an overhaul could better ensure compliance. This is especially important for entities that are subject to both the FTC and HIPAA’s breach notification rules.
Review Notice and Consent Obligations. Consider if you need to update your privacy notice, obtain affirmative express consent from consumers for the sharing of health data, and update your user flow. The privacy notice and request for affirmative express consent should be presented prior to collecting the user’s personal health information.
Review Your Public Representations. Healthcare companies also should consider removing representations about HIPAA compliance or data practices if they could be considered deceptive or give consumers false assurances causing them not to read your privacy notice. Ensure that your privacy notice and marketing materials accurately represent disclosure practices and how your company shares health data with vendors.
Develop Guidance for Marketing. Work with counsel to develop guidelines for your marketing department to follow when deciding whether to place tracking technologies on company websites or apps. Perform periodic assessments on the use of ad trackers.

Details on the Recent FTC Enforcement Action on Use of Trackers

The FTC can pursue legal action against healthcare companies under Section 5 of the FTC Act, which prohibits unfair and deceptive acts. Additionally, under its Health Breach Notification Rule, if a company is neither a covered entity nor acting as a business associate, it may be at a risk for civil monetary penalties if it does not timely report a security incident or impermissible disclosure.

The FTC recently announced an enforcement action against BetterHelp, an online counseling service, that provides some important lessons related to the unauthorized disclosure of health information. The FTC alleged that BetterHelp sent consumer health information to social media companies for advertising despite promising consumers it would not use or disclose personal health information except for limited purposes. The complaint:

Faulted BetterHelp for not obtaining affirmative express consent from consumers to collect, use, and disclose health information for advertising, along with failing to restrict the third-party technology vendors from using the information for their own purposes.
- Companies should expect the FTC to keep pushing for “affirmative express consent” from consumers related to the collection, use, and disclosure of health (and other sensitive) information.
Emphasized that sharing a personal identifier constitutes a disclosure of health information when paired with contextual data that a consumer sought and/or received mental health treatment (based on the fact that BetterHelp provides mental health counseling). The FTC alleges that sending an IP address or email address in connection with BetterHelp (e.g., the consumer was using the BetterHelp service or answered the intake form) constitutes a disclosure of health information.
- Companies should pay attention to identifiers, including IP addresses, advertising IDs, and device IDs, they send third parties and determine if those transmissions identify the company as the data source. If so, it may constitute health information, requiring affirmative express consent.
Contended that BetterHelp’s privacy policy link was not conspicuous, and that the organization discouraged consumers from reading its privacy policy by making repeated statements that their health information was secure and would not be shared with third parties.
- Companies should determine whether they are discouraging consumers from reading their privacy notice by making repeated, and potentially inadequate or false statements, about their data practices on their web pages and user flows.

The proposed consent order includes a $7.8 million penalty to go to consumers.

Additionally, in 2021, the FTC made clear that it plans to enforce its breach notification rule that may apply to healthcare companies if they are not subject to HIPAA, and recently levied its first penalty under it.

Details on the OCR Warning About the Use of Trackers

The Department of Health and Human Services’ Office for Civil Rights (OCR) recently warned organizations subject to HIPAA about third-party tracking technology. When companies use that technology in a way that results in the transfer of protected health information, OCR stated the disclosure is subject to HIPAA–and is prohibited without a business associate agreement or individual written authorization.

Importantly, the warning may expand HIPAA’s scope to all pages on a company’s website and its app as OCR defined identifiers to include advertising IDs, in addition to IP address and device IDs, even if they do not include specific treatment or medical billing information. OCR then explained that HIPAA may apply to authenticated websites (like a patient portal) and some unauthenticated websites because the individual’s presence on the website or app is “indicative that the individual has received, or will receive, health care services or benefits from” the entity. In practice, this means that companies subject to HIPAA need to carefully consider how tracking technologies are being used on all of their web pages and apps.

We help clients review their use of tracking technology, assess the impact of the FTC’s recent enforcement action and the OCR Bulletin on their tracking practices, and update their website disclosures and marketing policies in light of regulatory guidance and litigation trends. If you have questions, please contact Orrick for additional guidance.

Authors

Thora Johnson Partner, Cyber Privacy and Data Innovation, Strategic Advisory & Government Enforcement (SAGE)

Washington, D.C.

See my bio

Practice:

Technology & Innovation Sector
Cyber Privacy and Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Thora Johnson Partner

Washington, D.C.

Thora has extensive experience counseling clients on the Health Insurance Portability and Accountability Act (HIPAA) and other state and federal health privacy and regulatory compliance regimes including:

Office of the National Coordinator for Health Information Technology’s interoperability and information blocking regulations
Centers for Medicare & Medicaid Service’s (CMS’s) interoperability and patient access regulations
Part 2 confidentiality requirements applicable to substance abuse records
State health information privacy laws
Medicare/Medicaid compliance
Mental Health Parity and Addiction Equity Act (MHPAEA)
Genetic Information Nondiscrimination Act (GINA)
Affordable Care Act (ACA) compliance
Regulatory requirements of the Employer Retirement Income Security Act (ERISA), the Internal Revenue Code, HIPAA, and the ACA as they apply to employer health and wellness plans
Price transparency and surprise billing rules applicable to hospitals and health plans

Kyle Kessler Senior Associate, Cyber Privacy and Data Innovation, Global Compliance & Regulatory

Los Angeles

See my bio

M:+1 310 251 5299
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber Privacy and Data Innovation
Global Compliance & Regulatory
Technology Transactions
Technology & Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Kyle Kessler Senior Associate

Los Angeles

Kyle advises public and private companies across several sectors, including life sciences and health technology, financial services, private equity, social media and technology on a range of EU and U.S. federal and state privacy laws. Kyle’s strategic counseling advice includes, but is not limited to:

U.S. state privacy laws in California, Colorado, Connecticut, Utah and Virginia (CCPA, CPRA, CPA, CTDPA, UCPA, VCDPA)
Consumer health privacy laws, including Washington’s My Health My Data
US data broker laws, including California's Delete Act
Children's Online Privacy Protection Act (COPPA)
Computer Fraud and Abuse Act (CFAA)
Contest and Sweepstakes Laws
Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
Electronic Communications Privacy Act (ECPA)
Europe (EU) General Data Protection Regulation (GDPR)
EU e-Privacy Directive
UK's Age Appropriate Design Code (Children's Code)
False, Misleading, or Deceptive Acts or Practices
Federal Trade Commission Act (FTC)
Health Insurance Portability and Accountability Act (HIPAA)
Health Information Technology for Economic and Clinical Health Act (HITECH)
Restore Online Shoppers' Confidence Act (ROSCA)
Retail Sales Laws
Advertising and Payment Card Self-Regulatory Frameworks
State Breach Notification and Security Laws
Telephone Consumer Protection Act (TCPA)

Kyle works with clients to develop internal privacy and security compliance programs, including assisting with privacy audits and data mapping, valuating privacy and security risks in corporate transactions, advising companies through the full pre-IPO and post IPO diligence cycle, drafting and negotiating data-related vendor and arrangement contracts, meeting with teams to assist with privacy by design, developing internal and external privacy policies for employees, customers, and contractors, drafting and training on the implementation of consumer rights requests, and developing comprehensive security programs and policies.

She partners with her clients to provide practical business counsel, with an in-house and outside counsel perspective. She regularly counsels startups and tech companies through the funding life cycle, or in connection with the launch of innovative technology, products, or platforms. Kyle's background in marketing, publication relations and communications enhances the consumer protection support she provides clients. She drafts disclosure and consent frameworks in compliance with privacy and consumer protection regulations. Kyle also helps develop, implement, administer regulatory compliance programs for all aspects of promotional and customer-facing activities, including:

Contests and sweepstakes
Direct mail, email, in-store and online, social media and text messaging advertisements and marketing campaigns
Gift cards
Influencer and social media agreements and endorsements
Price comparisons
Print advertisements and product placements
Reward and loyalty programs

Kyle is active in the LGBTQ+ community and helps lead Orrick's LGBTQ+ Attorney Affinity Group. She was also selected to participate in the Leadership Council on Legal Diversity's (LCLD) 2022 Pathfinders Program.

Before joining Orrick, Kyle was an in-house attorney at a company named to Forbes' 100 Largest Private Companies list.

Hannah Levin Senior Associate, Cyber Privacy and Data Innovation, Strategic Advisory & Government Enforcement (SAGE)

Washington, D.C.

See my bio

D:+1 202 339 8610
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber Privacy and Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Hannah Levin Senior Associate

Washington, D.C.

Hannah provides guidance on state and federal regulations, including state data breach laws and notification requirements, the Children’s Online Privacy Protection Act (COPPA), the California Consumer Privacy Act (CCPA), the Federal Trade Commission Act (FTC Act), the Health Insurance Portability and Accountability Act (HIPAA), and the advertising industry’s self-regulatory regimes. She also helps clients navigate consumer protection issues, including the Restore Online Shoppers’ Confidence Act (ROSCA) and federal and state consumer protection statutes.

Hannah also has broad civil and criminal litigation experience. She has worked on complex class action and commercial litigation matters, government enforcement actions and internal corporate investigations. She has represented clients facing liability under a variety of state and federal laws, including federal and state consumer protection statutes.

Prior to entering private practice, Hannah served as a law clerk to the Honorable Lynne A. Battaglia of the Supreme Court of Maryland.

Alyssa Wolfington Managing Associate, Cyber Privacy and Data Innovation, Strategic Advisory & Government Enforcement (SAGE)

New York

See my bio

D:+1 212 506 5000
E: [email protected]

Practice:

Cyber Privacy and Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Alyssa Wolfington Managing Associate

New York

Alyssa navigates clients through privacy programs and policy creation, and provides guidance on compliance with federal, state and international laws and regulations, including the California Consumer Privacy Act (CCPA), the Children’s Online Privacy Protection Act (COPPA), the General Data Protection Regulation (GDPR), the Federal Trade Commission Act (FTC Act), the Health Insurance Portability and Accountability Act (HIPAA) and state data breach notification laws. She advises clients on security incident response and federal and state investigations related to privacy and data security. She also provides assessments of privacy and security practices for companies carrying out due diligence in the context of corporate transactions.