HHS and FTC Online Tracking

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) are warning hospitals and telehealth providers about the security and privacy risks posed by online tracking technologies. These technologies, such as Google Analytics and Meta Pixel, integrated into a provider’s website or mobile app, may be impermissibly disclosing consumers’ sensitive personal health information to third parties.

The warning letter jointly issued by HHS and FTC follows a 2022 OCR bulletin reminding HIPAA-covered entities to protect health data from unauthorized disclosure through these technologies. Additional details of the letter can be found below.

HHS and FTC: Working Together to Prevent Unauthorized Disclosures

The HIPAA regulations apply when the information that HIPAA-covered entities collect through tracking technologies, or disclose to tracking technology vendors, includes protected health information (PHI). Covered entities and business associates may not use these technologies in a manner that would result in a disclosure to the tracker that HIPAA does not allow. For example, PHI disclosures made by a hospital to a tracking technology vendor are not permitted under HIPAA unless a patient provides prior written authorization for the disclosures. The risks posed by unauthorized disclosure include revealing sensitive health information, including medical treatments, diagnoses, and medications.

Companies that HIPAA does not regulate must also use tracking technologies appropriately. Recently, the FTC Office of Technology issued guidance putting these companies on notice that they must monitor the flow of health information to third parties that use such technologies in order to protect against unauthorized disclosures. The unauthorized disclosure of such information may violate the Federal Trade Commission Act (FTCA), and could constitute a security breach under the FTC Health Breach Notification Rule.

HHS and FTC: Warning to Hospitals

The joint HHS and FTC letter was issued to 130 hospitals. The letter cited recent FTC enforcement actions against non-HIPAA entities that failed to protect the privacy of personal health information. These enforcement actions highlighted the risks and concerns about online tracking technologies that can track user activity.

HHS and FTC concluded the letter with a “We’ll be watching you” warning: “OCR and the FTC remain committed to ensuring that consumers’ health privacy remains protected with respect to this critical issue. Both agencies are closely watching developments in this area. To the extent you are using the tracking technologies described in this letter on your website or app, we strongly encourage you to review the laws cited in this letter and take actions to protect the privacy and security of individuals’ health information.”


HHS and FTC: Enforcement Actions and Lawsuits

Companies not covered by HIPAA still have a responsibility to protect against the unauthorized disclosure of personal health information. If they do not protect against this disclosure, the FTC may take enforcement action against them. In the last year, the FTC brought enforcement actions against BetterHelp and GoodRx.

In the BetterHelp enforcement action, BetterHelp agreed to pay $7.8 million for deceiving consumers after promising to keep sensitive personal data private. The FTC found that BetterHelp had shared consumers’ sensitive data with third parties such as Facebook and Snapchat for advertising after promising to keep such data private. In the FTC Final Order against BetterHelp, the FTC concluded that BetterHelp used and disclosed consumers’ email addresses, IP addresses, and health questionnaire information to Facebook, Snapchat, Criteo, and Pinterest for advertising purposes, despite promising consumers that it would only use or disclose personal health data for limited purposes.

In its Final Order in the GoodRx enforcement action, the FTC described the egregious conduct that led to its $1.5 million settlement with the popular drug discount company. The FTC found that GoodRx disclosed millions of users’ personal health information to third parties without the users’ authorization, consent, or knowledge. These activities violated the FTC Act’s prohibition on unfair and deceptive trade practices and the FTC’s Health Breach Notification Rule. The Health Breach Notification Rule requires companies to notify users when a company discloses health information to a third party without a user’s consent.

HHS and FTC: The Premom Case

Easy Healthcare Corporation operates the popular Premom app. This free, downloadable app, used by hundreds of thousands of people, helps users track ovulation and menstrual cycles. Premom also sells ovulation test kits. The app encourages users to input information about menstrual cycles, fertility, and pregnancy. The app also encourages users to import their data from other apps, such as Apple Health.

Recently, the FTC alleged that Easy Healthcare repeatedly and deceptively promised users in its privacy policies that it would not share their health information with third parties without users’ consent. According to the FTC, Easy Healthcare also claimed that any data it did collect was non-identifiable and only used for its own analytics or advertising.

The FTC concluded that Easy Healthcare failed to take reasonable measures to address the privacy and data security risks created by its use of third-party automated tracking tools, known as software development kits (SDKs). The FTC also concluded that Easy Healthcare shared health information for advertising purposes without obtaining consumers’ affirmative express consent, violating the Federal Trade Commission Act.

The Premom enforcement action is now before a federal court. The FTC, in a proposed order, has requested that the court:

  1. Bar Easy Healthcare from sharing users’ personal health data with third parties for advertising.
  2. Require Easy Healthcare to obtain users’ consent before sharing health data for any other purpose.
  3. Require Easy Healthcare to tell consumers how their personal data will be used.

The proposed order must be approved by the federal court to go into effect.
