In July of 2023, the Federal Trade Commission (FTC) and the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) published a joint letter cautioning hospitals, health app developers, and telehealth providers about the privacy and security risks related to the use of online tracking technologies integrated into their websites or mobile apps that may be impermissibly disclosing consumers’ sensitive personal health data to third parties. Additionally, the two agencies sent the joint letter to approximately 130 hospital systems and telehealth providers to remind them of the regulatory risks associated with using such technologies.

While the “Model Letter” was published by FTC and OCR in July of 2023, the agencies have now published the letters addressed to each of the 130 recipients.

The letters explain and reiterate the risks posed in connection with the use of third-party tracking technologies and the unauthorized disclosure of an individual’s personal health information to third parties. In addition to underscoring that both agencies are watching developments in this area, the letter ends with this admonition: “To the extent you are using the tracking technologies described in this letter on your website or app, we strongly encourage you to review the laws cited in this letter and take actions to protect the privacy and security of individuals’ health information.”

The joint letter is just another indication that OCR and FTC plan to be more aggressive in enforcing violations of HIPAA, the FTC’s Health Breach Notification Rule (HBNR), and other laws and regulations that may be occurring in connection with the use of third-party tracking technologies on health-related websites and mobile apps. Combined with the recent onslaught of class action lawsuits filed against healthcare providers and hospital systems using third-party tracking technologies, organizations should closely monitor their practices related to the collection, use, and disclosure of consumers’ health information via tracking technologies.

Furthermore, it seems quite undeniable that, while the agencies sent their letter to 130 specific entities, it is the intent of both the FTC and OCR to ensure their warning is heard, unmistakably, and far beyond just those 130 recipients.

Third-Party Tracking Technologies Background

As previously discussed within this blog, the widespread use of third-party tracking technologies on hospital websites and the corresponding risk of impermissible disclosures of protected health information (PHI) prompted OCR to issue guidance on the use of such technologies for HIPAA-regulated entities in a December 2022 bulletin. The bulletin makes it clear that HIPAA-regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to third parties or any other violations of the HIPAA Rules.

The types of information disclosed through the use of third-party tracking technologies is dependent upon where the technologies are implemented within an organization’s web environment. For example, within an appointment scheduling application or behind the authenticated pages of a patient portal, the tracking technologies could collect highly sensitive information with respect to the individual user visiting each such page. This information may include specific health conditions, diagnoses, medications, treatment information, treatment locations, frequency of visits, and more, along with identifiers that could reasonably link the information to individual website users. A primary concern addressed by OCR in the December 2022 bulletin is that, if disclosed, any of this information could be used by third-parties for advertising purposes and could result in identity theft, financial loss, discrimination, stigma, mental anguish, or other serious negative consequences to the reputation, health, or physical safety of the individual or to others.

Additionally, organizations that are not regulated by HIPAA still maintain a responsibility to protect against the unauthorized disclosure of personal health information. Through its recent enforcement actions against BetterHelp, GoodRx, and Premom, as well as recent guidance from the FTC’s Office of Technology, the FTC has put companies on notice that they must monitor the flow of health information to third parties that use tracking technologies integrated into websites and apps. The unauthorized disclosure of such information may violate the FTC Act, and could constitute a breach of security under the FTC’s Health Breach Notification Rule.

When asked about the July 2023 joint letter, the Director of the FTC’s Bureau of Consumer Protection took a firm stance on the issue, stating, “When consumers visit a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties. The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue doing everything in our powers to protect consumers’ health information from potential misuse and exploitation.”

Recent Developments

Whether as a result of the joint warning issued by the agencies or not, in recent months a growing number of healthcare organizations have reported data breaches involving the use of third-party tracking technologies, such as Google Analytics and Meta Pixel, to collect information from their websites, apps and patient portals. 

Many of these same entities also face proposed class action lawsuits alleging privacy violations and other similar claims involving an unlawful disclosure of individuals’ sensitive health information. For example, Advocate Aurora Health in October 2022 reported to OCR a tracking technology-related HIPAA breach affecting 3 million individuals. In response to a resulting class action lawsuit, Advocate Aurora agreed to pay $12.25 million to settle consolidated claims that the organization invaded patient privacy by using third-party tracking technologies on its website and patient portal.

Certain third-party tracking technology vendors, including Meta and Google, are also facing proposed class action lawsuits involving the use of their tracking technologies on health-related websites and apps which may have resulted in the disclosure and use of sensitive health information in an unauthorized manner.

Practical Takeaways

All recipients of the letters, which include a diverse range of HIPAA-regulated entities and non-HIPAA-covered entities that collect health information, have been advised to review OCR and FTC guidance, assess the extent to which tracking technologies are in use, and ensure they are fully protecting the privacy and security of individuals’ health information. At this point, given the increasing scrutiny with respect to the use of third-party tracking technologies, any organizations using these technologies should assess (and, in some cases) re-assess their web environment to determine what tracking technologies are in use and collecting consumer information.

Taft will continue to monitor developments in this area and will provide updates here and on all our Taft platforms. As always, seek qualified legal counsel whenever making determinations about your company’s legal or compliance obligations. Taft’s Privacy and Data Security Practice (PDS) stands ready to assist you with a risk-based, common-sense approach to your data governance needs. Stay tuned to Privacy and Data Security Insights and don’t forget to download our free mobile app, to give you quick, real-time access to Taft PDS content and updates like this one.