On July 20, 2023, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) and the Federal Trade Commission (“FTC”) published a joint letter sent to approximately 130 hospital systems and telehealth providers. The FTC/OCR letter warns that certain online tracking technologies that “may be present” on the recipients’ mobile apps or websites could be “impermissibly disclosing consumers’ sensitive personal health information to third parties”.
The letters expressly referenced Meta/Facebook pixels and Google Analytics as tracking technologies which may gather identifiable information in ways that are “unavoidable by and largely unknown to users.” Citing research, news reports, and enforcement actions, the agencies reminded the recipients of the letter that both HIPAA Covered Entities and entities not subject to HIPAA “have an obligation to protect against impermissible disclosures of personal health information.”
The letter comes on the heels of OCR’s December 2022 Bulletin regarding the use of online tracking technologies. HIPAA Covered Entities were instructed to reference this bulletin for guidance about when online tracking technologies may result in unauthorized disclosures of PHI by covered entities.
The letter also follows recent FTC enforcement actions against GoodRx and Easy Healthcare Corp, which this blog analyzed in detail here and here. Entities not subject to HIPAA were pointed to these recent FTC enforcement actions for guidance on how tracking technologies can implicate the FTC Act and the Health Breach Notification Rule.
In a press release announcing the warning letters, both FTC and OCR leadership emphasized their dedication to protecting consumers’ health data. Samuel Levine, the Director of the FTC’s Bureau of Consumer Protection, stated, “The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue doing everything in our powers to protect consumers’ health information from potential misuse and exploitation.” Melanie Fontes Rainer, the OCR Director, reinforced OCR’s focus on health data privacy: “OCR continues to be concerned about impermissible disclosures of health information to third parties and will use all of its resources to address this issue.”
While the letters do not allege that recipients have violated the law, the last line of the letter fires a warning shot at recipients: “To the extent you are using the tracking technologies described in this letter on your website or app, we strongly encourage you to review the laws cited in this letter and take action to protect the privacy and security of individuals’ health information.”