On July 20, 2023, the Federal Trade Commission (“FTC”) and the U.S. Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) issued a joint letter to approximately 130 hospital systems and telehealth providers cautioning them about the “serious privacy and security risks” associated with online tracking technologies that may be integrated into their websites or mobile apps. The letter warned that such technologies, such as the Meta/Facebook Pixel and Google Analytics, may impermissibly disclose consumers’ sensitive personal health information to third parties. Readers should review our blog post on FTC Takeaways for further analysis of how the FTC views sensitive data.

In the accompanying press release, the agencies stated that such technologies “gather identifiable information about users, usually without their knowledge and in ways that are hard for users to avoid, as users interact with a website or mobile app.” Notably, these technologies not only gather personal health information on hospital and telehealth websites but may also continue to track consumers as they navigate the web and visit other sites or apps. The FTC made clear that it intends to continue enforcing against tracking that impermissibly uses or discloses personal health information.

Furthermore, the letter reminds regulated entities of their preexisting obligation to comply with the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy, Security, and Breach Notification Rules. OCR, which administers and enforces the HIPAA Rules, warns that “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of Protected Health Information to tracking technology vendors or any other violations of the HIPAA Rules.”

The letter builds on a significant trend at the FTC of protecting the privacy of consumer health data, which has been demonstrated in three related enforcement actions in the first half of 2023.

In March 2023, the FTC alleged that BetterHelp “repeatedly pushed people to take an Intake Questionnaire and hand over sensitive health information through unavoidable prompts.” BetterHelp assured customers their sensitive data would remain private but instead shared it with advertising platforms, including Facebook, Snapchat, Criteo, and Pinterest. In July 2023, the FTC finalized its order against BetterHelp, which requires the company to pay $7.8 million.

Earlier, in February 2023, the FTC took action against GoodRx, an app that promised users it would keep their personal health information confidential but in reality disclosed it to third parties through advertising tracking technologies. GoodRx was required to pay a $1.5 million penalty for the misrepresentations and to overhaul its privacy practices.

In May 2023, the FTC brought an action against Premom, an ovulation tracking app, for breaching its privacy promises and violating the Health Breach Notification Rule by sharing users’ sensitive health data with third-party advertisers. From 2018 to 2022, Premom collected and shared health data regarding menstrual cycles, reproductive health, fertility, and pregnancy, as well as users’ precise geolocation, contrary to the statements in Premom’s privacy policy. The FTC fined Premom $100,000 and required an overhaul of its privacy practices.

Takeaways

This aggressive trend among federal regulators means that any entity that handles patient or consumer health information should take note of the following:

  • Review and update your privacy policy. This is especially important if your entity handles anything related to consumer health data. As always, make sure that in your privacy policy you (1) do what you say, and (2) say what you do.  
  • Prepare for the end of targeted ads using health data. The FTC’s actions against BetterHelp, GoodRx, and Premom, together with the Washington My Health My Data Act, make clear that regulators are keen to end targeted advertising based on audience segments built from consumer health data or inferences drawn from such data.