The proliferation of health apps and connected devices that allow individuals to track their health conditions, treatment, medications, fitness, fertility, sleep, mental health, diet and other vital areas has led to increased regulatory scrutiny. Recent regulatory guidance and enforcement actions with multimillion-dollar remedies are clarion calls for health technology companies to ensure that they are properly using internet tracking technologies on their digital properties.
OCR Guidance on Use of Tracking Technologies
The Department of Health and Human Services’ Office for Civil Rights (OCR), which enforces the Health Insurance Portability and Accountability Act (HIPAA), recently released guidance warning that a HIPAA-regulated entity’s use of internet tracking technologies on its websites and apps is subject to HIPAA’s Privacy Rule. These tracking technologies include commonly used analytics and advertising tools, such as tracking pixels used for remarketing, web beacons and session replay scripts. OCR advises that these technologies fall within HIPAA rules because the types of data they collect, including IP address, geographic location, device ID, advertising ID or other unique identifiers, can tie an individual website or app user to a HIPAA-regulated entity even in the absence of a patient relationship. Accordingly, this data “relates to the individual’s past, present, or future health or health care or payment for care.” For instance, when a covered entity (such as a hospital or healthcare provider) places a tracking pixel on its appointment scheduling page, the pixel shares the patient’s IP address with the pixel provider. According to the OCR guidance, the covered entity must ensure that it shares the IP address with the pixel provider in a HIPAA-compliant manner.
FTC Enforcement of Its Health Breach Notification Rule
OCR is not the only regulator focused on the use of tracking technologies on health websites and apps. On February 1, 2023, the Federal Trade Commission (FTC) settled an enforcement action against a digital healthcare platform for violating Section 5 of the FTC Act and the FTC’s Health Breach Notification Rule, 16 C.F.R. Part 318 (the FTC Rule). The FTC Rule applies to businesses that are not subject to HIPAA but that collect or maintain identifiable health information of consumers in the form of personal health records. The FTC Rule requires businesses to notify individuals within 60 calendar days of unauthorized access to their personal health records. In 2021, the FTC issued a Policy Statement advising that any sharing of personal health information—including intentional disclosures—without the authorization of the individual to whom it relates violates the FTC Rule. The FTC also warned that violations of the FTC Rule could result in civil penalties of up to $43,792 per violation per day.
This case was the FTC’s first enforcement of the FTC Rule. The FTC alleged that the company violated the FTC Rule and Section 5 of the FTC Act by sharing personal and health information of its users with (1) advertising platforms, such as Facebook, Google and Criteo; and (2) other third parties like Branch and Twilio, without notifying or getting the consent of its users. The FTC also found the practices were contrary to promises the company made in its privacy policies that it would not share its users’ health information. Under the terms of the settlement, the FTC levied a $1.5 million civil penalty and permanently banned the company from disclosing health information to third parties for advertising purposes.
BetterHelp, Inc. FTC Enforcement
Just a month later, in March 2023, the FTC brought an enforcement action alleging that BetterHelp, an online mental health counseling service, shared information identifying its users with advertisers contrary to its privacy promises on its website and intake questionnaire. The complaint alleges that BetterHelp allowed advertisers to use information about its users to create look-alike pools of individuals for advertising. A consent order, if approved, will require BetterHelp to refund up to $7.8 million to consumers who paid for BetterHelp subscriptions. The proposed FTC order requires BetterHelp to (1) obtain affirmative express consent before disclosing personal information to certain third parties for any purpose; (2) implement a comprehensive privacy program; (3) direct third parties to delete consumer health and other personal information; and (4) implement a data retention schedule for consumer health and personal information.
Practical Takeaways for Digital Health Clients
All digital health clients who use targeted advertising and online tracking technologies on their websites and mobile apps need to assess and be clear about what laws they may be subject to: HIPAA, Section 5 of the FTC Act (prohibiting unfair or deceptive acts or practices in or affecting commerce) and/or the FTC Rule. The FTC has made available an interactive tool to help developers of mobile apps that in any way relate to health information determine which laws and rules may apply.
Are you a covered entity or business associate subject to HIPAA? If so, you will need to:
- Assess what online advertising tools (cookies, pixels, web beacons) you are using on your digital properties, such as your websites or mobile applications.
- Determine where these online advertising tools are placed on your digital properties, noting increased scrutiny on web pages where sensitive health information may be collected (for instance, on an appointment scheduling page where conditions or symptoms could be entered).
- Assess what data is shared with third-party providers of these tools, noting that even IP addresses are considered protected health information (PHI) under OCR’s new guidance.
- Determine whether you have the necessary agreements in place with the tool providers, such as a business associate agreement or subcontractor agreement.
- Weigh the benefits of using these online advertising tools against the added cost of complying with OCR’s new guidance. Continued compliant use of these tools will likely require companies to obtain prior authorization or consent from users (including website visitors, even if no patient relationship is formed) for disclosure of their PHI to providers of these online advertising tools.
If you collect personal health information, but are not a HIPAA covered entity or business associate:
- If your site or app collects identifiable health information on an individual from multiple sources, such as through a combination of consumer inputs and APIs, you are subject to the FTC Rule. And, as for HIPAA-regulated businesses, Section 5 of the FTC Act requires that statements to consumers about how you use and share their health information not be misleading.
- Assess what third-party advertising providers you are using, if any.
- Conduct an internal audit to determine what personal information you share with third-party advertising providers, if any.
- Review all statements and promises that you have made about the use and disclosure of personal and health information in client intake questionnaires, in your privacy policies, on your websites and mobile applications, and in other public forums and platforms (e.g., Twitter), and remove any privacy guarantees or representations that do not accurately reflect your company’s actual practices.
- Obtain Affirmative Express Consent before disclosing health information to third-party providers of advertising technologies. Affirmative Express Consent must be specific and separate from the business’s general terms.
- Train employees on privacy and security best practices for handling or making decisions about sharing personal or health information.
- Contractually limit advertisers’ use of personal information for their own independent business purposes, including their own research and development and ad optimization.
- Consider developing and implementing internal policies governing personal and health information sharing, including requiring prior legal review and approval of any data sharing with third-party providers of online advertising tools.
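As an added example (not from this article or any regulator's tooling), the following Python script supports the assessment steps in both lists above: inventorying which third-party advertising and analytics tools load on a page, where they are placed, and what the request to each provider carries. It parses a page's HTML, lists every resource loaded from a host other than the first party, records the query parameter names the request sends, flags 1x1 images as likely tracking pixels, and marks findings on pages whose path is configured as sensitive (such as appointment scheduling). The sample page, the `.example` hostnames, the first-party host and the sensitive-path list are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample: a hypothetical appointment-scheduling page embedding an analytics
# script, a 1x1 ad pixel and a session-replay iframe beside first-party assets.
SAMPLE_HTML = """<html><head>
<script src="https://tags.analytics.example/tag.js?id=TAG-123"></script>
<script src="/static/app.js"></script>
</head><body>
<form action="/schedule"><input name="symptoms"></form>
<img src="https://pixel.adplatform.example/tr?id=PIX-1&amp;ev=PageView" width="1" height="1">
<img src="/logo.png" alt="clinic logo">
<iframe src="https://replay.sessiontool.example/embed?site=clinic"></iframe>
</body></html>"""

# Tag -> attribute that triggers a resource load; each such load sends the
# visitor's IP address (PHI under the OCR guidance) plus any query parameters.
SRC_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class ThirdPartyResourceFinder(HTMLParser):
    """Collects every resource load whose host differs from the first party."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = SRC_ATTRS.get(tag)
        if attr_name is None:
            return
        a = dict(attrs)
        url = a.get(attr_name)
        host = urlparse(url).hostname if url else None
        if host is None or host == self.first_party_host:
            return  # relative or first-party resource: no third-party disclosure
        self.findings.append({
            "tag": tag,
            "host": host,
            "params": sorted(parse_qs(urlparse(url).query)),  # what the URL sends
            "pixel": tag == "img" and a.get("width") == "1" and a.get("height") == "1",
        })


def inventory(html, first_party_host, page_path, sensitive_prefixes=("/schedule",)):
    # Returns third-party loads on one page, flagged when the page collects health data.
    parser = ThirdPartyResourceFinder(first_party_host)
    parser.feed(html)
    sensitive = any(page_path.startswith(p) for p in sensitive_prefixes)
    for finding in parser.findings:
        finding["on_sensitive_page"] = sensitive
    return parser.findings
```

Run `inventory` over each crawled page of a site to build the inventory the checklist asks for; findings with `on_sensitive_page` set are the ones to reconcile first against business associate agreements and consent flows.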