Office for Civil Rights and Federal Trade Commission Renew Warnings of Online Tracking and Health Information
November 2, 2023
Overview
The OCR and FTC have issued renewed warnings regarding the dangers of online tracking technologies and the harm they can pose to the privacy of an individual’s health information. OCR and FTC warn that tracking technologies collect identifiable information, mostly unbeknownst to users, and can lead to violations of three federal laws by regulated entities.
The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC), on September 1, 2023, issued renewed warnings regarding the dangers of online tracking technologies and the harm they can pose to the privacy of an individual’s health information. OCR and FTC warn that tracking technologies collect identifiable information, mostly unbeknownst to users, and can lead to violations of three federal laws by regulated entities.
Tracking Technologies Explained
Online tracking technologies, according to OCR, consist of a “script or code on a website or mobile app” that collect information on users. This user data, it says, is then analyzed by the app or website owner, or third parties, to paint a fuller picture of the user’s online activities. It adds that website tracking technologies frequently include “cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts” and that tracking code is often embedded within an app.
Joint Warning Letters to Hospitals and Telehealth Providers
In the September announcement, OCR—the federal agency charged with enforcing HIPAA—and the FTC published a number of identical letters they sent to certain hospitals and telehealth providers in July of this year. The joint OCR and FTC letters warn of harms to individuals of impermissible disclosures of health information through tracking technologies, including disclosure of highly sensitive health information such as diagnoses and encounters with health care providers. In addition, they warn, impermissible disclosures can lead to financial harm and discrimination.
The letters specifically call out online tracking technologies like Meta/Facebook Pixel and Google Analytics and warn that these and similar technologies, when used by regulated entities, could result in impermissible disclosures and violations of the Health Insurance Portability and Accountability Act (HIPAA), the federal Health Breach Notification Rule and the FTC Act.
HIPAA and Tracking Technologies
HIPAA’s Privacy Rule limits the use and disclosure of protected health information (PHI) by covered entities. Its Security Rule requires covered entities and business associates to ensure the confidentiality of all electronic PHI (ePHI) and to safeguard against reasonably foreseeable threats to ePHI. The HIPAA Breach Rule requires notification in the event of a breach of PHI to affected individuals, OCR and, in larger breaches, the media. The recent joint letters warn that the HIPAA rules may be triggered when covered entities and business associates use tracking technologies or disclose health data to tracking technology vendors. All such activities, they caution, must be consistent with the HIPAA Rules.
Health Breach Notification Rule, FTC Act and Tracking Technologies
Similarly, the Health Breach Notification Rule—enforced by the FTC—requires notification to individuals and the FTC in the event of a breach of certain health information by regulated entities. Failure to comply with the Health Breach Notification Rule, by a regulated entity, is considered an unfair and deceptive practice in violation of the FTC Act. And, misrepresentation or omission of a material fact, such as in relation to how an entity uses sensitive customer data, may constitute a deceptive practice under the FTC Act. The OCR and FTC letters caution that entities not subject to HIPAA may nevertheless run afoul of the Health Breach Notification Rule and the FTC Act if they use tracking technologies that lead to impermissible disclosures of health data. That applies, they warn, even if the entities engage a third party to develop their app or internet site.
Continued OCR and FTC Focus on Tracking Technologies
This latest advisory illustrates a continued focus by OCR and FTC on the dangers of tracking technologies and their potential harm to the privacy of individuals, including with respect to their health information. In December 2022, OCR advised of the dangers to PHI of tracking technology, warning “regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures” of PHI to tracking technology vendors or any other violations of the HIPAA Rules. And, in US v. Easy Healthcare Corporation, the FTC, in May 2023, alleged the developer of an ovulation tracker app gathered personal and sensitive data of users of the app and shared that data with third parties contrary to its representations to users in its privacy policies, in violation of the FTC Act and the Health Breach Notification Rule.
The recent joint letter is available on the FTC and OCR websites.
This post was written by Stephen Murphy, Deputy Director, Network for Public Health Law – Mid-States Region
The Network for Public Health Law provides information and technical assistance on issues related to public health. The legal information and assistance provided in this document do not constitute legal advice or legal representation. For legal advice, readers should consult a lawyer in their state.
Support for the Network is provided by the Robert Wood Johnson Foundation (RWJF). The views expressed in this post do not represent the views of (and should not be attributed to) RWJF.