By Sheila Sokolowski and Kate Black
In a joint letter sent to 130 hospital systems and telehealth providers, the Federal Trade Commission (FTC) and the U.S. Department of Health and Human Services (HHS) warned health care providers, both those covered by HIPAA and those not, about their potential to violate the HIPAA Rules, FTC Act and FTC Health Breach Notification Rule (HBNR) when they use technology that tracks users’ activities on their websites and apps. Specifically, the letter highlighted:
That tracking technology was likely found on the websites of the hospital systems and telehealth providers contacted,
The risks of impermissible disclosures of health information to tracking technology providers, including to Meta/Facebook and Google (the letter named these two companies as examples), and
The resulting risk of harm to an individual whose health information has been disclosed.
The letter reflects the compliance issues raised by the FTC’s recent guidance and enforcement actions as well as concerns highlighted in HHS’s bulletin on the subject from December 2022. Read Hintze’s summary of the FTC actions against GoodRx and BetterHelp, and 5 Operational Lessons for Implementation to learn more.
All HIPAA regulated entities, entities subject to the HBNR and those subject to the FTC Act that collect health information should take steps to understand and manage the flow of health information to third parties whose tracking technologies they integrate into their websites and apps.
Sheila Sokolowski is a Partner at Hintze Law and the Lead Co-Chair of the Health & Biotech Group.
Kate Black is a Partner at Hintze Law and Co-Chair of the Health & Biotech Group.
Hintze Law PLLC is a Chambers-ranked, boutique privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support technology, ecommerce, advertising, media, retail, healthcare, AI, and mobile industries in all aspects of privacy and data security.