The Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) sent 130 healthcare companies letters warning that they may be non-compliant with HIPAA, citing the use of technologies like Google Analytics and the Meta/Facebook pixel. Get the details in this post.
What’s Happening?
On July 20th, 2023, the Federal Trade Commission, in partnership with the Office for Civil Rights at the Department of Health and Human Services, issued letters to 130 healthcare companies warning them about their use of online tracking technologies such as Google Analytics and the Meta pixel. (Read the FTC press release.)
The letter states that these technologies pose “serious privacy and security risks” that may be present on the companies’ website or app because they “impermissibly [disclose] sensitive personal health information to third parties.” The letter drives home that these technologies “gather identifiable information about users as they interact with a website or mobile app, often in ways which are not avoidable by and largely unknown to users.”
The letter is a clear warning: These types of disclosures result in “a wide range of harms,” and companies are obligated by law to protect against impermissible disclosures or face enforcement. It is essential for health-related companies to monitor the flows of health information to third parties via these technologies: The responsibility and the consequences belong to the company, period.
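A first step in that monitoring is simply finding where the loaders fire and what page context they would carry. The script below is an added example, not code from this post or from Further: it scans a set of constructed sample pages for the Google Analytics and Meta pixel loader snippets and flags pages whose URL or title would reveal a health condition or service in the page-view event. The signatures, the list of sensitive terms and the sample pages are all assumptions to be tuned for the site actually being audited.

```python
"""Audit static HTML for the GA and Meta pixel loaders and the page context they would send."""
import re
from dataclasses import dataclass, field

# Signatures for the two loaders named in the FTC/HHS letters. These are the publicly
# documented script/collection endpoints and init calls; extend the dict for other vendors.
TRACKER_SIGNATURES = {
    "Google Analytics": [
        r"googletagmanager\.com/gtag/js",
        r"google-analytics\.com/analytics\.js",
        r"\bgtag\(\s*['\"]config['\"]",
    ],
    "Meta pixel": [
        r"connect\.facebook\.net/[^/'\"]+/fbevents\.js",
        r"\bfbq\(\s*['\"]init['\"]",
        r"facebook\.com/tr\?",
    ],
}

# Constructed (assumed) terms that expose a condition or service when the page URL/title
# travels with a page-view event. Tune this list to the site being audited.
SENSITIVE_TERMS = ("oncology", "hiv", "fertility", "mental-health", "appointment", "prescription")


@dataclass
class Finding:
    page: str
    tracker: str
    evidence: str
    sensitive_context: list = field(default_factory=list)


def detect_trackers(html):
    """Return {tracker name: matched snippet} for every loader signature found in the HTML."""
    found = {}
    for name, patterns in TRACKER_SIGNATURES.items():
        for pat in patterns:
            m = re.search(pat, html, re.IGNORECASE)
            if m:
                found[name] = m.group(0)
                break
    return found


def page_title(html):
    m = re.search(r"<title>(.*?)</title>", html, re.IGNORECASE | re.DOTALL)
    return m.group(1).strip() if m else ""


def sensitive_context(url, title):
    """Sensitive terms present in the URL or title (whole-word match, case-insensitive)."""
    hay = f"{url} {title}".lower()
    return [t for t in SENSITIVE_TERMS if re.search(rf"\b{re.escape(t)}\b", hay)]


def audit(pages):
    """pages: {url: html}. One Finding per (page, tracker) pair, with any sensitive context."""
    findings = []
    for url, html in pages.items():
        title = page_title(html)
        for tracker, evidence in detect_trackers(html).items():
            findings.append(Finding(url, tracker, evidence, sensitive_context(url, title)))
    return findings


def high_risk(findings):
    """Findings where a tracker fires on a page whose URL/title exposes health context."""
    return [f for f in findings if f.sensitive_context]


# Constructed sample pages for a fictional site; not captured from any real provider.
SAMPLE_PAGES = {
    "https://clinic.example/oncology/appointment": """<html><head>
<title>Book an oncology appointment</title>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','G-EXAMPLE');</script>
</head><body>...</body></html>""",
    "https://clinic.example/about": """<html><head><title>About us</title>
<script>!function(f,b,e,v,n,t,s){...}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init','000000000000000');fbq('track','PageView');</script></head><body></body></html>""",
    "https://clinic.example/privacy": "<html><head><title>Privacy</title></head><body></body></html>",
}

if __name__ == "__main__":
    for f in audit(SAMPLE_PAGES):
        flag = "HIGH" if f.sensitive_context else "review"
        print(f"[{flag}] {f.page}: {f.tracker} via {f.evidence!r} context={f.sensitive_context}")
```

Run against a crawl of the real site (one HTML body per URL), the output separates pages that merely load a tracker from pages where the page-view itself discloses a condition or appointment, which is the disclosure the letters describe. It only sees loaders present in the served HTML; tags injected later by a tag manager need a browser-side capture of outbound requests to the same hosts.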
What Privacy Landscape Led Up to These Warnings?
Following a slate of lawsuits in the summer of 2022 targeting healthcare companies over alleged violations of the Health Insurance Portability and Accountability Act (HIPAA), the Department of Health and Human Services issued a bulletin in December 2022 on the use of online tracking technologies.
In that bulletin, companies were reminded of their obligations under HIPAA, such as having a Business Associate Agreement (BAA) in place or ensuring that one of the HIPAA de-identification standards is met before sending protected health information (PHI) to external parties. (Read our related post, “Is There a Cure for Google Analytics in Healthcare?”) The bulletin also reminded health-related companies that they may be subject to the FTC’s Health Breach Notification Rule even if they are not HIPAA-covered entities.
The recent letter doubles down on this stance by directly reaching out to major hospital systems and telehealth providers, warning them of potential harm to people and of impending enforcement risk.
This continues the recent surge of enforcement activity against health companies that began at the start of the year. Already, the FTC has reached settlements with several companies such as GoodRx, Flo Health, BetterHelp, and 1Health with corrective actions ranging from fines to a complete ban on using user data for advertising.
Why These Warnings are Important
- As the second, and more targeted, warning over online tracking, this will likely be the final warning before the organizations that received letters become subject to potential enforcement actions.
- Consent decrees from enforcement settlements tend to be exceptionally strict and long-lasting. In addition to fines and mandated compliance measures, the corrective actions can affect existing revenue streams and marketing strategies.
- Companies subject to enforcement also face public relations issues and loss of consumer trust, which is critical in the healthcare space.
How Further Can Help
You can work with our privacy team to audit the tracking technologies in use on your website(s). We will flag any technology, page location, or data collection type that may pose a risk. We can also assess marketing and reporting processes and strategies to create a roadmap of any tracking technology changes that may be needed.
Once you have a plan, we can help you activate it, whether you need help implementing critical systems, such as Consent Management Platforms, creating centralized records of consent with your CDP, or migrating to HIPAA-compliant platforms such as Adobe Customer Journey Analytics (CJA).