The FTC and OCR at HHS are continuing to scrutinize the use of tracking technologies that may reveal information about a person’s health or health status. Both agencies recently sent a letter to a reported 130 hospitals and telehealth providers warning about the use of tracking technologies and the risks they pose. This follows on the heels of other statements, guidance, and enforcement actions from these regulators about these tools over the past two years.
Last year, OCR highlighted its concerns about the improper disclosure of protected health information through tracking technologies in a bulletin. While organizations regulated by HIPAA have specific considerations when it comes to cookies and other tracking tools, companies outside of HIPAA have their own set of requirements to keep in mind. These include the FTC’s Health Breach Notification Rule (HBNR) (currently under review for amendment) and allegations of unfair or deceptive practices under Section 5 of the FTC Act. There may be additional considerations under state “comprehensive” privacy laws as well.
The FTC first foreshadowed how these considerations apply to non-HIPAA “health information” in 2021 in a case involving a popular fertility tracking app. There, the company was inadvertently disclosing information about users’ fertility status via tools used to track analytics events (not marketing). Ultimately, depending on how a company configures a tracking technology on its site and/or apps, the disclosure of “health” information without a consumer’s authorization may violate the FTC Act and the HBNR. Companies regulated by HIPAA are not subject to the HBNR, but could still face FTC Act violations. Additional published resources (here and here) and the recent string of cases against digital health companies this year have further cemented that this remains a key priority for the FTC.
Putting it into practice: This warning letter adds nothing substantively new to the conversation about the use of tracking technologies on sites and apps that collect data revealing information about a person’s health. However, it sends a clear and unequivocal warning to companies to carefully audit their use of tracking technologies (even if deployed for analytics rather than marketing) that may convey information about a person’s health, and to take steps to remediate. The disclosure of personal health information without the data subject’s authorization may violate HIPAA, Section 5 of the FTC Act, the HBNR and/or the entity’s own privacy notice. While the letter puts companies on notice to the extent they are using tracking technologies, it also serves as a reminder of potential civil penalties for using these tools in a way that contradicts agency guidance. The letter also represents another example of the FTC’s strategy of bringing joint enforcement actions with other agencies (both state and federal) and seeking civil penalties in light of the Supreme Court’s AMG Capital decision (which curbed the FTC’s ability to seek certain monetary relief).