Heeding FTC, HHS warnings on online health information tracking
As patients embrace and health systems adopt digital health services, the federal government is sending warnings about the potentially unforeseen risk of sharing health information online.
Earlier this summer, the Federal Trade Commission (FTC) and the Office for Civil Rights (OCR) sent a letter to dozens of unnamed hospital systems and telehealth providers warning about technologies that track users’ online behavior. The main culprits, according to the agencies, are Facebook pixel and Google Analytics.
The issue, as stated in the letter and emphasized in a blog post: “HIPAA regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to third parties or any other violations of the HIPAA [Privacy, Security, and Breach Notification] Rules.”
Under the hood, tracking technologies gather users’ identifiable information as they navigate a website or mobile application, “often in ways which are not avoidable by and largely unknown.” Even if the companies developing this technology aren’t technically covered by HIPAA, FTC and OCR said in a statement, they nonetheless “still have a responsibility to protect against the unauthorized disclosure of personal health information,” or PHI.
The joint letter had been many months in the making. It followed FTC enforcement action against numerous vendors for previously undisclosed breaches. These include a proposed $8 million settlement with online counseling service BetterHelp, which shared information with Facebook and Snapchat, along with a $1.5 million fine for GoodRx for sharing data with Facebook and Google and similar settlements with fertility and ovulation tracking services Easy Healthcare and Flo Health.
Additionally, OCR’s parent agency, the Department of Health and Human Services (HHS), issued a bulletin in December 2022 outlining how the use of tracking technologies applies to HIPAA covered entities, pointing specifically to the permissions required for the disclosure of information. Meanwhile, the FTC issued a research note in March unpacking the pixel-tracking technology at the heart of the BetterHelp and GoodRx cases – technology used largely for targeted marketing and “invisibly embedded within web pages” without consumers’ knowledge or consent.
These privacy and security risks pose a particular challenge in light of the popularity of digital health apps, which nearly 90 million Americans now use to manage their health and wellness outside the traditional care setting. To that end, health systems should take several steps to ensure PHI remains private and the applications their patients use don’t pose a security risk.
First, review what data is being collected across all websites and mobile applications, as well as with whom data is being shared. Next, make sure proper consent or authorization has been obtained if health information is being shared, and assess whether sharing is happening in a compliant way.
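As an added illustration of that first step (not code from the article, the FTC or OCR), the following Python script audits the HTML of a single page for the two trackers the letter names, reporting both externally loaded scripts and pixel beacons and the inline bootstrap calls that load them. The tracker hostnames and the sample patient-portal page are my own assumptions and constructions, not taken from the article.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Assumed hosts for the trackers named in the FTC/OCR letter, plus the inline
# bootstrap calls that load the same trackers without an external src.
TRACKER_HOSTS = {"connect.facebook.net": "Facebook pixel (fbevents.js)",
                 "www.google-analytics.com": "Google Analytics",
                 "www.googletagmanager.com": "Google Tag Manager / GA4"}
INLINE_CALLS = {"Facebook pixel (inline fbq call)": r"\bfbq\s*\(",
                "Google Analytics (inline gtag/ga call)": r"\b(gtag|ga)\s*\("}

def classify_src(src):
    """Tracker name for a script/img/iframe URL, or None if it is not one."""
    u = urlparse(src)
    if u.netloc.lower() == "www.facebook.com":   # only /tr is the pixel beacon
        return "Facebook pixel (image beacon /tr)" if u.path == "/tr" else None
    return TRACKER_HOSTS.get(u.netloc.lower())

class TrackerAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._script = [], None   # (tracker, tag, url/snippet)
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "img", "iframe") and src and classify_src(src):
            self.findings.append((classify_src(src), tag, src))
        if tag == "script":
            self._script = []                    # start buffering inline JS
    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script)
            for name, pattern in INLINE_CALLS.items():
                if re.search(pattern, body):
                    self.findings.append((name, "script", body.strip()[:50]))
            self._script = None

def audit_html(html):
    parser = TrackerAuditor()
    parser.feed(html)
    return parser.findings

# Constructed sample resembling a patient-portal page; not a real site.
SAMPLE = """<html><head><script>fbq('init','PIXEL_ID');fbq('track','PageView');</script>
<script async src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
</head><body><img src="https://www.facebook.com/tr?id=PIXEL_ID&amp;ev=PageView" width="1" height="1">
<a href="https://www.facebook.com/hospital">Follow us</a></body></html>"""
```

Running `audit_html(SAMPLE)` yields four findings: the inline fbq bootstrap, the fbevents.js script, the Google Tag Manager script and the Facebook /tr image beacon; the ordinary link to a Facebook page is correctly not flagged.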
It’s important to note that there’s a difference between personal and consumer health information, according to the law firm Manatt, Phelps & Phillips, LLP; the latter is subject to the FTC Health Breach Notification Rule, under which both GoodRx and BetterHelp were recently fined.
It’s also worth evaluating whether it’s possible to reduce or even eliminate the use of tracking technology, the law firm Akerman LLP said. While this may require changes to which applications clinical teams recommend to patients, updates to consent policies, or modifications to entire sections of a website, the key benefit – a reduced risk of impermissible data disclosure – may outweigh the consequences of a breach, a fine, and bad publicity.