The Federal Trade Commission and US Dept. of Health and Human Services Office for Civil Rights sent 130 hospital system and telehealth providers a letter reminding them of their responsibilities related to processing health data, both under HIPAA and other laws. The Departments issued not one, not two, but three press releases highlighting the letter. The letters aimed to focus on the
serious privacy and security risks related to the use of online tracking technologies that may be present on your website or mobile application….
The Departments note that online tracking technologies, such as cookies and pixels, may end up disclosing protected health information or other health data to third parties in an impermissible manner. HIPAA covered entities and business associates should remember that HIPAA doesn’t just apply to PHI collected electronically or on paper – it also applies to PHI collected and disclosed in the context of online tracking. The HHS’s December, 2022 bulletin on HIPAA and online tracking is a helpful primer on navigating this space.
Even if a company does not process PHI regulated by HIPAA, if it processes other health data, the letter notes that:
The disclosure of such information without a consumer’s authorization can, in some circumstances, violate the FTC Act as well as constitute a breach of security under the FTC’s Health Breach Notification Rule.
So, steering clear of PHI does not earn you a pass when handling health data. The letter then contains a footnote with a laundry list of recent enforcement actions in this space. The FTC clearly does not want anyone to forget about its recent activity.
And just one more reminder – these rules don’t just apply to websites. They also apply to apps. So, a quick check of what your sites and apps are doing with health data may be a good regular practice to adopt.