The Matrix

In the letter, the agencies identified the risks they perceive exist from the unauthorized disclosure of an individual’s personal health information to third parties. For example, they claim that the disclosure of such information could reveal sensitive information including health conditions, diagnoses, medications, medical treatments, frequency of visits to health care professionals, and where an individual seeks medical treatment.

The HHS previously highlighted these concerns in a bulletin the agency issued late last year that reminded entities covered by the Health Insurance Portability and Accountability Act (HIPAA) of their legal responsibilities to protect health data from unauthorized disclosure.  Furthermore, the FTC has taken the position that companies not covered by HIPAA also have a responsibility to protect against the unauthorized disclosure of personal health information—even when a third party developed their website or mobile app. The FTC’s recent enforcement actions against BetterHelp, GoodRx and Premom, as well as guidance from its Office of Technology, reveal that the agency expects companies to monitor the flow of health information to third parties that use tracking technologies integrated into websites and apps. The FTC claims that the unauthorized disclosure of such information may violate the FTC Act and could constitute a breach of security under the FTC’s Health Breach Notification Rule.

In addition to the heightened attention from the FTC and OCR, private class actions have been filed against health care entities employing tracking or behavioral advertising technology on their websites, which has been reported to be a prevalent practice.  Therefore, it is advisable for health care entities to conduct a legal review to determine how or whether to utilize third-party tracking technologies on their websites or apps.