Over a year ago the FTC fired the first warning shot – the FTC health breach notification rule would be used as the basis for enforcement actions where sites and apps shared health information without a user’s permission. Following suit, a few months ago, OCR announced guidance of its own that expanded the class of websites and apps governed by HIPAA. (You can read our coverage of both moves here and here.) Combined, these two moves restrict the sharing of health data with third parties –specifically when that data is shared with online advertisers.
The FTC is finding that old rules can bear new fruit. In the first settlement since announcing new guidance, the FTC has settled with GoodRx for violations of the Health Breach Notification rule. The FTC cited numerous failures by GoodRx when it came to protecting privacy, including: failure to limit third party use of personal health information, misrepresentations around HIPAA compliance, and insufficient policies to protect personal health information.
Under the settlement, GoodRx is required to:
- No longer share health data for advertising purposes
- Obtain consent prior to sharing certain health data
- Take steps to delete date already shared
- Limit data retention
- Implement a comprehensive privacy program
Similar to other recent settlements, the conditions show that the FTC is willing to go beyond monetary damages to enforce consumer privacy. Namely, we are increasingly seeing affirmative obligations to limit data sharing and retention, and claw back data that’s already been shared.
In addition, the guidance takes aim at GoodRx, not the tracking technologies operating on the site (e.g., the Meta pixel). The message is clear – if you own the site or app, you can be liable for how those technologies behave.
OCR Guidance and Private Parties
Making matters more complicated, the recent OCR guidance may have opened the floodgates for private parties to pursue litigation based on the types of technologies that covered entities place on their websites. For example, a class action was filed on January 20, 2023 in Ohio state court alleging that the defendant, Christ Hospital, unlawfully disclosed the class members’ sensitive medical information to third parties, including Meta (formerly Facebook), without notice or consent.
The base of the claim is that Christ Hospital maintains a website through which existing patients can access a patient portal to view their medical records, test results, and previous or upcoming appointments. Another portion of the website enables new or existing patients to search for available doctors by location and specialty to book appointments or learn about specific services. The Hospital allegedly embedded a Meta Pixel, which is a Meta-owned tracking device, on the website that would communicate information from the patient portal to Meta and other third parties. Importantly, the Complaint as written does not seem to distinguish between the “MyChart” section of the website and other areas of the website that allows new prospective patients to search for doctors or look for appointments. In support of its claim, the Complaint sites the new OCR guidance stating that: “HHS has expressly stated that Defendant has violated HIPAA Rules by implementing the Meta Pixel without the required notice to, and written authorization from, its patients, including Plaintiff and Class Members. See Doe v. The Christ Hospital, Case: 1:23-cv-00031-DRC at¶ 88.
Of course, it has always been the case since HIPAA came into effect that covered entities were prohibited from disclosing protected health information without consent. The key takeaway here is that the use of tracking technologies alone, even if the purpose of using the specific technology is site maintenance or metrics, may be enough to constitute disclosure of PHI requiring HIPAA authorization or business associate agreement. Also, sections of the website that merely allow website visitors to search for doctors and available appointments also now appear to fall under HIPAA’s scope.
While we wait to learn how this case will unfold, one thing is clear: the use of tracking technologies on certain websites may mean a new wave of litigation in the healthcare space.
Entities operating in the healthcare space need to pay close attention to how their websites and apps process and share consumer data- whether they’re covered by HIPAA or not. Indeed, the combined actions of the FTC and OCR show increasing pressure to limit and even outright ban the sharing of health data. Therefore, while the GoodRx settlement may be the first, it is certainly a harbinger of what’s to come.
Moreover, the recent guidance from OCR seems to have emboldened private parties to seek redress for alleged violations of the guidance. While HIPAA does not itself have a private right of action, it is commonly cited in consumer actions that allege misuse of protected health information.
All told, if you are processing health information, even information that may seem innocuous (e.g., hosting a page where individuals can locate a practice or appointment), take a second and maybe a third look at your data handling and sharing practices particularly when it comes to third party tracking technologies.