On July 20, 2023, HHS and the Federal Trade Commission (“FTC”) issued a joint letter to approximately 130 companies regarding their online data collection practices. The letter follows the much-discussed December 1, 2022, Bulletin that expanded the kinds of websites and applications governed by HIPAA (you can read our analysis of the bulletin here). This action is another clear signal that both agencies are prioritizing this area for enforcement.

What the Letter Says

The letter, which can be found here, was sent to companies that use online tracking technologies that disclose sensitive personal health information to third parties, potentially in violation of HIPAA or the FTC Health Breach Notification Rule. In the letter, HHS’s Office for Civil Rights (“OCR”) and the FTC emphasize that the use of certain tracking technologies in ways that are unavoidable and unknowable to the user may constitute an impermissible disclosure of information. Finally, the letter makes clear that both agencies are “closely watching developments in this area” and warns businesses to take protective actions to shield individuals’ health information.

What the Letter Means for Healthcare Companies

Ultimately, the concerns raised in the letter relate to the way tracking technologies gather health information about consumers without consent. When users visit health websites or apps, they are often compelled to provide information about appointments, diagnoses, and medications without realizing the level of detail potentially shared with third parties via these technologies.

Another important takeaway from the letter is that the guidance applies to more than just HIPAA covered entities. Even if a company is not subject to HIPAA, the collection of sensitive health information may still fall under the purview of the FTC because of its Health Breach Notification Rule. The letter refers to several recent FTC law enforcement actions related to the use of tracking technologies on websites and applications, underscoring that all companies operating websites or applications in the health and wellness space need to be paying attention.

Steps Healthcare Companies Should Take

While this letter may be an indication that enforcement actions are in the pipeline, we urge any company in the healthcare space to:

  1. Determine what websites and mobile applications you maintain that collect health information.
  2. Assess which trackers are on those websites and mobile applications, and whether they were developed by you or are offered by a third party.
  3. Evaluate what regulatory regime applies and how to bring use of those trackers in line with regulatory requirements. In some cases, that may require user consent or disabling the use of certain tracking technologies.
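As an added illustration of step 2 (this is example code written for this page, not a tool from the post's authors or from either agency), the script below inventories the scripts, images and iframes a page loads and classifies each by whether its registrable domain matches the site's own. The sample HTML, the clinic-example.org site and the example-analytics.com and example-ads.com hosts are all constructed for the example; the registrable-domain check is a deliberate simplification (last two DNS labels) that a real audit should replace with a Public Suffix List lookup.

```python
"""Inventory the script, image and iframe resources a page loads and
classify each as first-party or third-party by registrable domain.
Constructed sample HTML is embedded so the script runs offline."""
from html.parser import HTMLParser
from urllib.parse import urlparse, urljoin

# Constructed sample page for a hypothetical clinic site (not a real site).
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-analytics.com/tag.js"></script>
<script async src="https://static.example-ads.com/pixel.js"></script>
</head><body>
<img src="https://px.example-ads.com/t.gif?ev=appointment&dx=diabetes" width="1" height="1">
<img src="https://www.clinic-example.org/logo.png">
<iframe src="https://chat.clinic-example.org/widget"></iframe>
<a href="https://www.clinic-example.org/appointments">Book</a>
</body></html>
"""

# Tags that cause the browser to fetch a resource, and the attribute holding its URL.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src"}


def registrable_domain(host):
    # Simplification: treat the last two labels as the registrable domain.
    # A real audit should use the Public Suffix List (e.g. "co.uk" suffixes).
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class ResourceCollector(HTMLParser):
    """Collect (tag, url, attributes) for every resource-loading tag."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        url = attrs.get(attr)
        if url:
            self.resources.append((tag, url, attrs))


def inventory_resources(html, page_url):
    """Return one dict per loaded resource: tag, absolute URL, host, whether it
    is third-party, whether it carries query parameters, and whether it is a
    1x1 image (the usual shape of a tracking pixel)."""
    site_domain = registrable_domain(urlparse(page_url).hostname or "")
    parser = ResourceCollector()
    parser.feed(html)
    findings = []
    for tag, url, attrs in parser.resources:
        absolute = urljoin(page_url, url)
        parsed = urlparse(absolute)
        host = parsed.hostname or ""
        findings.append({
            "tag": tag,
            "url": absolute,
            "host": host,
            "third_party": registrable_domain(host) != site_domain,
            "has_query": bool(parsed.query),
            "pixel_sized": tag == "img"
            and attrs.get("width") == "1"
            and attrs.get("height") == "1",
        })
    return findings


def third_party_hosts(findings):
    """Distinct third-party hosts, sorted, for the vendor review list."""
    return sorted({f["host"] for f in findings if f["third_party"]})


def flagged(findings):
    """Third-party resources that carry query parameters or are pixel-sized.
    Review these first: a query string on a third-party request can carry
    page context such as the appointment type or condition the user viewed."""
    return [f for f in findings
            if f["third_party"] and (f["has_query"] or f["pixel_sized"])]


if __name__ == "__main__":
    results = inventory_resources(SAMPLE_HTML, "https://www.clinic-example.org/appointments")
    for f in results:
        party = "third-party" if f["third_party"] else "first-party"
        print(f"{f['tag']:6} {party:11} {f['url']}")
    print("review first:", [f["url"] for f in flagged(results)])
```

Run against a saved copy of each page from the inventory in step 1; the third-party host list is the starting point for step 3, since each host maps to a vendor whose contractual and consent status has to be established. The sample deliberately includes a first-party subdomain (chat.clinic-example.org) to show that a different hostname is not by itself a third party.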