On July 20, 2023, the Office for Civil Rights (OCR) at the Department of Health and Human Services and the Federal Trade Commission (FTC) jointly issued a warning letter to approximately 130 hospitals and telehealth providers regarding the risks of sharing consumer health data with third parties through the use of online tracking technologies.
This joint action builds on previous enforcement activity and guidance from both agencies, including:
- OCR’s December 2022 bulletin on HIPAA applicability to tracking technologies (see our earlier post, Cookies May Be Bad for Your Health)
- FTC enforcement actions against GoodRx, BetterHelp, and Easy Healthcare/Premom
Previous FTC Enforcement Actions
GoodRx ($1.5 Million Settlement)
The FTC took action against GoodRx for sharing sensitive health information with advertising platforms including Facebook, Google, and Criteo. The settlement required GoodRx to pay a $1.5 million civil penalty, the first FTC enforcement action under the Health Breach Notification Rule.
BetterHelp ($7.8 Million Consumer Redress)
The FTC settled with online mental health platform BetterHelp for sharing mental health data with Facebook, Snapchat, Criteo, and Pinterest for advertising purposes. The settlement required $7.8 million in consumer redress.
Easy Healthcare/Premom ($100,000 Civil Penalty)
The period tracking app Premom was required to pay a $100,000 civil penalty and comply with the Health Breach Notification Rule after sharing users’ health data with advertising services.
Significance of the Joint OCR/FTC Letter
The joint letter signals an intensified coordinated enforcement approach between the two agencies. By writing directly to specific hospitals and telehealth providers, rather than issuing general guidance, OCR and the FTC are putting covered entities on notice that specific practices identified in the letter are under scrutiny.
Organizations that received the letter, and those that did not, should treat it as a call to action: evaluate their tracking technology practices and confirm compliance with both HIPAA and FTC requirements.
Recommended Action Items
- Audit current tracking technologies: Identify all tracking technologies used on your website and mobile apps
- Assess PHI disclosure: Determine whether disclosed information constitutes PHI based on the OCR guidance
- Review vendor agreements: Ensure BAAs are in place with all vendors receiving PHI
- Evaluate FTC obligations: Assess obligations under the FTC Act and Health Breach Notification Rule, even if not HIPAA-covered
- Update breach notification practices: Account for potential breach notification obligations when tracking technologies disclose PHI without proper authorization
Fey LLC helps organizations navigate complex data privacy and cybersecurity challenges.