FTC and OCR Issue Joint Website Tracking Warning Letter


If you're involved with any health information, even if you're not covered by HIPAA, you should be aware of the federal government's recent position that there may be serious privacy risks with the use of online tracking technologies that may be present on a website or mobile app that tracks consumers' sensitive personal health information. Last week, the Federal Trade Commission ("FTC") and the U.S. Department of Health and Human Services' Office for Civil Rights ("OCR") issued a joint letter ("Joint Letter") (https://www.ftc.gov/system/files/ftc_gov/pdf/FTC-OCR-Letter-Third-Party-Trackers-07-20-2023.pdf) to approximately 130 hospitals and telehealth providers, warning that online tracking technologies integrated into their websites and/or mobile apps may be improperly disclosing personal health data to third parties.

Technology such as Google Analytics and Meta/Facebook Pixel can track a user's online activities and, unbeknownst to the user, may gather personally identifiable information. If you are a covered entity or business associate (a "regulated entity") under HIPAA, you must comply with the HIPAA Privacy, Security, and Breach Notification Rules with regard to protected health information ("PHI") that is transmitted or maintained in electronic or any other form or medium. Under HIPAA, impermissible uses/disclosures are presumed to be a reportable breach unless it can be demonstrated that there is a low probability of compromise when considered under the four factors set forth at 45 C.F.R. 164.402.

Impermissibly disclosed information may range from a consumer's browsing history on a regulated entity's webpage, which may not be a reportable breach if a determination is made that there is a low probability that the consumer's PHI was compromised, to something more sensitive such as the disclosure of a patient's health conditions, diagnoses, medications, medical treatments, frequency of visits to health care professionals, and where an individual seeks medical treatment. Such disclosures can result in financial loss, stigma, discrimination, mental anguish, or identity theft, among many other potential repercussions. It should be noted that in December 2022, OCR issued a bulletin which, among other things, cautioned that regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors. The Joint Letter serves as a reinforcement of the warnings made last year. The American Hospital Association ("AHA") recently submitted comments to OCR asking that it reconsider the position taken in the December 1, 2022 Bulletin. Specifically, the AHA believes that the guidance is too broad and will result in significant adverse consequences for hospitals, patients and the public at large, and that by treating an IP address as PHI under HIPAA, public access to credible health information will be reduced.

The government letter warned that even if an entity is not covered by HIPAA, it still has an obligation to protect against impermissible disclosures of personal health information under the FTC Act. This is true even if a third party developed the website or mobile app and even if the information obtained through use of a tracking technology is not used for any marketing purposes. The FTC and OCR strongly urged monitoring of data flows to third parties via technologies integrated into websites, and warned that disclosure of such information without a consumer's authorization can, in some circumstances, violate the FTC Act as well as constitute a breach of security under the FTC's Health Breach Notification Rule.

You can see Fox Rothschild attorneys' related posts here:

Odia Kagan's Post on Third-Party Trackers' Risks (July 2022): Beware of Third-Party Trackers Like Meta Pixel. Ignoring Them Could Be Costly. | HIPAA & Health Information Technology (foxrothschild.com)

Elizabeth Litten's Post on OCR's December 2022 Bulletin (December 2022): OCR Warns Providers About Patient Data Trackers | HIPAA & Health Information Technology (foxrothschild.com)

Elizabeth Litten's Post on the FTC's Complaint Alleging that BetterHelp Engaged in Unfair and Unreasonable Privacy Practices (March 2023): Better Keep Health Data Private, FTC Signals to On-Line Health Care Providers | HIPAA & Health Information Technology (foxrothschild.com)
