Home Health Law FTC and OCR Difficulty Joint Web site Monitoring Warning Letter

FTC and OCR Difficulty Joint Web site Monitoring Warning Letter

FTC and OCR Difficulty Joint Web site Monitoring Warning Letter


If you’re concerned with any well being info, even in case you are not lined by HIPAA, you need to be conscious of the federal government’s latest place that there could also be severe privateness and severe dangers with use of on-line monitoring applied sciences that could be current on an internet site or cell app that tracks client delicate private well being info.  Final week, the Federal Commerce Fee (“FTC”) and the U.S. Division of Well being and Human Companies’ Workplace for Civil Rights (“OCR”) issued a joint letter (“Joint Letter”) (https://www.ftc.gov/system/recordsdata/ftc_gov/pdf/FTC-OCR-Letter-Third-Social gathering-Trackers-07-20-2023.pdf) to roughly 130 hospitals and telehealth suppliers, warning that on-line monitoring applied sciences built-in into their web sites and/or cell apps could also be improperly disclosing private well being knowledge to 3rd events.

Expertise resembling Google Analytics and Meta/Fb Pixel can observe a person’s on-line actions which, unbeknownst to the person, could collect personally identifiable info. If you’re a lined entity or enterprise affiliate (a “regulated entity”) below HIPAA, you should adjust to the HIPAA Privateness, Safety, and Breach Notification Guidelines, with regard to protected well being info (“PHI”) that’s transmitted or maintained in digital or another kind or medium.  Beneath HIPAA, impermissible makes use of/disclosures are presumed to be a reportable breach until it may be demonstrated that there’s a low chance of compromise when thought-about below the 4 components set forth at 45 C.F.R. 164.402

Impermissibly disclosed info could vary from a client’s shopping historical past on a regulated entity’s webpage, which might not be a reportable breach if a dedication is made that there’s a low chance that the patron’s PHI was compromised, to one thing extra delicate such because the disclosure of a affected person’s well being circumstances, diagnoses, drugs, medical therapies, frequency of visits to well being care professionals, and the place a person seeks medical therapy. Such disclosures may end up in monetary loss, stigma, discrimination, psychological anguish, or id theft, amongst many different potential repercussions. It needs to be famous that in December 2022, OCR issued a bulletin which, amongst different issues, cautioned that regulated entities usually are not permitted to make use of monitoring applied sciences in a way that will end in impermissible disclosures of PHI to monitoring expertise distributors. The Joint Letter serves as a reinforcement of the warnings made final 12 months. The American Hospital Affiliation (“AHA”) submitted feedback to OCR lately asking that they rethink the place taken within the December 1, 2022 Bulletin. Particularly, the AHA believes that the steerage is just too broad and can end in important hostile penalties for hospitals, sufferers and the general public at giant, and that by treating an IP handle as PHI below HIPAA, public entry to credible well being info shall be decreased.

The federal government letter warned that even when an entity is just not lined by HIPAA, it nonetheless has an obligation to guard in opposition to impermissible disclosures of private well being info below the FTC Act. That is true even when a 3rd social gathering developed the web site or cell app and even when the knowledge obtained by way of use of a monitoring expertise is just not used for any advertising and marketing functions. The FTC and OCR strongly urged monitoring of knowledge flows to 3rd events through applied sciences built-in into web sites, and warned that disclosure of such info with no client’s authorization can, in some circumstances, violate the FTC Act in addition to represent a breach of safety below the FTC’s Well being Breach Notification Rule.

You may see Fox Rothschild attorneys’ associated posts right here:

Odia Kagan’s Put up on Third-Social gathering Trackers’ Dangers (July 2022): Watch out for Third-Social gathering Trackers Like Meta Pixel. Ignoring Them Might Be Expensive. | HIPAA & Well being Data Expertise (foxrothschild.com)

Elizabeth Litten’s Put up on OCR’s December 2022 Bulletin (December 2022): OCR Warns Suppliers About Affected person Information Trackers | HIPAA & Well being Data Expertise (foxrothschild.com)

Elizabeth Litten’s Put up on the FTC’s Grievance Alleging that BetterHelp Engaged in Unfair and Unreasonable Privateness Practices (March 2023): Higher Hold Well being Information Personal, FTC Indicators to On-Line Well being Care Suppliers | HIPAA & Well being Data Expertise (foxrothschild.com)



Please enter your comment!
Please enter your name here