Tracking technologies (pixels, cookies, etc.) are invisible and everywhere. Offered by
Who is tracking what now?
Most of us understand very little about what kind of personal information companies' websites collect, how these companies use that information, and how and with whom they share it. Digital health platforms, in particular, often collect sensitive and private personal information about website users. Regulators believe (and their policies reflect) that this heightens the need for transparency and privacy protections.
Who is enforcing rules related to tracking technologies?
The Department of Health and
Here are some recent actions that indicate heightened scrutiny of tracking technology usage:
- Starting in December 2022, OCR published a bulletin advising regulated entities of potential noncompliance with HIPAA (e.g., not having a Business Associate Agreement in place with advertisers that use tracking technologies). OCR advised that regulated entities should ensure all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule and that, unless an exception applies, these entities disclose only the minimum necessary PHI to achieve the intended purpose. OCR also advised that regulated entities should establish BAAs with tracking vendors that meet the definition of a "Business Associate". Lastly, OCR recommended addressing the use of tracking technologies in a regulated entity's internal risk management protocol.
- In early 2023, the FTC levied two enforcement actions (against GoodRx and BetterHelp) resulting in millions of dollars in fines for failing to alert customers that tracking technologies were being used without their consent and for failing to comply with the HBNR (e.g., privacy policies that did not mention the use of tracking technologies).
- In July 2023, the FTC and OCR published a joint letter cautioning hospitals and telehealth providers about the privacy and security risks related to online tracking technologies integrated into their websites or mobile apps that may impermissibly disclose consumers' sensitive personal health data to third parties.
What does that mean for my digital health business?
Tracking technologies collect personal information about digital health website users for marketing purposes. This information may include basic demographic information, more sensitive health-related data, and IP addresses and location data. If the digital health company is a Covered Entity or Business Associate without a Business Associate Agreement (BAA) with the tracking technology company, every instance of data collection may violate HIPAA. Penalties for violations of this nature can reach up to
If the digital health company is not subject to HIPAA, they may be subject to
How do I remain compliant when using tracking technologies?
First, you need to determine if the information you collect on your website (and share with tracking technology vendors) is subject to HIPAA or the HBNR. This is not always obvious, but a good rule of thumb is that if you're collecting personally identifiable information on behalf of a healthcare payor or a healthcare provider (e.g., telehealth network) that submits claims to payors, then you're likely subject to HIPAA. **This is the case even if your company does not collect any health-related information.** A simple name and email address combo can be PHI. Even an IP address on its own may be considered PHI in some circumstances.
If you're not subject to HIPAA, you may still be subject to the HBNR. The FTC HBNR requires healthcare entities to notify consumers following a breach involving unsecured, individually identifiable health information. If a service provider/IT vendor to one of these entities has a breach, it must notify the entity, which in turn must notify consumers. The
HIPAA Compliance Checklist
If you're subject to HIPAA, take these steps immediately:
- Sign BAAs - Execute a BAA with any tracking technology vendor that meets the definition of a "business associate"; OR
- De-identify Before Sharing - Use a de-identification service that de-identifies PHI on the website before disclosing it. Data stripped of identifiers is not PHI subject to HIPAA. Note:
- Patient Disclosure & Authorization - Inform users that you share PHI with third parties, including tracking technology vendors, for the purpose of advertising and marketing. Include this in your privacy policy, website disclaimers, and terms of use documentation. If you plan to sell this information, obtain explicit HIPAA-compliant authorization from patients to do so.
FTC Compliance Checklist
If you're not subject to HIPAA, but you're collecting and sharing health information with tracking technology vendors, take these steps:
- Beef up Your Privacy Policies - Publish and maintain accurate privacy policies on all consumer-facing websites, patient portals, and mobile applications. Disclose your intention to share information for the purposes of advertising with third parties. The
- HBNR Compliance - Establish a mechanism to report any potential breaches of consumer health data under HBNR requirements.
Key Takeaway
Three Steps to Get Started
- Review consumer-facing privacy policies to ensure they accurately describe your use of tracking technologies in marketing and advertising. Also, verify that your privacy policy describes how consumer information is used in marketing.
- Engage with tracking technology vendors to discuss the possibility of signing a BAA with sufficient safeguards for using PHI. Also, evaluate your arrangement from a technical standpoint to determine whether tracking technologies are being used on your website. Alternatively, you may find a vendor who can de-identify the information before it is transferred to a tracking vendor.
- Ensure the internal privacy compliance program adequately addresses protocols for data loss, breaches, and other unauthorized dissemination of consumer health information.
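The second step above calls for a technical check of which tracking technologies a site actually loads. As an added example (not part of the original article), the Python script below parses a page's HTML and lists every script, image pixel and iframe served from a host other than the first-party site, giving a compliance team a vendor inventory to reconcile against its BAA list; the sample HTML and vendor hostnames are constructed for the demonstration.

```python
"""Inventory third-party resources (scripts, pixels, iframes) in page HTML."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one first-party stylesheet and image, a
# third-party analytics script, a 1x1 tracking pixel and a vendor iframe.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://analytics.example-vendor.com/tag.js"></script>
</head><body>
<img src="https://px.example-ads.net/collect?ev=pageview" width="1" height="1">
<img src="/images/logo.png">
<iframe src="https://chat.example-vendor.com/widget"></iframe>
</body></html>
"""


class ResourceCollector(HTMLParser):
    """Collects (tag, url) pairs for elements that fetch remote resources."""
    TRACKED = {"script": "src", "img": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = self.TRACKED.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        if url:
            self.resources.append((tag, url))


def find_third_party_resources(html, first_party_host):
    """Return a sorted list of (tag, host, url) for resources on other hosts."""
    parser = ResourceCollector()
    parser.feed(html)
    found = []
    for tag, url in parser.resources:
        # Relative URLs have no host and are first-party; protocol-relative
        # URLs ("//host/path") still yield a host via urlparse.
        host = urlparse(url).netloc.lower()
        if host and host != first_party_host.lower():
            found.append((tag, host, url))
    return sorted(found)


if __name__ == "__main__":
    for tag, host, url in find_third_party_resources(SAMPLE_HTML, "www.example-clinic.org"):
        print(f"{tag:6} {host:30} {url}")
```

Each host in the output should map to a vendor with a signed BAA (or to de-identified data only); anything unaccounted for is a disclosure to investigate.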
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
Ms Richmond
URL: www.nixongwiltlaw.com
© Mondaq Ltd, 2024 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source