On July 20, 2023, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) sent a joint letter to approximately 130 hospitals, telehealth providers, health app developers, and other healthcare industry companies warning of the “serious privacy and security risks” related to the use of online tracking technologies integrated into their websites and mobile apps. The FTC and OCR each released a press release about the joint letter.

In the letter, the FTC and OCR reiterated their concern that companies that use these online tracking technologies may gather personal health information—such as health conditions, diagnoses, and medications—from users without their consent. The agencies emphasized that companies that use these online tracking technologies may be making unauthorized disclosures of individuals’ personal health information to third parties in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the Health Breach Notification Rule (HBNR).

The letter follows OCR’s December 2022 Bulletin that potentially expanded the types of websites and applications governed by HIPAA. The FTC also reminded companies not covered by HIPAA of their responsibility to protect against the unauthorized disclosure of personal health information, highlighting its recent enforcement actions against GoodRx and BetterHelp.

The letter serves as yet another indication that OCR and FTC plan to be more aggressive in enforcing violations of HIPAA, the HBNR, and other laws and regulations that they allege are occurring through health-related websites’ and mobile apps’ use of online tracking technologies. Combined with the recent onslaught of class action lawsuits filed against hospital systems using online tracking technologies, healthcare companies and health-related websites and mobile apps should closely monitor their practices related to their collection, use, and disclosure of consumers’ personal health information via tracking technologies.[1]

Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning privacy compliance, please contact Haley Bavasi, Tracy Shapiro, Hale Melnick, Stacy Okoro, or any member of the firm’s privacy and cybersecurity practice.

[1] Additional information from the FTC about the risks relating to online tracking technologies can be found at this blog post. More information about the FTC’s general concerns around health information can be found at this blog post.