Nixon Law Group

View Original

[March 2024 Update] Key Pitfalls to Avoid when using Tracking Technologies for DTC Digital Health and Telemedicine Performance Marketing

Tracking technologies (pixels, cookies, etc.) are invisible and everywhere. Offered by Meta’s Pixel and Google Analytics, and by many social media platforms like Instagram and TikTok, tracking technologies are the workhorse behind tailored advertising (e.g., behavioral advertising) and marketing analytics on consumer-facing websites. Tracking technologies capture static and behavioral information about webpage visitors, such as click-through rate, location, and other user input, including personally identifiable information. The leading players across industries commonly use these techniques and drive much of the tailored advertising strategies we see today, and digital health companies are no exception.


Who is tracking what now?

Most of us understand very little about what kind of personal information companies’ websites collect, how these companies use that information, and how and with whom they share it. Digital health platforms, in particular, often collect sensitive and private personal information about website users. Regulators believe (and their policies reflect) that this heightens the need for transparency and privacy protections. 


Who is enforcing rules related to tracking technologies?

The Department of Health and Human Services Office of Civil Rights (OCR) and the Federal Trade Commission (FTC) are two federal agencies that enforce consumer privacy protections, including HIPAA and the FTC Breach Notification Rule (HBNR), respectively. Federal law empowers both agencies to penalize companies whose undisclosed use of tracking technologies may threaten consumer privacy. 

Here are some recent actions that indicate heightened scrutiny of tracking technology usage: 

  1. In December 2022, OCR published a bulletin advising regulated entities of potential noncompliance with HIPAA (e.g., not having a Business Associate Agreement in place with advertisers that use tracking technologies). OCR advised that regulated entities should ensure all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule and that, unless an exception applies, these entities disclose only the minimum necessary PHI to achieve the intended purpose. OCR also advised that regulated entities should establish BAAs with tracking vendors that meet the definition of a “Business Associate”. Lastly, OCR recommended addressing the use of tracking technologies in a regulated entity’s internal risk management protocol. 

  2. In early 2023, the FTC levied two enforcement actions (against GoodRx and BetterHelp) resulting in millions of dollars in fines for failing to alert customers that tracking technologies were being used without their consent and for failing to comply with the HBNR (e.g., privacy policies that did not mention the use of tracking technologies).

  3. In July 2023, FTC and OCR published a joint letter cautioning hospitals and telehealth providers about the privacy and security risks related to online tracking technologies integrated into their websites or mobile apps that may impermissibly disclose consumers’ sensitive personal health data to third parties. 

  4. In March 2024, OCR issued an updated version of this bulletin on March 18, 2024. In this update OCR clarified that information collected via these technologies is only PHI when the information is linked to the “past, present or future health care, or payment for health care,” for an individual. OCR also expressly stated that it is prioritizing compliance with the HIPAA Security Rule in investigations of the use of online tracking technologies.


What does that mean for my digital health business?

Tracking technologies collect personal information about digital health website users for marketing purposes. This information may include basic demographic information, more sensitive health-related data, and IP addresses and location data. If the digital health company is a Covered Entity or Business Associate without a Business Associate Agreement (BAA) with the tracking technology company, every instance of data collection may violate HIPAA. Penalties for violations of this nature can reach up to $50,000 per violation or in excess of $1.5 million per year (for identical violations). 

If the digital health company is not subject to HIPAA, they may be subject to FTC enforcement under Section 5 of the FTC Act, which regulates unfair and deceptive trade practices. Civil penalties for violations of Section 5 of the FTC Act are capped at $51,744 per violation. If your website has 1,000 visitors per day, you can see how this can add up. GoodRx was recently fined $1.5 million for violating the HBNR. The FTC also permanently banned GoodRx from disclosing user health information with applicable parties for advertising purposes.


How do I remain compliant when using tracking technologies?

First, you need to determine if the information you collect on your website (and share with tracking technology vendors) is subject to HIPAA or the HBNR. This is not always obvious, but a good rule of thumb is that if you’re collecting personally identifiable information on behalf of a healthcare payor or a healthcare provider (e.g., telehealth network) that submits claims to payors, then you’re likely subject to HIPAA. **This is the case even if your company does not collect any health-related information.** A simple name and email address combo can be PHI. Even an IP address on its own may be considered PHI in some circumstances. 

In its March 2024 update OCR provided examples of what types of webpage interactions create PHI. Records of visits to webpages that provide general information (such as a facility’s visiting hours or employment opportunities) do not relate to an individual’s past, present or future health care, or payment for care, and thus are not implicated by HIPAA. However, OCR noted that, when individuals visit webpages to seek treatment options, the record of those visits (including the user’s IP address and geographic location) IS subject to HIPAA.

If you’re not subject to HIPAA, you may still be subject to the HNBR.  The FTC HBNR requires healthcare entities to notify consumers following a breach involving unsecured, individually identifiable health information. If a service provider/ IT vendor to one of these entities has a breach, it must notify the entity, which in turn must notify consumers. The FTC defines a breach more broadly than you may be aware. For example, the FTC considered GoodRx’s transmission of individually identifiable health information to tracking technology advertisers (e.g., Facebook and Google) a breach. 


HIPAA Compliance Checklist

If you’re subject to HIPAA, take these steps immediately:

Sign BAAs – Execute BAA with any tracking technology vendor that meets the definition of a “business associate”. Note: A tracking technology vendor that obtains information from your website or app will likely meet this definition; OR 

De-identify Before Sharing - Use a de-identification service that de-identifies PHI on the website before disclosing it. Data stripped of identifiers is not PHI subject to HIPAA. OCR stated in its 2024 update that healthcare entities can engage a Customer Data Platform (such as Segment or Freshpaint) to de-identify tracking information before the information is provided to tracking technology vendors. While this may offer a compliant solution, you will need to validate that the Platform will remove all identifiers that a tracking technology vendor could use to re-identify any individual. In addition, from a practical standpoint, when information is properly de-identified, the value provided by tracking technology vendors may be reduced.   Note: The FTC Office of Technology has said in a March 2023 blog post that hashing information to scramble personal identifiers is not always adequate to constitute de-identification, because hashes can be reversed or used to re-identify data across databases.

Patient Disclosure & Authorization - Inform users that you share PHI with third parties, including tracking technology vendors, for the purpose of advertising and marketing. Include this in your privacy policy, web site disclaimers, and terms of use documentation. If you plan to sell this information, or you want to bypass HIPAA restrictions on use, obtain explicit HIPAA-compliant authorization from patients to do so.


FTC Compliance Checklist

If you’re not subject to HIPAA, but you’re collecting and sharing health information with tracking technology vendors, take these steps:

Beef up Your Privacy Policies - Publish and maintain accurate privacy policies on all consumer-facing websites, patient portals, and mobile applications. Disclose your intention to share information for the purposes of advertising with third parties. The FTC focuses on consumer protection, so make sure your policies are accurate, transparent, and updated regularly.

HBNR Compliance – Establish a mechanism to report any potential breaches of consumer health data under HBNR requirements.


Key Takeaway

FTC and OCR are holding digital health companies accountable for violations of consumer privacy laws related to the use of tracking technologies for performance marketing and behavioral advertising. The consequences of failing to implement safeguards around these activities can be steep, especially for young companies. Companies should determine what regulations apply to their business, take strides to assess their compliance status and implement controls to protect their users.


Three Steps to Get Started

1. Review consumer-facing privacy policies to ensure they accurately describe your use of tracking technologies in marketing and advertising. Also, verify that your privacy policy describes how consumer information is used in marketing.

2. Engage with tracking technology vendors to discuss the possibility of signing a BAA with sufficient safeguards for using PHI. Also, evaluate your arrangement from a technical standpoint to determine whether tracking technologies are being used on your website. In the alternative, you may find a vendor who can de-identify the information before it is transferred to a tracking vendor.

3. Ensure the internal privacy compliance program adequately addresses protocols for data loss, breaches, and other unauthorized dissemination of consumer health information.