On July 20th, the Federal Trade Commission (FTC) and the Department of Health and Human Services (HHS) sent 130 letters to healthcare companies reminding them of their obligations around tracking technologies and the Health Insurance Portability and Accountability Act (HIPAA). The letters indicate that the agencies are aware of possible privacy concerns in the recipients' websites or apps, and encourage them to review and correct any possible issues. The letters specifically call out that use of common marketing technologies such as Google Analytics and the Meta pixel is very likely to be in violation of HIPAA's rules on impermissible disclosure. The letters reflect a more targeted warning than the December bulletin, and likely represent the final warning prior to enforcement action.
In recent times the FTC has been very proactive in enforcement over HIPAA violations, reaching settlements with companies such as GoodRx, Flo Health, BetterHelp, and 1Health. In each case, in addition to a fine and corrective action, the companies were often bound to a consent decree mandating specific behavior going forward (such as not selling or sharing user data). This is to say nothing of the reputational harm and possible lost business due to a break in consumer trust.
Those in the healthcare space are strongly encouraged to spend the time reviewing the letters, considering how they may apply to their own efforts, and taking corrective action as needed. Very likely, time is running out to get your house in order, and the risk of enforcement is escalating.