Elevated regulatory scrutiny of well being know-how corporations’ use of promoting applied sciences | JD supra

Fenwick & West LLP

The proliferation of well being apps and linked gadgets that permit people to trace their well being situations, therapy, drugs, health, fertility, sleep, psychological well being, weight-reduction plan and different very important areas has led to elevated regulatory scrutiny. Current regulatory steering and multimillion-dollar enforcement actions are clarion calls to well being know-how corporations to make sure they’re correctly utilizing web monitoring applied sciences on their digital properties.

OCR steering on utilizing monitoring applied sciences

The Division of Well being and Human Companies’ Workplace for Civil Rights (OCR), which enforces the Well being Insurance coverage Portability and Accountability Act (HIPAA), not too long ago issued steering warning {that a} HIPAA-regulated entity’s use of Web monitoring applied sciences on its web sites and apps are topic to HIPAA privateness guidelines. These monitoring applied sciences embrace generally used analytics and promoting instruments, reminiscent of monitoring pixels used for remarketing, internet beacons and session replay scripts. OCR advises that these applied sciences fall below HIPAA laws as a result of the varieties of information they accumulate, together with IP tackle, geographic location, gadget ID, promoting ID, or different distinctive identifiers, can hyperlink a person web site or app- person to a HIPAA-regulated entity, even within the absence of a affected person relationship. Accordingly, this information is “associated to the person’s previous, current, or future well being or well being care or fee for care.” For instance, when a lined entity (reminiscent of a hospital or healthcare supplier) locations a monitoring pixel on its appointment scheduling web page, the pixel shares the affected person’s IP tackle with the pixel supplier. Based on the OCR steering, the lined entity should be certain that it shares the IP tackle with the pixel supplier in a HIPAA compliant method.

FTC enforcement of its well being breach notification rule

OCR is just not the one regulator specializing in using monitoring applied sciences on healthcare web sites and apps. On February 1, 2023, the Federal Commerce Fee (FTC) settled an enforcement motion in opposition to a digital well being platform for violating Part 5 of the FTC Act and the FTC’s Well being Breach Notification Rule, 16 CFR Half 318 (FTC Rule). The FTC rule applies to corporations which are doesn’t topic to HIPAA, however which collects or maintains identifiable well being details about shoppers within the type of private well being data. The FTC rule requires corporations to inform people inside a minimum of 60 calendar days of the unauthorized entry to their private well being data. In 2021, the FTC issued a coverage assertion advising in opposition to it anybody sharing private well being data – together with intentional disclosures – with out the consent of the person to whom it involved violated the FTC rule. The FTC additionally warned that violations of the FTC Rule might lead to civil penalties of as much as $43,792 per violation per day.

This case was the FTC’s first enforcement of the FTC Rule. The FTC alleged that the corporate violated the FTC Rule and Part 5 of the FTC Act by sharing private and well being details about its customers with (1) promoting platforms, reminiscent of Fb, Google and Criteo; and (2) different third events reminiscent of Department and Twilio, with out notifying or acquiring the consent of its customers. The FTC additionally discovered that the observe contradicted guarantees the corporate made in its privateness insurance policies that it will not share its customers’ well being data. Beneath the phrases of the settlement, the FTC imposed a civil penalty of $1.5 million and completely prohibited the corporate from disclosing well being data to 3rd events for promoting functions.

BetterHelp, Inc. FTC Enforcement

Only one month later, in March 2023, the FTC filed an enforcement motion alleging that BetterHelp, a web based psychological well being counseling service, shared data figuring out its customers with advertisers in violation of its privateness guarantees on its web site and questionnaire . The grievance alleges that BetterHelp allowed advertisers to make use of details about its customers to create uniform swimming pools of people for promoting. A consent order, if permitted, would require BetterHelp to refund as much as $7.8 million to shoppers who paid for BetterHelp subscriptions. The proposed FTC order requires BetterHelp to (1) get hold of affirmative categorical consent earlier than disclosing private data to sure third events for any goal; (2) implement a complete privateness program; (3) require third events to delete client well being data and different private data; and (4) implement a knowledge retention plan for client well being and private data.

Sensible takeaways for digital well being purchasers

All digital well being purchasers utilizing focused promoting and on-line monitoring applied sciences on their web sites and cell apps should consider and pay attention to the legal guidelines to which they might be topic: HIPAA, Part 5 of the FTC Act (which prohibits unfair or misleading acts or practices in or impacts commerce) and/or the FTC Rule. The FTC has supplied an interactive software to assist builders of cell apps that in any method relate to well being data decide which legal guidelines and laws might apply.

Are you a lined entity or enterprise affiliate topic to HIPAA? In that case, you could:

  1. Take into account which internet advertising instruments (cookies, pixels, internet beacons) you utilize in your digital properties, reminiscent of your web sites or cell functions.
  2. Decide the place these internet advertising instruments are positioned in your digital properties, and be aware elevated controls on internet pages the place delicate well being data could also be collected (for instance, on an appointment scheduling web page the place situations or signs may be entered).
  3. Take into account what information is shared with third-party suppliers of those instruments, and be aware that even IP addresses are thought of protected well being data (PHI) below OCR’s new steering.
  4. Decide when you’ve got the required agreements in place with the software suppliers, reminiscent of a enterprise relationship settlement or subcontractor settlement.
  5. Weigh the advantages of utilizing these internet advertising instruments in opposition to the extra prices of complying with OCR’s new steering. Continued compliant use of those instruments will seemingly require corporations to acquire prior authorization or consent from customers (together with web site guests, even when a affected person relationship is just not fashioned) to reveal their PHI to suppliers of those internet advertising instruments.
  6. Revise your Privateness Coverage and Discover of Privateness Practices to precisely mirror your internet advertising practices. Part 5 of the FTC Act requires that disclosure of well being data privateness practices not be deceptive or misleading.

In the event you accumulate private well being data however aren’t a HIPAA lined entity or enterprise affiliate:

  1. In case your web site or app collects identifiable well being details about a person from a number of sources, e.g. by way of a mixture of client enter and APIs, you might be topic to the FTC rule. And like HIPAA-regulated corporations, Part 5 of the FTC Act requires that statements to shoppers about how you utilize and share their well being data should not be deceptive.
  2. Take into account which third-party promoting suppliers you utilize, if any.
  3. Conduct an inside audit to find out what, if any, private data you share with third-party promoting suppliers.
  4. Assessment all your web sites and different digital properties to make sure that your privateness coverage is prominently displayed and readily accessible to shoppers on every. Customers ought to be required to acknowledge your privateness coverage earlier than finishing any consumption questionnaires.
  5. Assessment all statements and guarantees you have got made in regards to the use and disclosure of private and well being data in consumer consumption questionnaires, in your privateness insurance policies, in your web sites and cell functions, and in different public boards and platforms (eg, Twitter), and take away any privateness guarantee or illustration that doesn’t precisely mirror Firm practices.
  6. Acquire affirmative categorical consent earlier than disclosing well being data to third-party promoting know-how suppliers. Affirmative categorical consent should be particular and separate from the corporate’s common phrases and situations.
  7. Prepare workers in privateness and safety finest practices for dealing with or making selections about sharing private or well being data.
  8. Contractually restrict advertisers’ use of private data for their very own impartial enterprise functions, together with their very own analysis and improvement and advert optimization.
  9. Take into account growing and implementing inside insurance policies for sharing private and well being data, together with requiring prior authorized assessment and approval of any information sharing with third-party suppliers of internet advertising instruments.