Health care and health care-adjacent organizations face materially increased regulatory and class action risk from commonly used third-party analytics and advertising services (ad/analytics services) on their websites, patient portals, mobile applications, and other Internet-connected services. Recent settlements with regulators and class action plaintiffs have resulted in millions of dollars in payments, bans on disclosing health information for advertising purposes, and long-term regulatory oversight of organizations' data sharing practices. In this alert, we briefly examine the sources of risk, including the Department of Health and Human Services (HHS), the Federal Trade Commission (FTC), state enforcement authorities, and class action plaintiffs, and highlight some considerations for mitigating each.

Online ad/analytics services in a nutshell

Most websites and mobile applications include code that allows vendors of ad/analytics services to collect information about users as they interact with websites and mobile applications. The code may include, for example, the use of third-party cookies, web beacons or tracking pixels, and session replay functions (third-party trackers). The vendors then process and analyze data collected via third-party trackers for various purposes, such as providing user analytics reports, facilitating online advertising (both personalized and non-personalized), and helping website and mobile application operators analyze user experience decisions and better understand what content is popular. Vendors also typically use the data for their own purposes, such as to provide their services to other customers and develop and improve their products and services.

What elevated the risk of using online ad/analytics services?

In the last year, users and vendors of ad/analytics services have become a frequent target for federal and state regulators and class action plaintiffs. As previously discussed in our blog post, late last year, HHS' Office for Civil Rights (OCR), which is responsible for enforcing the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, HIPAA), issued a bulletin describing potential HIPAA non-compliance from the use of third-party trackers. Since the beginning of this year, the FTC has settled three separate cases alleging deceptive and unfair business practices under the FTC Act by digital health platforms based on their use of ad/analytics services. The California Attorney General's first public enforcement action under the California Consumer Privacy Act (CCPA) involved a website's use of ad/analytics services, and regulators in several states have recently issued statements or entered into settlement agreements related to digital health platforms sharing health information with third parties for ad/analytics purposes. Finally, the plaintiffs' bar has brought a significant number of class action lawsuits in 2023 against users and vendors of ad/analytics services, building on the explosion of such lawsuits filed in 2022. These class actions are frequently aimed at health care-related organizations and include claims of HIPAA violations.

OCR bulletin. OCR's bulletin focuses on educating HIPAA-regulated entities on whether the use of third-party trackers is an impermissible disclosure of protected health information (PHI) under HIPAA. The applicability of HIPAA to certain online activities has been a question with which HIPAA-regulated entities have wrestled for years. The bulletin explains that HIPAA could apply to websites made available by HIPAA covered entities even when users are not patients and no treatment or billing information is collected. This position seems to ignore the fact that individuals visit websites for many reasons unrelated to receiving health care or plan benefits for themselves. The bulletin also states that any information collected through a HIPAA covered entity's mobile application or from website users after they authenticate themselves likely is PHI regulated by HIPAA. According to the bulletin, there are also situations where unauthenticated use of a website could result in collecting PHI, such as information collected from visitors of web pages that are dedicated to specific conditions, include functionality to make appointments or search for doctors, or allow logging in/registering for an account. If information collection through a website or mobile app must comply with HIPAA, disclosure of such information without authorization or without a business associate agreement with the recipient could be an impermissible disclosure. In the event a HIPAA regulated entity experiences an impermissible disclosure, it must analyze whether it has breach notification obligations under HIPAA, which may lead to regulatory scrutiny and class actions. OCR also recently announced the formation of a new Enforcement Division focused on leveraging the office's limited resources in a skill-set model to drive greater implementation and enforcement of the law.

FTC enforcement actions and guidance. Three recent FTC enforcement actions targeted digital health platforms not regulated by HIPAA that made promises of limited data sharing but allegedly allowed third-party trackers to collect information from users of the platforms for advertising services. The companies allegedly did not provide notice or obtain consent for the third-party trackers, and did not have internal policies and procedures to identify and prevent these non-compliant practices. Further, according to the FTC's complaints, the companies did not adequately limit by contract the vendors' use of the information for the vendors' own purposes. In two cases the FTC concluded that the unauthorized disclosures were also "breaches of security" that required breach notifications to be sent to affected individuals, the FTC, and prominent media outlets under the FTC's Health Breach Notification Rule (HBNR). The consequences of these settlements are severe. The companies, for instance, are prohibited from sharing health information for advertising purposes (even with consent), must pay monetary penalties (exceeding $1 million for each of two of the companies), and must comply with ongoing third-party compliance audits and reporting obligations for their privacy programs for 20 years. In two instances, the companies were required to re-negotiate contracts with vendors to improve data protection terms. The FTC has also required companies to send breach notifications in accordance with the HBNR, an additional potential penalty for organizations required to comply with the HBNR. The FTC's new Office of Technology also issued related guidance describing the technical aspects of pixel tracking in the health care context. The guidance emphasizes the FTC's concern that consumers often cannot avoid these pixels because they do not respond to traditional controls such as blocking third-party cookies.

State regulatory enforcement. The first and only enforcement action under the CCPA was similarly related to the use of third-party trackers on a website. Even though the case was brought against a retailer, the California Attorney General (AG) has the authority to bring an action against any organization subject to the CCPA, including organizations in the health care and life sciences industries. The California AG's complaint concluded that the company's "decision to provide third parties including 'advertising networks, business partners, [and] data analytics providers' with access to its customers' data in exchange for services from those entities was a sale of personal information as defined by the CCPA. [...] Both the trade of personal information for analytics and the trade of personal information for an advertising option constituted sales under the CCPA." In other words, engaging vendors of ad/analytics services may involve the "sale" of information, which triggers a company's obligation under the CCPA to provide enhanced notice and process opt-outs. In this case, the company allegedly did not provide proper notice or process opt-outs as required by the CCPA. The settlement requires the company to pay a $1.2 million penalty, provide proper notice and make available required opt-out options, update contracts with vendors of ad/analytics services to accurately describe the types of data exchanged, and report to the California AG the list of vendors of ad/analytics services it uses. The CCPA and other current and forthcoming comprehensive state consumer privacy laws (including those in Connecticut, Colorado, Utah, and Virginia, all of which will be in effect as of the end of 2023) have similar requirements associated with the use of third-party trackers. Additional similar state consumer privacy laws will go into effect after 2023.

The CCPA is not the only California statute that may have implications for the use of tracking technologies by health care companies. The Confidentiality of Medical Information Act (CMIA) may apply to businesses offering certain health care-related hardware or software, including mobile applications, to individuals or providers of health care. The CMIA requires patient authorizations for many uses of "medical information" for "marketing," both as defined by the CMIA, which could be interpreted to include the use of third-party trackers. The California AG signaled in a recent press release that its increased focus on third-party trackers was not limited to CCPA compliance.

Enforcement actions in other states have also focused on the use of third-party trackers in the health care context. The Attorneys General of Connecticut, the District of Columbia, and Oregon recently entered into a resolution agreement with the defendant in one of the FTC actions discussed above. They claimed that the company's use of third-party trackers violated state unfair and deceptive practices acts, as well as state laws requiring the safeguarding of personal information. Under the resolution agreement, the company is prohibited from disclosing health or location information without the affirmative express consent of the individual. The company is also required to implement comprehensive privacy and information security programs with certain specific components and pay $100,000 to the Attorneys General.

Class action litigation. This year, we have seen a continuation of the growing trend in class action filings against vendors of ad/analytics services and the website and mobile application operators using those services. Plaintiffs have used creative arguments, characterizing the tracking technology as "spyware," and claiming violations of federal and state wiretap laws, violations of HIPAA and similar state health privacy laws, violations of the Video Privacy Protection Act, an invasion of privacy, and other torts or contract breaches. The complaints generally allege that the defendants did not provide the necessary notice or obtain the legally required consent (opt-ins, authorizations, or opt-outs). There have already been class action settlements of nearly $20 million, and we expect many more to come.

How can the risk be mitigated?

Organizations can take steps to mitigate risk from the increased scrutiny of the use of third-party trackers on websites and mobile applications. Several examples of such steps are summarized below.

Identify the applicable regulatory framework(s). If an organization is regulated by HIPAA and/or state health privacy laws, the organization should analyze whether those laws would apply to the information collected through each of its websites and mobile applications. It is possible that a HIPAA-regulated entity has some websites (such as patient portals) that are regulated by HIPAA and some websites (such as general marketing websites) that may not be regulated by HIPAA. General state consumer privacy laws may apply instead of or in addition to HIPAA and/or state health privacy laws. Organizations may have obligations under other laws, like the federal and state wiretap laws and the Video Privacy Protection Act, regardless of whether they are regulated by HIPAA or state health privacy laws.

Identify the third-party trackers used on websites and mobile applications. An organization will be unable to effectively evaluate and mitigate its risk from the use of third-party trackers if it does not have an accurate picture of the scope of their use. Identifying the third-party trackers used by websites and mobile applications can be a time-intensive task, as it may involve coordinating with external agencies and with internal marketing and IT teams. Organizations should also consider how to monitor the removal and addition of third-party trackers on an ongoing basis as part of a privacy program.
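The inventory step above, as an added example that is not part of the original alert: a small Python script that lists the script, image and iframe loads a page makes to hosts outside the first-party domain and flags 1x1 images, the classic tracking-pixel shape. The sample page and every hostname in it are constructed placeholders, and the first-party domain is an assumed parameter.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page for an imaginary provider site; every hostname is a
# placeholder, not a real vendor.
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example-hospital.org/lib.js"></script>
<script async src="https://analytics.example-vendor.net/tag.js"></script>
</head><body>
<h1>Schedule an appointment</h1>
<img src="//pixel.example-adnetwork.com/p?ev=appt" width="1" height="1" alt="">
<iframe src="https://replay.example-vendor.net/session"></iframe>
</body></html>"""

class TrackerInventory(HTMLParser):
    """Records script, image and iframe loads served from hosts other than
    the first-party domain or one of its subdomains."""
    TAG_ATTR = {"script": "src", "img": "src", "iframe": "src"}

    def __init__(self, first_party_domain):
        super().__init__()
        self.first_party_domain = first_party_domain.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = self.TAG_ATTR.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        # hostname is None for relative URLs such as /js/app.js and is
        # resolved for protocol-relative ones such as //host/path.
        host = urlparse(attrs.get(attr_name) or "").hostname
        if not host:
            return
        host = host.lower()
        if host == self.first_party_domain or host.endswith("." + self.first_party_domain):
            return
        # A 1x1 image fetched from another domain is the classic tracking-pixel shape.
        pixel = tag == "img" and attrs.get("width") == "1" and attrs.get("height") == "1"
        self.findings.append({"tag": tag, "host": host, "pixel": pixel})

def inventory(html, first_party_domain):
    """Return one finding per third-party load, in document order."""
    parser = TrackerInventory(first_party_domain)
    parser.feed(html)
    return parser.findings

def summarize(html, first_party_domain):
    """Map each third-party host to the sorted tag types that load from it."""
    summary = {}
    for f in inventory(html, first_party_domain):
        summary.setdefault(f["host"], set()).add(f["tag"])
    return {host: sorted(tags) for host, tags in summary.items()}
```

Static HTML only shows trackers present at page load; tags injected later (for example by a tag manager) and SDKs embedded in mobile applications need a browser-based crawl or network capture, which this example does not attempt.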

Practice good website and mobile application hygiene – evaluate whether each third-party tracker is providing a benefit that outweighs the risk. Organizations commonly use more third-party trackers than they actually need or even realize. Given the increase in risk from these trackers, now is an excellent time to evaluate the benefits and risks of ad/analytics services. There are a number of questions an organization should answer. For example, is it necessary to permit the third-party trackers of several ad networks on the website, or would one ad network suffice? Does the organization benefit from using the third-party trackers on all website pages, or could they be used on fewer pages or not used at all? Are the third-party trackers collecting health information or could they infer health information? Is that the intent?

Implement notice and choice mechanisms or other compliance obligations required by the applicable regulatory framework(s). Depending on the applicable regulatory framework(s), there may be several decisions and steps necessary to comply with the law. A few considerations follow. If the information collection and sharing through a website must comply with HIPAA, an organization should assess the existence and terms of business associate agreements with vendors or whether it is feasible to obtain and rely on HIPAA authorizations from users. If the website data collection and sharing is subject to state consumer privacy laws, an organization should consider whether to implement notice and opt-out mechanisms to meet compliance obligations or to contract with vendors of ad/analytics services in a manner that would not trigger such requirements. The organization should consider whether to either discontinue using third-party trackers to collect information on pages with video content or try to comply with the notice and written consent requirements of the Video Privacy Protection Act. An organization may also have notice and consent obligations to avoid violating federal and state wiretapping laws.

Refine vendor diligence and procurement processes. Vendor risk management has become increasingly important from a cybersecurity perspective, and it is now crucial from a privacy perspective as well. Before an organization selects a vendor of ad/analytics services, it should understand how data will be collected and used by the vendor. That understanding will inform whether the organization should use the vendor and how the vendor's role should be characterized (e.g., does the provider meet the qualifications of a business associate under HIPAA or a service provider/processor under state consumer privacy laws?). Organizations may also need to refine their procurement processes to build in a requirement to negotiate agreements with vendors of ad/analytics services that limit the vendors' use of data for their own commercial purposes, such as product development. Further, an organization should consider whether to implement and enforce a policy that prohibits accepting click-through terms until the privacy impact has been evaluated and the vendor's practices have been confirmed to align with the company's privacy promises.

Update the privacy program to cover the use of third-party trackers. Organizations should consider updating their privacy programs to expand their corporate controls relating to the use of third-party trackers. For example, organizations can update internal policies to cover the evaluation and ongoing monitoring of the use of third-party trackers, develop training on the proper use of third-party trackers, ensure experienced privacy professionals participate in decision-making related to the use of third-party trackers, and update risk-management documentation and processes to incorporate the use of third-party trackers.

Consider whether breach notifications are required. Both OCR and the FTC have stated that the use of third-party trackers could result in impermissible disclosures of PHI or personal information that could require sending breach notifications to affected individuals, the regulators, and others. Organizations should consider analyzing whether their prior use of third-party trackers has been compliant with applicable law. If such use was non-compliant, organizations should evaluate whether breach notification is required and make any such legally required notifications.

The bottom line

Regulators and privacy advocates have been discussing the privacy implications of third-party trackers for a long time. But the regulatory and class action activity over the past year indicates that the use of third-party trackers is squarely in the crosshairs and has significantly increased in risk. Organizations should take this time to evaluate their use of third-party trackers before they receive a regulatory inquiry or class action complaint forcing them to do so.

This article is presented for informational purposes only and is not intended to constitute legal advice.