Skip to Content

Privacy & Data, Reproductive Rights

Two Executive Agencies Take Positive Steps to Keep Health Data Private

It’s never been easier to interact with your doctor. There’s rarely a need to place actual phone calls to your doctor’s office only to be met with hold music – most everything is now online. You can get your prescription medicines mailed directly to your door without stepping foot in a pharmacy. Even mundane interactions like setting up appointments, accessing test results, and communicating directly with the doctor are easier today thanks to smartphone apps and online patient portals. This improved access and flexibility empowers people to be more active players in their health care and achieve better health outcomes.

But, as we continue to embrace and utilize these digital health tools, one constant remains – people expect their health data will be kept private. 

Recently, federal regulators have taken a series of steps to help make sure people’s health information stays private. Specifically, two agencies – the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) – have acted to stop people’s health data from being shared and used for unrelated purposes. This blog will briefly examine these agency actions and break down why each is an important step forward, even though the most significant progress depends on Congress finally passing comprehensive privacy legislation.  

First, in December, OCR released a Bulletin highlighting the important privacy obligations under the Health Information Portability and Accountability Act (HIPAA) that health providers (such as doctors’ offices and hospitals) must follow when using apps and websites. OCR’s bulletin is designed to address an ongoing problem where data shared by patients with their health providers is also being inappropriately shared with advertisers. One way this happens is when a patient uses their doctor’s patient portal to make an appointment or access test results. There are ample news accounts of health providers’ services, like patient portals, containing tracking technologies, such as cookies or “beacons,” that can collect and share people’s health information with unrelated third parties to be used for purposes such as targeted advertising. Use of these trackers can run afoul of HIPAA.

CDT welcomes this Bulletin. It clearly spells out where certain tracking technologies can result in the impermissible disclosure of a person’s health data. Equally important, it puts every entity regulated under HIPAA (such as your doctor and your insurer) on notice that if they incorporate tracking technologies into their websites, portals, or other platforms, they are obligated to protect all protected health information (PHI) collected and shared by those trackers. The bulletin makes clear that without HIPAA-compliant patient authorizations, entities that purposefully or inadvertently disclose health data to tracking technology vendors have likely violated HIPAA. Separately, OCR has asked Congress to increase its budget to help the office better investigate healthcare data breaches as well as enforce civil rights.

While a positive step, the OCR Bulletin is limited to HIPAA-regulated entities. It will not affect other entities that collect similar, if not the same information. For example, health apps like period or fitness trackers are typically not made by your doctor or insurer and, as a result, they are not covered by the HIPAA Privacy Rule. 

It is in this unaddressed space where recent FTC actions come into play. On February 1, 2023, the FTC announced an enforcement action against GoodRx for failing to notify consumers of its unauthorized disclosures of consumers’ personal health information to other advertising companies. GoodRx is an online health platform that provides prescription drugs, telehealth visits, and other health services. In this case, the FTC alleges that GoodRx, over the course of years and contrary to its stated policies, shared sensitive personal health information (including names of prescription medications and health conditions) with advertising companies and platforms like Facebook and Google. Moreover, GoodRx failed to report these unauthorized disclosures to the FTC, consumers, and the media as required by the Health Breach Notification Rule, which the FTC enforces.

On March 2, 2023, the FTC issued a proposed order banning BetterHelp from sharing consumers’ health data for advertising. BetterHelp is an online platform that offers consumers  online counseling services. In its complaint, the FTC notes how BetterHelp told the millions of consumers that signed up for its services that it would keep their health information private and use it only for non-advertising purposes like facilitating consumers’ therapy. However, the FTC alleges that despite those promises to consumers, for years BetterHelp continually broke its promises by monetizing consumers’ health information to target them and others with advertisements. Like GoodRx, the FTC also alleges that BetterHelp shared consumers’ health information with advertising companies and platforms like Facebook, Pinterest, Snapchat, and Criteo.

The FTC, FDA, and OCR/HHS also recently released a Mobile Health App Interactive Tool. This interactive tool is designed to assist mobile health app developers in identifying which federal laws and regulations may apply to their apps. Checking this tool early in the development of consumer-facing products, well before any digital health app is publicly released, can ensure apps are in compliance with applicable laws.   

We commend these agencies for using their authority to go after companies that are illegally and inappropriately sharing consumers’ private health data. However, a more universal and complete solution rests with Congress. It is time to pass comprehensive privacy legislation that protects health data in the first instance, particularly because the sphere of health data that is not subject to HIPAA has been growing for years. Absent such legislation, agencies will continue to be limited to taking useful but only piecemeal actions to curb health data abuses.