A Privacy Review a Day, Keeps the Regulators Away

Jul 21, 2023 by Divya Sridhar, Director, Privacy Initiatives, BBB National Programs and Sander McComiskey, Intern, Privacy Initiatives, BBB National Programs

Reactions to the FTC & HHS Warning to Health Systems on Health Data Privacy Related to Tracking Technologies

Yesterday, the Federal Trade Commission (FTC) and the U.S. Department of Health and Human Services Office for Civil Rights sent a warning letter to nearly 130 hospitals and health systems cautioning them about their data privacy and security practices. In particular, the warning focused on obligations of the healthcare entities toward upholding robust consumer health privacy protections. 

Notably, the letter went out to healthcare entities that are traditionally deemed part of a highly regulated industry: they must already comply with the Health Insurance Portability and Accountability Act (HIPAA), passed in 1996. Aren’t companies in compliance with HIPAA already covering their bases?

Not completely, but BBB National Programs’ Digital Health Privacy Program can help with that.

The warning discussed the inherent, though sometimes less apparent, risks of healthcare entities’ use of online tracking technologies on mobile health apps and websites. In particular, the letter signaled that these entities should be carefully reviewing how patient and consumer health data is shared with third parties through pixels and other tracking tools – for example, when a seemingly innocuous health intake form on a public website or on the entity’s mobile app passes the values a visitor enters along to an advertising or analytics vendor.

In recent years there have been numerous reports of sensitive health data leaking from non-clinical, consumer-facing platforms and tools connected to health systems. It is also important to note that HIPAA does not cover consumer health data captured by many of the newer non-clinical technologies and apps, nor the data practices and privacy harms associated with them.


Not the FTC’s First Rodeo (or Warning!)

Just last year, it was reported that 33 of the top 100 hospital systems were sending sensitive patient data to Facebook. The timing could not be worse, given the effect of the Supreme Court’s Dobbs decision on the treatment and processing of sensitive patient and health data, with states taking the lead on decisions regarding women’s reproductive care.

Following the Dobbs ruling, last July the FTC published a statement committing to fully enforcing the law against illegal use and sharing of highly sensitive data – including location, health, and other sensitive information. And, as explained in the FTC’s proposed modification to the Health Breach Notification Rule, the FTC’s broad interpretation of “unauthorized disclosure” of sensitive health data now brings many of these entities into scope regarding their treatment of patient clinical and non-clinical data.

In the proposed modifications to the Health Breach Notification Rule, the FTC also seeks to revise the definitions of “PHR identifiable health information” and “health care provider” (among other core concepts), which will mean more companies will need to pay attention to their health data sharing and advertising practices, including whether and how they share unencrypted data with third parties.

Large health systems have traditionally relied on HIPAA marketing authorization forms or patient medical record release forms to permit the processing of payment data, communication with health insurance companies, participation in product marketing, and other related purposes. They are less aware of the digital advertising self-regulation principles, and the related requirement to obtain consent before third-party ad tracking and sharing, that may apply to sensitive consumer health data.

In the aftermath of the FTC and HHS warning, healthcare entities will need to carefully review the personal and consumer health data that their websites and apps collect via pixels, cookies, and other ad tracking technologies, because this data sharing, whether intentional or unintentional, could qualify as a data “breach” when it occurs without the consumer’s consent or prior authorization.
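The kind of review described above (and the pixel-on-an-intake-form scenario described earlier) can be made concrete. The following is an added example, not code from this article or from BBB National Programs: a Python script that takes a browser HAR export captured while a tester submits an intake form with known dummy values, and flags every third-party request that carries one of those values or the first-party page URL (which can itself reveal a service line through its query string). The domain names, the HAR entries, and the form values are all constructed for illustration.

```python
"""Flag third-party tracking requests that carry intake-form data.

Input: a HAR export (browser DevTools > Network > "Save all as HAR") captured
while submitting a test intake form filled with dummy values. Everything below
is constructed for illustration; the hosts are not real tracking endpoints.
"""
import json
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: these are the health system's own domains; any other host is third party.
FIRST_PARTY_SUFFIXES = ("examplehealth.org",)

# Constructed: the dummy values typed into the test intake form.
SUBMITTED_FORM = {
    "condition": "type 2 diabetes",
    "dob": "1980-01-01",
    "insurance_member_id": "XYZ123456",
}

# Constructed: a trimmed-down HAR with four requests observed during the submission.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "POST", "url": "https://www.examplehealth.org/intake/submit",
                 "headers": [],
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "condition=type+2+diabetes&dob=1980-01-01"
                                      "&insurance_member_id=XYZ123456"}}},
    {"request": {"method": "GET", "headers": [],
                 "url": "https://tracker.example/tr?id=123&ev=SubmitForm"
                        "&cd[condition]=type%202%20diabetes&cd[dob]=1980-01-01"
                        "&dl=https%3A%2F%2Fwww.examplehealth.org%2Fintake%3Fappt%3Doncology"}},
    {"request": {"method": "POST", "url": "https://analytics.example/collect",
                 "headers": [{"name": "Content-Type", "value": "application/json"}],
                 "postData": {"mimeType": "application/json",
                              "text": json.dumps({"event": "form_submit",
                                                  "fields": {"insurance_member_id": "XYZ123456"}})}}},
    {"request": {"method": "GET", "url": "https://cdn.example/lib.js", "headers": []}},
]}}

URL_RE = re.compile(r'https?://[^\s"&<>]+')


def is_first_party(host, suffixes=FIRST_PARTY_SUFFIXES):
    """True for the health system's own hosts (exact match or subdomain), not look-alikes."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def _request_fragments(request):
    """Yield (location, decoded text) for every place a form value could ride on a request."""
    parts = urlsplit(request["url"])
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        yield "query:" + key, value
    post = request.get("postData") or {}
    text = post.get("text", "")
    if not text:
        return
    if post.get("mimeType", "").startswith("application/x-www-form-urlencoded"):
        for key, value in parse_qsl(text, keep_blank_values=True):
            yield "body:" + key, value
    else:
        yield "body", text  # JSON and other bodies are searched as raw text


def find_leaks(har, submitted=SUBMITTED_FORM, suffixes=FIRST_PARTY_SUFFIXES):
    """One finding per (request, location, field) where a third-party request carries
    a submitted form value, or a first-party page URL that still has its query string."""
    findings = []
    for entry in har["log"]["entries"]:
        request = entry["request"]
        host = urlsplit(request["url"]).hostname or ""
        if is_first_party(host, suffixes):
            continue  # the form must reach the first party; only third parties are suspect
        for location, text in _request_fragments(request):
            for field, value in submitted.items():
                if value and value in text:
                    findings.append({"host": host, "kind": "form_value",
                                     "field": field, "location": location})
            for match in URL_RE.finditer(text):
                page = urlsplit(match.group(0))
                if is_first_party(page.hostname or "", suffixes) and page.query:
                    findings.append({"host": host, "kind": "page_url",
                                     "field": page.query, "location": location})
    return findings


if __name__ == "__main__":
    for f in find_leaks(SAMPLE_HAR):
        print(f"{f['host']:<20} {f['kind']:<10} {f['field']:<25} via {f['location']}")
```

On the constructed capture, the first-party submission is ignored, the script-library download produces nothing, and four findings come back: the pixel on tracker.example receives the condition and date of birth as custom data plus the intake page URL with its `appt=oncology` query string, and analytics.example receives the insurance member ID inside a JSON body. Run this against a real HAR captured with dummy values you typed yourself; every host that appears is a vendor whose contract and tag configuration need the review the letter calls for. The check only sees what the browser sends, so server-side forwarding of the same data has to be reviewed separately.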

This interpretation sets a much more deliberate expectation for how these healthcare entities preserve the privacy of their patients and consumers when they interact with third parties, including cloud service providers, data analytics companies, and advertisers.


To Rely or Not to Rely on HIPAA? That Is the Data Protection Question.

What makes this paradigm shift in definitions and interpretations even more confusing is the overlapping nature of health data, which sits at the intersection of clinical and non-clinical data. This is data that can be used to identify a patient or consumer, or to infer or obtain their health status and/or diagnosis – all of which could be considered “sensitive” in nature.

This year, three states have already passed consumer health privacy laws imposing additional obligations on entities that process sensitive health data, even if those entities fall outside the scope of HIPAA for some or all of their business model.

The state consumer health privacy laws include some carveouts for HIPAA-covered entities, but those entities are not wholly exempt from complying with the consumer privacy laws. For reference, the three consumer health privacy laws (and, to some extent, the now 13 comprehensive consumer data privacy laws) exempt the protected health information (PHI) covered by HIPAA but govern all other personal information collected and processed by HIPAA-covered entities and other firms.

It seems that most healthcare entities that house both HIPAA-covered and non-HIPAA-covered health data are taking one or more of the following common approaches in their compliance efforts:

  • Segmentation: Process the consumer health data separately from HIPAA-covered PHI, aligning and tailoring practices specifically to state consumer privacy and health privacy laws. Here, entities wholly separate the data regimes for data sets subject to different laws, with separate internal policies, vendor contracts, data subject request handling, privacy policies, and more. A strenuous process, but one that can preserve richer data.
  • Harmonization: Comply with both HIPAA and state law at the most restrictive common level for all relevant data. Narrow compliance efforts to a handful of highly regulated practices and subject those practices to the most restrictive applicable law. This approach reduces the richness of the data collected but may be less resource-intensive.
  • Develop or deploy privacy-enhancing technologies (PETs): Companies taking this route use encryption and statistical methods to anonymize and/or de-identify data so that sensitive data can be shared between and across entities. Privacy laws are mostly silent, beyond non-binding guidance, on which PET methodologies are acceptable (HIPAA’s de-identification standard at 45 CFR § 164.514 is one of the few concrete reference points), so entities may feel less exposed to regulatory scrutiny. The process can be time-consuming, and it can also demand a hefty investment of time, capital, and resources.
  • Wait and see: Here, entities wait to receive letters, warnings, and potentially fines from regulators before taking any consolidated action on their treatment of sensitive health data. This may be the easiest choice, but it is the riskiest.


Our recommendation? Take a multi-pronged approach with the Digital Health Privacy Program. 

Leading responsible companies and industry trade groups engage in industry self-regulation solutions to get ahead of the curve. BBB National Programs’ Digital Health Privacy Program is the most recent example. Developed by business leaders on the front lines of consumer health data management and public policy, and executed by attorneys and technologists, this new certification program helps companies keep pace with evolving legislation and regulation, with a visible, consumer-facing seal on external sites, platforms, and product marketing to demonstrate ongoing compliance and signal accountability in the marketplace to both consumers and regulators.

Why do we suggest industry self-regulation? Businesses have the power to help proactively move their own marketplace forward, towards establishing best practices and standards in consumer health privacy that make it easier to protect consumer health data. The Digital Health Privacy Program was designed to support companies in their compliance journey and align with various consumer privacy laws. 

If you lead or support the legal, privacy, or compliance work at a health system, telehealth provider, data analytics company using health data, or support these systems as a service provider or third party processing their data, consider joining the Digital Health Privacy Program, a robust solution and third-party accountability program to support and verify the practices you are undertaking to mitigate consumer health privacy and security risks. Contact DHPP@BBBNP.org for a 1:1 consultation.
