The past year has seen a significant increase in the focus on the privacy of health data. Beginning with the guidance released by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) in December 2022, the ways in which health data is collected and used are under a microscope. Beyond guidance, enforcement has picked up, with the Federal Trade Commission (FTC) issuing orders in cases against BetterHelp, GoodRx, and Flo Health for their misuse of consumers’ health data and their misrepresentations about how that data was used. At the state level, all U.S. state privacy laws passed to date carry special provisions and requirements for “sensitive data,” which includes consumer health information.
So what’s a marketer or advertiser in health and health-adjacent industries to do? Is it no longer possible to collect data for things like analytics? Let’s review the primary regulations and requirements for the collection of data via online tracking technologies and the keys to keep top-of-mind when evaluating your data collection architecture.
HIPAA
HIPAA applies to any organization that is a covered entity as defined in the law. Covered entities are health plans, health care clearinghouses, and health care providers. You should be aware if your organization is a HIPAA covered entity, as the requirements are much more wide-reaching than just for digital data and tracking technologies.
HIPAA restrictions, as they relate to data collected by tracking technologies on a digital property, apply to any Protected Health Information (PHI). PHI is any individually identifiable health information related to an individual’s past, present, or future health or condition, the provision of health care, or the payment for the provision of health care. For the information to be individually identifiable it must be able to be used to identify an individual or there must be a reasonable basis to believe the information could be used to identify the individual. Simply put, if the information is associated with an identifiable person (even indirectly) and it relates to their health, it’s likely PHI.
The restrictions do not preclude a covered entity from collecting PHI, but they do place limitations on how the information can be used and with whom it can be shared, and they impose a heightened duty of care for the information collected. Some of the restrictions especially relevant for marketing and analytics data:
- For PHI to be used for targeted marketing or advertising, it requires explicit consent from the individual. Consent must be written and signed. In practice, this precludes the use of this data for digital advertising or marketing.
- PHI can only be disclosed to a business associate. Important for tracking technologies is that a business associate must sign a Business Associate Agreement (BAA) with the covered entity, a condition many popular analytics and advertising technology vendors are unwilling to meet. This means the use of many popular analytics and advertising technologies is a HIPAA compliance risk if PHI is being collected.
So where does this leave us?
- A HIPAA covered entity essentially must not use any PHI for digital marketing and targeted advertising.
- A HIPAA covered entity must only use third-party analytics platforms that will sign a BAA for analytics use cases if PHI is being collected.
- It is critical to adhere to the transparency requirements for data collection, usage, and disclosure as outlined in HIPAA. Consumers have a number of rights related to notice and choice; covered entities must know what PHI is being collected and where, where it is going, and how it is being used.
U.S. State Privacy Laws
As of this writing (July 2023), 12 states in the United States have passed comprehensive privacy legislation. Residents of these states are afforded the privacy rights detailed in each respective law. These requirements apply to any organization dealing with sensitive data, not just HIPAA covered entities.
One commonality among all of the state laws passed to date is the classification of health data (personal data pertaining to the past, present, or future health of an identified or identifiable individual) as “sensitive data.” The collection and processing of sensitive data carries heightened requirements in each law. Most notable for our purposes are the requirements for consent and opt-out. A few examples:
- California requires notification about sensitive data being collected and the ability for the individual to opt-out of such collection.
- Other state laws require explicit consent for the collection of sensitive data. Consent in this context can be a digital indication so long as it is specific and explicitly made.
So where does this leave us?
- Organizations processing health data for consumers in states with privacy laws must respect the consent and opt-out requirements of those consumers. Since most organizations will take a uniform approach to operationalizing U.S. state privacy laws, explicit consent will in practice be required to collect health data for an identified or identifiable user.
Washington’s My Health, My Data
Washington passed the My Health My Data (WMHMD) law in the first half of 2023, and it applies to any business* collecting the data of, or offering services to, residents of Washington State. WMHMD imposes requirements on entities that collect and process “consumer health data,” which is personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future health status.
Notable for analytics and advertising is the requirement for explicit consent to collect any consumer health data, with additional consent necessary for any sale or sharing of that data that is not consistent with the purposes disclosed at the point of collection. Explicit consent requires a positive, clear, affirmative action by the consumer.
So where does this leave us?
- For any entity targeting products or services to Washington consumers, explicit consent is required to collect and share consumer health data. This includes collection for purposes of analytics as well as advertising.
*Important to note is that information meeting the definition of protected health information, which is covered by HIPAA, is exempt from WMHMD. HIPAA-covered entities should therefore revert to the requirements defined in HIPAA. The purpose of the law is to protect health information held by entities falling outside the scope of HIPAA.
Federal Enforcement
In July 2023 the Federal Trade Commission (FTC) and the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) sent a letter to approximately 130 hospital systems and telehealth providers to alert them to the risks and concerns around the use of tracking technologies. This follows the OCR Bulletin on Tracking Technologies published in December 2022, which clarified its guidance for HIPAA-covered entities, as well as actions from the FTC throughout the first half of 2023 against BetterHelp, GoodRx, and Flo Health. The letter reaffirms the federal agencies’ commitment to investigating and enforcing health data collection and protection requirements, under HIPAA for covered entities and under the FTC Act and the FTC Health Breach Notification Rule for those not in scope of HIPAA.
Enforcement under the FTC Act focuses on unfair or deceptive acts or practices affecting commerce. In the context of health data collection and disclosure, the focus is on transparency, security, and using the data only for the purposes disclosed to the consumer.
So where does this leave us?
- Health data is an enforcement focus.
- Identify whether any health data is being collected and whether it could fall within the scope of Protected Health Information.
- For any PHI, understand where it is collected, for what purposes it is being processed, and where it is being sent (internally as well as to external partners and platforms).
- Ensure all collection, use, and sharing of PHI is properly disclosed to the consumer. Actions in practice must align with those in principle!
- Ensure requirements of all applicable regulations are being met.
Important Points to Consider
Traditionally, organizations have approached health data with the mindset that “restrictions are only relevant for HIPAA,” which is no longer the case. For any organization that collects or processes health data associated with individuals, it is critical to keep the following in mind:
- Understand if PHI is being collected anywhere across your digital properties.
- For any PHI, map exactly what is collected, for what purpose, and what platforms it is being sent to.
- For HIPAA-covered entities:
  - If collecting PHI, ensure all partners involved in processing have signed a BAA and adhere to the HIPAA rules for business associates.
  - Do not use PHI for purposes of targeted marketing and advertising.
- For all:
  - Ensure PHI is only collected once required consent has been obtained (explicit opt-in for many states).
  - Ensure all collection and usage of PHI is disclosed to consumers per the relevant requirements.
It is clear that the protections for health data are continuing to get stricter. With a focused enforcement effort from federal agencies and more purpose-specific legislation at the U.S. state level, it is critical to understand whether any data your business collects falls within the scope of health data as defined by applicable regulations. If so, take steps immediately to ensure that data is handled in a compliant manner.