Abstract: Health care industry stakeholders have regularly used online tracking technologies to help improve patient experience. However, growing scrutiny by the Office for Civil Rights, which enforces the Health Insurance Portability and Accountability Act of 1996 (HIPAA), requires covered entities and business associates to proceed cautiously in their use of such technologies. In addition, recent enforcement actions by the Federal Trade Commission make clear that a wide range of digital health companies, whether or not regulated by HIPAA, must tread carefully when collecting and disclosing personal information related to health, especially where consumers’ location data is to be used for a company’s advertising purposes, as they may be held accountable for failing to maintain the privacy and security of individuals’ protected and individually identifiable health information.

The increasing number of lawsuits and news articles regarding use of these technologies demonstrates that third-party technology tracking vendors who receive PHI often are not operating under Business Associate Agreements (BAAs). The vendors in most instances disavow any need to collect PHI and accordingly instruct users to avoid sending PHI or other personally identifiable information. Under HIPAA, covered entities and business associates generally may not disclose PHI to third parties for health care operations purposes, unless such disclosure is to a business associate pursuant to a BAA, or the disclosure is made pursuant to an individual’s HIPAA-compliant authorization.

Not only does sharing PHI through third-party tracking technologies without individuals’ authorizations violate HIPAA, but the FTC has asserted in two recent enforcement actions that the collection and sharing of individuals’ IIHI through these technologies without individuals’ “affirmative express consent” constitutes unfair and deceptive trade practices.