The Authors

Patricia Markus, Nelson Mullins
Patricia A. Markus (trish.markus@nelsonmullins.com) represents health care providers and health technology companies across the country on wide-ranging regulatory compliance, reimbursement, licensure, and operational matters, with a special focus on issues surrounding health information privacy, security, and technology.
Shane Duer, Nelson Mullins
Shane Duer (shane.duer@nelsonmullins.com) focuses his practice on healthcare regulatory and corporate matters, with an emphasis on data privacy, cyber security, and information management concerns within and beyond the health care industry.
The Journal on Emerging Issues in Litigation

Digital Health Care Companies, Beware

Federal Agencies Are Tracking Your Use of Online Tracking Technologies.

Abstract: Health care industry stakeholders have regularly used online tracking technologies to help improve patient experience. However, growing scrutiny by the Office for Civil Rights, which enforces the Health Insurance Portability and Accountability Act of 1996 (HIPAA), requires covered entities and business associates to proceed cautiously in their use of such technologies. In addition, recent enforcement actions by the Federal Trade Commission make clear that a wide range of digital health companies, whether or not regulated by HIPAA, must tread carefully when collecting and disclosing personal information related to health, especially where consumers’ location data is to be used for a company’s advertising purposes, as they may be held accountable for failing to maintain the privacy and security of individuals’ protected and individually identifiable health information.

The increasing number of lawsuits and news articles regarding use of these technologies demonstrates that third-party tracking technology vendors who receive protected health information (PHI) often are not operating under Business Associate Agreements (BAAs). In most instances the vendors disavow any need to collect PHI and accordingly instruct users to avoid sending PHI or other personally identifiable information. Under HIPAA, covered entities and business associates generally may not disclose PHI to third parties for health care operations purposes unless the disclosure is made to a business associate pursuant to a BAA, or pursuant to an individual’s HIPAA-compliant authorization.

Not only does sharing PHI through third-party tracking technologies without individuals’ authorizations violate HIPAA, but the FTC has asserted in two recent enforcement actions that the collection and sharing of individuals’ individually identifiable health information (IIHI) through these technologies without individuals’ “affirmative express consent” constitutes unfair and deceptive trade practices.