Scrutiny Over Health Data Tracking, Disclosures Grows
Regulators and Legislators Paying Closer Attention to Privacy Controversies
Privacy concerns over Silicon Valley's collection of sensitive health data from consumers without their knowledge or consent have become enforcement priorities for U.S. federal regulators.
Online trackers such as Google Analytics "present significant HIPAA compliance concerns," said Melanie Fontes Rainer, director of the Department of Health and Human Services' Office for Civil Rights. She spoke during a virtual conference Tuesday afternoon.
"This is an area of enforcement priority and interest for OCR especially in light of the public attention this has been getting," she added.
The Office for Civil Rights becomes particularly alarmed, she said, if a third-party tracking company has access to electronic protected health information but has not signed a business associate agreement that limits its use of the data and binds it to comply with the HIPAA rules.
Rainer's office in December issued guidance highlighting the risks to covered entities and individuals regarding the use of tracking tools (see: HHS: Web Trackers in Patient Portals Violate HIPAA).
The Federal Trade Commission will also continue to scrutinize how tech companies handle sensitive health information, said Elisa Jillson, an attorney with the FTC's Division of Privacy and Identity Protection in the Bureau of Consumer Protection, during the same virtual conference.
The FTC's recent enforcement action against telehealth and discount prescription drug company GoodRx is an example of the kinds of cases that the agency is keeping a close eye on, she said (see: FTC Hits Firm with $1.5M Fine in Health Data-Sharing Case).
The FTC in February hit GoodRx with a $1.5 million civil penalty for failing to disclose to consumers that it had shared their data with advertisers, including Facebook and Google, contrary to the company's privacy promises, and for failing to report those disclosures under the FTC's Health Breach Notification Rule.
GoodRx "is a wake-up call to the market," Jillson said.
A slew of members of Congress have also pressured tech companies over their collection of health data from patient portals and other online medical websites.
Most recently, a trio of Democratic senators proposed legislation banning the collection of personally identifiable health data from "any source," including wearable devices and websites, for use in commercial advertising absent consumers' consent. The bill would also ban the sale of location data to or by data brokers.
The bill, the Upholding Protections for Health and Online Location Data Privacy Act is sponsored by Sen. Amy Klobuchar of Minnesota and has the backing of Sen. Elizabeth Warren of Massachusetts and Sen. Mazie Hirono of Hawaii.
Without Republican backers, the chances of the UPHOLD legislation advancing in a politically divided Congress are slim.
The legislation is nonetheless an example of the growing scrutiny of health-related data tracking and disclosures, some privacy advocates say.
"Over the past several years, there has been a growing general public awareness of the fact that much of the sensitive consumer health data collected by websites and apps is not protected by HIPAA," said Felicity Slater, a policy fellow with the Future of Privacy Forum.