Understand all your legal privacy requirements, beyond HIPAA

The U.S. government is warning telehealth firms about their use of trackers on their websites that may be illegally disclosing customers’ personal health data to third parties. In a letter sent to about 130 hospitals and telehealth providers last year, regulators stated that technologies such as Meta/Facebook pixel and Google Analytics can gather identifiable information about users without their knowledge or ability to opt out. Such trackers could collect data about health conditions, treatments and where a patient is seeking care. The letter also noted that companies not covered by HIPPA still have an obligation to protect health data users disclose on their websites.

The maker of the free Premom ovulation tracking app now has strict limits on sharing user data, following an FTC complaint that it had deceived users by sharing their personal health information with marketers without notification. The FTC alleged Easy Healthcare’s privacy policy made several false promises regarding how it would share personal data and if users could be identified through that data. Regulators claim the company failed to protect sensitive and private information, such as an individual user’s sexual and reproductive health, and their parental and pregnancy status. Easy Healthcare is now barred from sharing data for advertising, and the firm must collect consent before sharing users’ health information for any other reasons. It is also required to disclose to users how their data will be used.

The FTC has fined Cerebral $7 million and set strict limits for how the healthtech firm may use health data in marketing. Regulators allege the company improperly shared its customers’ personal health information to external parties for advertising. According to the FTC, Cerebral sent medical histories, insurance information and prescription data, among other personal information, to third parties that used the information for ads and analytics. In 2023, Cerebral had self-reported a health data breach that affected more than 3 million users. In what the FTC said is a “first-of-its-kind prohibition,” Cerebral is now banned from using any health information for most advertising purposes, and it must get consent for any instances when it does disclose health information. It was also required to post a notice about this penalty on its website and the steps it is taking to remediate the issue.

The My Health My Data Act includes extensive new obligations for many companies that may not realize the sweeping scope of the Act applies to them. While the law was originally intended to protect health data not otherwise covered by HIPPA, the new requirements – including multiple consent requests and complex authorizations – go far beyond HIPPA. Depending on how judges interpret the new law, it could cover a broad range of retailers and other companies that handle personal data about health and related topics.

The FTC has recently ordered several disciplinary actions for healthtech firms that do not follow through with the promises they make in their privacy policies. In one case, regulators sued Monument, which provides alcohol treatment services, for sharing customers’ health data with third-party advertisers without user consent. While Monument repeatedly pledged to not share its users’ personal information, the company in fact shared that data with third-party advertisers through secret trackers. Monument was fined $2.5 million, but that penalty was suspended due to the firm’s inability to pay.

There are 11 new state privacy laws scheduled to go into effect over the next two years, and dozens more currently under consideration by local legislatures. In July, new requirements in Florida, Oregon, and Texas could result in substantial fines for companies that are behind on data collection and consent requirements in those states. While there are similar elements among the new laws, each has unique provisions; for example, Florida’s law will primarily affect large companies, while the laws in Texas and Oregon may also apply to nonprofit groups and small businesses, respectively. Regulatory changes are coming quickly throughout the U.S., and without a thorough understanding of the new laws, your business is vulnerable to legal challenges. Common Sense Privacy closely monitors new legislation and can alert you when your policies fail to meet new requirements.