Last month, Cerebral, Inc., notified the Department of Health and Human Services Office for Civil Rights (“OCR”), and issued a public notice, that nearly 3.2 million individuals may have been affected by a breach of data, including protected health information (“PHI”), as a result of Cerebral’s use of pixels and similar tracking technologies on its platform between October 2019 and January 2023. Cerebral indicated in its notice that these tracking technologies were sharing information with Cerebral subcontractors that may not have had safeguards in place to comply with the Health Insurance Portability and Accountability Act (“HIPAA”) and with which Cerebral did not have adequate business associate agreements (“BAA”).
Depending on the level of an individual’s interaction on Cerebral’s platform, the disclosures may have included the individuals’ name, phone number, email address, date of birth, IP address, Cerebral client ID number, demographic data, service(s) the individual selected, mental health assessment responses, certain associated health information, subscription plan type purchased, appointment dates and other booking information, treatment and other clinical information, health insurance and pharmacy benefit information, and insurance co-pay amount. The tracking technologies did not redisclose any financial information or social security numbers.
This breach announcement follows a December 2022 OCR bulletin on the “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” The bulletin was meant to emphasize that regulated entities must maintain compliance with HIPAA in their use of these technologies, which commonly collect and disclose a variety of information that the individual provides when using the entities’ websites or mobile apps, including individually identifiable health information (“IIHI”). The disclosed information might include an individual’s medical record number, home or email address, and dates of appointments, as well as their IP address or geographic location, medical device IDs, or any unique identifying code. Most IIHI collected on a regulated entity’s website or mobile app is PHI. The bulletin emphasizes that regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or in any other violation of HIPAA. Further, regulated entities must ensure that all tracking technology vendors have signed adequate BAAs.
While Cerebral’s breach notification was issued pursuant to HIPAA, it follows the recent trend of enforcement actions taken by the Federal Trade Commission (“FTC”), which includes a $1.5 million penalty against GoodRX to enforce the Health Breach Notification Rule, and a settlement with Cerebral competitor BetterHelp, for impermissible consumer data disclosures, that resulted in a proposed $7.8 million fine. Both actions responded to breaches in which personal health information was impermissibly shared with third parties for advertising purposes. The FTC accompanied these actions with statements that its enforcement was intended to “[convey] an unmistakable message about just how seriously the FTC takes this kind of betrayal of trust” and that the “[FTC] will use all of its legal authority to protect American consumers’ sensitive data.”
OCR’s bulletin and Cerebral’s breach notification reinforce that covered entities and their business associates must evaluate their use of tracking technologies on websites and applications to ensure that any collection and sharing of data is permissible and is not overlooked in the organization’s regular risk assessment. With the increased agency attention to privacy, security, and breach penalties, businesses with access to PHI or health data can expect greater scrutiny. It is recommended that these entities review and revise their policies and procedures to ensure compliance and avoid penalties.
How Frier Levitt Can Help
Data privacy regulations continue to evolve, including the implementation and enforcement of various state privacy regimes. Organizations with access to PHI or other health data must ensure their practices are consistent with applicable federal and state laws that govern how such data is accessed, used, and shared. Contact Frier Levitt for assistance in determining how HIPAA and FTC data privacy rules impact your business model and what measures you must take to ensure your business is complying with these rules and prepared to respond in the event of a breach.