Where are HHS and the FTC on online privacy for people with substance use disorder?

The era of rampant, unconsented, and unregulated online data collection may finally be winding down for consumer health data. But the advances in consumer privacy have not yet fully reached the millions of people with health information related to their drug use, substance use disorder treatment, or recovery.

In July, two key agencies for consumer health privacy, the Department of Health and Human Services and the Federal Trade Commission, sent letters to 130 hospital systems and telehealth providers cautioning against the use of online trackers that may be impermissibly sharing consumers’ sensitive health data. Similarly, last year, the agencies worked together in releasing a tool to clarify which federal privacy laws might apply to health apps and the consumer data they collect, generate, use, store, and share.

In our increasingly digital world, it is encouraging to see HHS and the FTC taking a proactive, collaborative approach to consumer health privacy online, but there is a gaping hole at the center of their work: the privacy rights of people seeking services online for health issues related to drug use.

Today, the tens of millions of Americans who use drugs and alcohol nationwide can seek help from thousands of online services. These apps and websites offer to help you set goals for alcohol consumption, track your daily drinks, locate a provider to treat opioid use disorder, connect you to a counselor who specializes in stimulant use disorder, or provide the platform for your telehealth visits with a treatment program.

For people who cannot access such supports in person, these online services may be enormously beneficial. But they may also collect very sensitive data about current and recent criminalized drug use that can potentially lead to arrest and prosecution, as well as family separation, eviction, deportation, discrimination, and denial of health care services, insurance, or employment.

Given the potential weaponization of this data and the importance of expanding access to health services for people who use drugs, it is hard to understand why HHS and the FTC are not using a powerful tool at their disposal: the HHS regulations at 42 CFR Part 2 (more commonly known as Part 2), which provide robust privacy protections for people with substance use disorder (SUD) treatment records. These privacy regulations almost certainly apply to data collected by many of these websites, apps, and telehealth platforms offering SUD treatment services.

But HHS and the FTC remain silent: Neither federal agency has issued any guidance, enforcement actions, or public statements affirming Part 2’s role in protecting SUD privacy online. The FTC’s recent enforcement actions have addressed apps providing reproductive health and mental health services, but the commission has not yet addressed any of the thousands of apps providing services related to drug use, addiction, and recovery.

Even though Part 2 likely applies to data collected online by some addiction-related apps and websites, the lack of any federal guidance or enforcement leaves companies’ privacy practices operating in a regulatory gray area that ultimately harms consumers. For example, after the FTC and HHS released guidance about the prohibited use of trackers on HIPAA-covered entities’ websites, two alcohol recovery apps announced in March that they used the guidance to determine that they had impermissibly shared more than 100,000 patients’ personal information and health data with advertisers for years. But the notice to patients only referred to “HIPAA and all other applicable law,” without addressing Part 2 at all.

Moreover, HHS-FTC’s silence on Part 2 is hard to understand, considering the two agencies’ concerted effort elsewhere to address multiple federal privacy laws and regulations. For example, the privacy tool for health apps covers a half-dozen laws and regulations, including the HIPAA Privacy, Security, and Breach Notification Rules, the Information Blocking Regulations, and the Federal Food, Drug, and Cosmetic Act.

Part 2’s privacy protections matter for people with sensitive and often criminalized health information. In the wake of the Supreme Court’s decision in Dobbs, privacy for criminalized health data has attracted more attention; for example, more than three dozen members of Congress recently wrote a letter calling on the Biden administration to end the “warrantless government surveillance” permitted by the HIPAA Privacy Rule.

Unlike the HIPAA Privacy Rule, Part 2 already prohibits law enforcement from accessing or using SUD treatment data without strict judicial oversight: If law enforcement subpoenas an app that falls under the SUD privacy regulations, Part 2 prohibits the app from turning over any patient records unless law enforcement first obtains a judicial court order finding that there was no other way of obtaining the information, the information is needed to investigate an “extremely serious” crime, and the need for the disclosure outweighs the potential injury to the patient, the physician-patient relationship, and the ability of the provider to offer services to other patients, among other criteria. Perhaps more than any other privacy framework, Part 2 recognizes that the criminalization of health information can ultimately deter people from seeking services and getting treatment, and so its protections go further than HIPAA to safeguard people against warrantless government surveillance.

Plain and simple: The privacy protections under Part 2 are integral to the well-being of people who use drugs, and it is past time for the HHS-FTC collaboration to address their online privacy rights.

For one easy first step, HHS and the FTC should add Part 2 to the list of “relevant” federal privacy laws and regulations in the FTC’s mobile health tool. At the Legal Action Center, where I work, we created this short and simple “mHealth SUD Privacy tool” to help fill the gap and explain how Part 2 may apply to mobile health apps offering SUD treatment services.

Secondly, HHS and the FTC should correct the record and ensure that future action on consumer health privacy incorporates the important privacy protections in Part 2. They can start by looking at all the ways that individuals’ privacy rights are overlooked, misunderstood, or violated in the SUD mHealth ecosystem. For example, our report in collaboration with the Opioid Policy Institute, “Websites for Opioid Addiction Treatment and Recovery Services: Data Sharing and Privacy Risks,” details troubling privacy practices on a dozen popular treatment and recovery sites over a 16-month period. Once the issues are identified, they should work together to make sure their regulatory actions are addressing Part 2 throughout the online ecosystem of treatment and recovery support.

As we continue to lose more and more people each year to fatal overdose, it’s crystal clear that we need to be doing all we can to expand access to care and promote treatment over punishment. Online services offer to help bridge that gap, but individuals should not need to pay with their privacy in order to access services. For their part, the next coordinated action by HHS and the FTC must include and uplift the privacy rights of people who use drugs and people with substance use disorder treatment records. Lives depend on it.

Jacqueline Seitz is a lawyer and deputy director of health privacy at Legal Action Center, where she advocates for the rights of people who use drugs and people living with HIV.