OCR/FTC Warn Hospitals & Telehealth Companies About Tracking Technologies
The Department of Health and Human Services’ Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) have written to 130 hospitals and telehealth providers warning them about the risks of using tracking technologies such as pixels on their websites and web apps, which may disclose sensitive health information to third parties in violation of the HIPAA Rules and the FTC Act.
A study published in Health Affairs suggests 98.6% of US nonfederal acute care hospitals have used tracking technologies on their websites, and a 2022 analysis by The Markup found one-third of the top 100 hospitals in the United States were using tracking technologies on their websites that could collect individually identifiable information, including information about health conditions. Following these discoveries, several hospitals and health systems reported breaches of protected health information, some of which involved impermissible disclosures of millions of patient records.
A later study by The Markup found that the technologies were also widely used by telehealth companies. Even companies that are not required to comply with the HIPAA Rules have an obligation to protect personal health information against impermissible disclosure. The FTC has already taken action against entities that are not covered by HIPAA, such as GoodRx, BetterHelp, and Premom, over the use of these tracking technologies for alleged violations of the FTC Act and Health Breach Notification Rule.
In December 2022, OCR issued guidance to HIPAA-regulated entities on HIPAA and tracking technologies. While these tools can provide valuable insights for improving the services provided to patients, these technologies can collect and transmit information protected by HIPAA. Further, these technologies also permit the tracking of users even after they navigate away from the website or mobile app where the tracking technology is used. Any information transmitted to a third party may then be used for a purpose not permitted under the HIPAA Rules, and the collected information may be further disclosed to other third parties.
“When consumers visit a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue doing everything in our powers to protect consumers’ health information from potential misuse and exploitation.”
“Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital’s website,” said Melanie Fontes Rainer, OCR Director. “OCR continues to be concerned about impermissible disclosures of health information to third parties and will use all of its resources to address this issue.”
The letters were jointly sent by OCR and the FTC to 130 entities cautioning them about tracking technologies on websites and mobile apps that can potentially disclose sensitive health data. The organizations that were sent the letters are believed to have used, or to be using, tracking technologies such as Pixel from Meta/Facebook and Google Analytics code to collect and analyze user interactions on websites and web apps. The letters do not mean that an organization has been found to have violated HIPAA or the FTC Act, nor does the failure to receive a letter mean that an organization is in the clear. All organizations that collect personal health information should review their websites and web apps to identify any tracking technologies and ensure they are fully compliant with all relevant laws. If tracking technologies are discovered to have been used on websites or apps that impermissibly disclosed personal health information or protected health information to third parties, then the breaches should be reported in accordance with the HIPAA Breach Notification Rule and the FTC Health Breach Notification Rule.
“Both agencies are closely watching developments in this area,” explained the FTC and OCR in the letters. “To the extent you are using the tracking technologies described in this letter on your website or app, we strongly encourage you to review the laws cited in this letter and take actions to protect the privacy and security of individuals’ health information.”