The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

OCR/FTC Warn Hospitals & Telehealth Companies About Tracking Technologies

Posted By on Jul 21, 2023

The Department of Health and Human Services’ Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) have written to 130 hospitals and telehealth providers warning them about the risks of using tracking technologies such as pixels on their websites and web apps which may disclose sensitive health information to third parties in violation of the HIPAA Rules and the FTC Act.

A study published in Health Affairs suggests 98.6% of US nonfederal acute care hospitals have used tracking technologies on their websites, and a 2022 analysis by The Markup found one-third of the top 100 hospitals in the United States were using tracking technologies on their websites that could collect individually identifiable information, including information about health conditions. Following these discoveries, several hospitals and health systems reported breaches of protected health information, some of which involved impermissible disclosures of millions of patient records.

A later study by The Markup found that the technologies were also widely used by telehealth companies. Even companies that are not required to comply with the HIPAA Rules have an obligation to protect personal health information against impermissible disclosure. The FTC has already taken action against entities that are not covered by HIPAA, such as GoodRx, BetterHelp, and Premom, over the use of these tracking technologies for alleged violations of the FTC Act and Health Breach Notification Rule.

In December 2022, OCR issued guidance to HIPAA-regulated entities on HIPAA and tracking technologies. While these tools can provide valuable insights for improving the services provided to patients, these technologies can collect and transmit information protected by HIPAA. Further, these technologies also permit the tracking of users even after they navigate away from the website or mobile app where the tracking technology is used. Any information transmitted to a third party may then be used for a purpose not permitted under the HIPAA Rules, and the collected information may be further disclosed to other third parties.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

“When consumers visit a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue doing everything in our powers to protect consumers’ health information from potential misuse and exploitation.”

“Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital’s website,” said Melanie Fontes Rainer, OCR Director. “OCR continues to be concerned about impermissible disclosures of health information to third parties and will use all of its resources to address this issue.”

The letters were jointly sent by OCR and the FTC to 130 entities cautioning them about tracking technologies on websites and mobile apps that can potentially disclose sensitive health data. The organizations that were sent the letters are believed to have used or are using tracking technologies such as Pixel from Meta/Facebook and Google

Analytics code to collect and analyze user interactions on websites and web apps. The letters do not mean that an organization has been found to be in violation of violated HIPAA or the FTC Act nor does the failure to receive a letter mean that an organization is in the clear. All organizations that collect personal health information should review their websites and web apps to identify any tracking technologies and ensure they are fully compliant with all relevant laws. If tracking technologies are discovered to have been used on websites or apps that impermissibly disclosed personal health information or protected health information to third parties, then the breaches should be reported in accordance with the HIPAA Breach Notification Rule and FTC Health Breach Notification Rule.

“Both agencies are closely watching developments in this area,” explained the FTC and OCR in the letters. “To the extent you are using the tracking technologies described in this letter on your website or app, we strongly encourage you to review the laws cited in this letter and take actions to protect the privacy and security of individuals’ health information.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist