The U.S. Department of Health and Human Services Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) sent an alert on July 20 cautioning some 130 hospital systems and telehealth providers that using online tracking technologies on their websites or mobile apps may pose privacy and security risks by impermissibly disclosing consumers’ sensitive personal health data to third parties.
Third-party-developed tracking technologies, such as the Meta/Facebook Pixel and Google Analytics, collect and analyze information about how users interact with websites or mobile apps. The alert said these tools may send that information directly to their third-party developers and may continue to track users and gather information about them even after they navigate away from the original website to other websites, which can violate the Health Insurance Portability and Accountability Act (HIPAA) rules.
“Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital’s website,” said Melanie Fontes Rainer, OCR director. “OCR continues to be concerned about impermissible disclosures of health information to third parties and will use all of its resources to address this issue.”
“When consumers visit a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue doing everything in our powers to protect consumers’ health information from potential misuse and exploitation.”
OCR highlighted these concerns in a bulletin it issued late last year that reminded entities covered by HIPAA of their responsibilities to protect health data from unauthorized disclosure under the law. Since that time, OCR has confirmed its active investigations nationwide to ensure compliance with HIPAA.
“Companies not covered by HIPAA still have a responsibility to protect against the unauthorized disclosure of personal health information — even when a third party developed their website or mobile app,” the alert said. “Through its recent enforcement actions against BetterHelp, GoodRx and Premom, as well as recent guidance from the FTC’s Office of Technology, the FTC has put companies on notice that they must monitor the flow of health information to third parties that use tracking technologies integrated into websites and apps. The unauthorized disclosure of such information may violate the FTC Act and could constitute a breach of security under the FTC’s Health Breach Notification Rule.”