Nationwide, the Federal Trade Commission (FTC) and the U.S. Department of Health and Human Services (HHS) have issued warnings to hospital systems and telehealth providers concerning the privacy and security risks posed by online tracking technologies. The letters emphasize the concerns arising from the potential sharing of a user's sensitive health information through the use of those technologies.

“When consumers visit a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in an official news release this week.

The FTC and HHS' Office for Civil Rights (OCR) jointly cautioned hospitals and telehealth providers regarding the privacy and security risks associated with online tracking technologies integrated into their websites or mobile apps, the release said. Those technologies, such as the Meta/Facebook Pixel and Google Analytics, may inadvertently disclose consumers' sensitive personal health data to third parties. 

The agencies sent a letter to approximately 130 hospital systems and telehealth providers, alerting them to the risks of using tracking technologies that gather identifiable information about users without their knowledge, potentially compromising their privacy when interacting with websites or apps, according to the release.

The joint letter reiterated the concerns related to the unauthorized disclosure of personal health information to third parties, the release said. Such disclosures could reveal sensitive details about an individual's health conditions, diagnoses, medications, medical treatments, frequency of visits to health care professionals and medical treatment locations. The Health Insurance Portability and Accountability Act (HIPAA)-covered entities were reminded of their responsibilities to safeguard health data from unauthorized disclosure under the law, while companies not covered by HIPAA were also reminded of their obligation to protect against the unauthorized disclosure of personal health information.

Recent enforcement actions and guidance from the FTC have emphasized the need for companies to monitor the flow of health information to third parties using tracking technologies integrated into websites and apps, the release said. Violations of privacy regulations may lead to consequences under the FTC Act and potential breaches of security under the FTC's Health Breach Notification Rule. The FTC is committed to promoting competition, protecting consumers and educating the public about consumer topics.