Office for Civil Rights Director Melanie Fontes Rainer | Melanie Fontes Rainer/LinkedIn

Fontes Rainer: 'Patients and others should not have to sacrifice the privacy of their health information when using a hospital’s website'


Around 130 hospital systems and telehealth providers received a cautionary letter from the U.S. Department of Health and Human Services and the Federal Trade Commission, highlighting concerns about the privacy and security risks related to the incorporation of online tracking technologies into their websites or mobile apps. 

“Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital’s website,” U.S. Department of Health and Human Services OCR Director Melanie Fontes Rainer said in a July 20 news release. “OCR continues to be concerned about impermissible disclosures of health information to third parties and will use all of its resources to address this issue.”

These technologies, such as the Meta/Facebook pixel and Google Analytics, may disclose sensitive personal health data to third parties without users' knowledge, even after they leave the original website, the release said.

In the letter, HHS's Office for Civil Rights and the FTC warn hospitals and telehealth providers about the privacy and security risks of online tracking technologies integrated into their websites or mobile apps, which may be impermissibly disclosing sensitive personal health data about customers to third parties, the release reported. Tracking technologies are used to track and analyze users' interactions with websites and mobile apps.

Most tracking technologies created by third parties transmit data directly to the third parties that created them, and they may keep tabs on users and collect information about them even after they leave the original website and visit other websites, according to the release.

The Health Insurance Portability and Accountability Act of 1996 Privacy, Security and Breach Notification Rules, which set baseline privacy and security standards for protecting certain individually identifiable health information, are administered and enforced by OCR, the release said. The FTC's mission is to protect the public from deceptive or unfair business practices and from unfair methods of competition through law enforcement, advocacy, research and education.

The letter emphasized the dangers and issues associated with the usage of technology like the Meta/Facebook pixel and Google Analytics that can monitor a user's online behavior, according to the release. As users engage with a website or mobile app, these tracking technologies collect personally identifiable information about them, frequently without their knowledge and in ways that are challenging for them to avoid.
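A practical first step for a hospital's web or security team is to inventory which pages load the trackers named in the letter. The following is an added example, not code from the news release or from either agency: a small offline audit that parses a page's HTML and flags script, image and iframe tags pointing at the hosts that serve the Meta/Facebook pixel and Google Analytics, plus inline `fbq(` and `gtag(` initialisation calls. The hostname list and inline markers are assumptions chosen for illustration (extend them with your own third-party tag inventory), and the sample page below is constructed with placeholder tracker IDs.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed hostnames that serve the trackers named in the HHS/FTC letter.
# Extend this mapping with whatever other third-party tags your site loads.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta/Facebook pixel",
    "www.facebook.com": "Meta/Facebook pixel (noscript image beacon)",
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Analytics / Tag Manager",
}

# Inline JavaScript calls that initialise the same trackers even when the
# loader script is bundled into first-party code rather than loaded by src.
INLINE_MARKERS = {
    "fbq(": "Meta/Facebook pixel (inline fbq call)",
    "gtag(": "Google Analytics (inline gtag call)",
}


class TrackerAudit(HTMLParser):
    """Collects (where, what, label) findings for third-party tracking tags."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._script_buf = None  # buffers inline <script> text until </script>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._script_buf = []
        src = attrs.get("src")
        # Externally loaded resources: check the host the browser will contact.
        if tag in ("script", "img", "iframe") and src:
            host = (urlparse(src).hostname or "").lower()
            if host in TRACKER_HOSTS:
                self.findings.append((tag, host, TRACKER_HOSTS[host]))

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            body = "".join(self._script_buf)
            self._script_buf = None
            # Inline loaders usually embed the tracker URL as a string literal.
            for host, label in TRACKER_HOSTS.items():
                if host in body:
                    self.findings.append(("inline-script", host, label))
            # ...and then call the tracker's global function.
            for marker, label in INLINE_MARKERS.items():
                if marker in body:
                    self.findings.append(("inline-script", marker, label))


def audit_html(html):
    """Return a list of (where, what, label) tuples for one page's HTML."""
    parser = TrackerAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


def summarize(findings):
    """Distinct tracker labels seen on the page, sorted for stable reporting."""
    return sorted({label for _, _, label in findings})


# Constructed sample page with placeholder IDs; not captured from any real site.
SAMPLE_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date()); gtag('config', 'G-EXAMPLE');
</script>
<script>
  !function(f,b,e,v,n,t,s){ /* loader body elided */ }(window,document,'script',
    'https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', '000000000000000'); fbq('track', 'PageView');
</script>
</head><body>
<noscript><img height="1" width="1"
  src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
<h1>Find a doctor</h1>
<script src="/static/app.js"></script>
<img src="/static/logo.png" alt="logo">
</body></html>"""


if __name__ == "__main__":
    for where, what, label in audit_html(SAMPLE_PAGE):
        print(f"{where:14} {what:40} {label}")
    print("trackers present:", summarize(audit_html(SAMPLE_PAGE)))
```

Run this over saved copies of the pages that matter most (appointment booking, symptom checkers, patient portal entry points) and compare the output against the list of vendors that actually have a business associate agreement in place; any tracker that appears on the page but not on that list is the disclosure the letter is describing.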

In a bulletin late last year, OCR emphasized these concerns and reminded HIPAA-covered organizations of their legal obligations to safeguard health information from unauthorized disclosure, the release said. Since then, OCR has acknowledged it is conducting investigations around the country to ensure HIPAA compliance. Businesses that are not covered by HIPAA are nonetheless required to prevent the unlawful exposure of personal health information, even if a third party built their website or mobile app.

Through its recent enforcement actions against BetterHelp, GoodRx and Premom, as well as recent guidance from the FTC's Office of Technology, the FTC has warned businesses that they must monitor the flow of health information to third parties that use tracking technologies built into websites and apps, the release reported. Under the FTC's Health Breach Notification Rule, the unauthorized disclosure of such information can violate the FTC Act and amount to a breach of security.
