The Federal Trade Commission (FTC) and U.S. Department of Health and Human Services (HHS) recently issued warnings to hospital systems and telehealth providers today about the privacy and security risks associated with online tracking technologies. The letter highlighted concerns related to the potential sharing of users' sensitive health information through those technologies.

“When consumers visit a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a July 20 news release.

Hospitals and telehealth providers are being warned about the potential privacy and security risks associated with the use of online tracking technologies on their websites or mobile apps, according to the release. The agencies are concerned that such technologies may inadvertently disclose consumers' sensitive personal health data to third parties. 

Despite the potential benefits of the tracking technologies, the agencies emphasize patients and users should not have to compromise the privacy of their health information when engaging with health care providers online, the release reported. Melanie Fontes Rainer, OCR director, asserted that the agency will employ all available resources to address the issue.

Approximately 130 hospital systems and telehealth providers received the joint letter from the agencies alerting them to the risks and concerns related to the use of tracking technologies like the Meta/Facebook pixel and Google Analytics, the release said. Those technologies collect identifiable user information without users' explicit knowledge, making it difficult for users to avoid being tracked while interacting with a website or mobile app. 

The letter reiterated the dangers posed by the unauthorized disclosure of personal health information to third parties. Such disclosures could potentially reveal sensitive details like health conditions, diagnoses, medications, medical treatments, frequency of medical visits and an individual's preferred medical facilities, according to the release. Entities not covered by HIPAA also have a responsibility to safeguard personal health information from unauthorized disclosure, even if a third party developed their website or app.

The FTC's recent enforcement actions against companies such as BetterHelp, GoodRx and Premom, as well as guidance from the FTC's Office of Technology, emphasize the need for companies to monitor the flow of health information to third parties using tracking technologies integrated into websites and apps, the release said. Unauthorized disclosure of such data could lead to FTC Act violations and breaches of security under the FTC's Health Breach Notification Rule.