FTC, OCR send warning letter to hospitals about online tracking pixels

The agencies contacted 130 health systems and telehealth providers by mail to emphasize the potential HIPAA risks of using Meta/Facebook pixel and Google Analytics tracking tools that may be "impermissibly disclosing" protected health information.
By Andrea Fox
10:25 AM

Photo: Andrea Piacquadio from Pexels

The Federal Trade Commission joined the U.S. Health and Human Services Office for Civil Rights this week in reminding healthcare organizations about their responsibilities for third-party disclosures of protected health information under HIPAA, the FTC Act and the FTC Health Breach Notification Rule.

WHY IT MATTERS 

While OCR has addressed the privacy and security risks related to healthcare organizations that knowingly or unknowingly use third-party tracking tools that can analyze, gather and share sensitive medical data with advertising partners under HIPAA, the FTC is also using its authority to protect consumers’ health information from "potential misuse and exploitation." 

"These tracking technologies gather identifiable information about users, usually without their knowledge and in ways that are hard for users to avoid, as users interact with a website or mobile app," the agencies said in their announcement about the joint letter, posted on the HHS website, on Thursday.

They go on to describe how integrated tools on hospital and telemedicine websites can not only send PHI information directly back, but third parties like Google and Meta/Facebook may continue to track and gather information about patients even after they navigate away.

Several lawsuits allege that online tracking companies share PHI with their advertising partners, which target the patient with ads and other content. The class action lawsuits may also seek that any profit that hospitals may have made from selling the data be paid to patient victims, damages which some Louisiana hospitals may be facing

The letter reiterates that HIPAA Rules apply when the information that a regulated entity collects through tracking technologies or discloses to third parties (e.g., tracking technology vendors) includes PHI. 

In December 2022, OCR released a bulletin about the use of online tracking technologies by HIPAA-regulated entities and provides a general overview of how the HIPAA Rules apply.

The FTC adds a warning about consumer protection laws. 

"Even if you are not covered by HIPAA, you still have an obligation to protect against impermissible disclosures of personal health information under the FTC Act and the FTC Health Breach Notification Rule."

"This is true even if you relied upon a third party to develop your website or mobile app and even if you do not use the information obtained through use of a tracking technology for any marketing purposes." 

THE LARGER TREND

When OCR issued guidance on the use of online tracking tools, it reminded regulated entities of their obligations to comply with HIPAA's Privacy, Security and Breach Notification Rules and explained what steps healthcare organizations and others must take to protect PHI on user-authenticated and other applicable webpages and forms.

"In these circumstances, regulated entities must ensure that the disclosures made to such vendors are permitted by the privacy rule and enter into a business associate agreement with these tracking technology vendors to ensure that PHI is protected in accordance with the HIPAA Rules," OCR said in the bulletin.

OCR said it continues to be concerned about disclosures of health information to third parties.

"Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital’s website," Melanie Fontes Rainer, OCR's director, said in a statement about the joint letter with the FTC. 

ON THE RECORD

"When consumers visit a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties," said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a statement. 

"The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue doing everything in our powers to protect consumers’ health information from potential misuse and exploitation."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.