Website and application tracking technology has attracted a lot of attention over the past 12 months. The technology – often referred to as pixels, after the 1x1 tracking images originally used for the purpose – consists of small snippets of code added to websites and web applications to monitor user activity within the website or application. These snippets collect information about how users interact with the site or app, and the developers can use it to make improvements. If an important web page is not being visited, for example, the internal links to that page can be made more prominent to increase visitor numbers.
The code snippets are extensively used on websites and applications and are typically provided by third parties such as Google (Google Analytics) and Meta (Meta Pixel). The information collected is sent back to the snippet provider, and in the case of Meta it can be used for advertising on platforms such as Facebook and Instagram. If a user is logged into their Facebook account when they visit a website that has Meta Pixel installed, the information collected can be linked to that individual, because the pixel's requests to Meta's servers carry the visitor's Facebook cookies along with details such as the page URL.
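The following Python scan is an added example, not code from the article or from any vendor. It shows the check a practitioner would run on a health-related page before it ships: parse the HTML for the public script hosts and JavaScript globals used by Meta Pixel and Google Analytics, and separately list every third-party host the page contacts, since any such host learns at least the page URL and the visitor's cookies for that host. The hospital domain, the pixel and measurement IDs, and the two sample pages are constructed placeholders.

```python
"""Static scan of a web page for third-party tracking code.

Added example, not from the article or any vendor. The signatures are the
public script hosts and JavaScript globals used by Meta Pixel and Google
Analytics; the sample pages and all IDs/domains in them are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Substrings identifying each vendor, whether loaded as an external script,
# fired as a 1x1 <img>, or bootstrapped from an inline snippet.
TRACKER_SIGNATURES = {
    "Meta Pixel": ("connect.facebook.net", "fbevents.js", "facebook.com/tr", "fbq("),
    "Google Analytics": ("googletagmanager.com/gtag/js", "google-analytics.com", "gtag("),
}
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


class ResourceCollector(HTMLParser):
    """Collects external src URLs and the bodies of inline <script> tags."""

    def __init__(self):
        super().__init__()
        self.sources = []         # (tag, url) for script/img/iframe src
        self.inline_scripts = []  # raw JavaScript from inline <script>
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        if tag in ("script", "img", "iframe") and attrs.get("src"):
            self.sources.append((tag, attrs["src"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline_scripts.append(data)


def _collect(html):
    collector = ResourceCollector()
    collector.feed(html)
    collector.close()
    return collector


def find_trackers(html):
    """Return {vendor: [evidence, ...]} for each known tracker on the page."""
    page, found = _collect(html), {}
    for vendor, needles in TRACKER_SIGNATURES.items():
        evidence = [f"<{tag} src={url}>" for tag, url in page.sources
                    if any(n in url for n in needles)]
        evidence += ["inline script: " + " ".join(body.split())[:70]
                     for body in page.inline_scripts if any(n in body for n in needles)]
        if evidence:
            found[vendor] = evidence
    return found


def third_party_hosts(html, first_party):
    """Return hosts contacted by the page that are not first_party or a subdomain.

    Catches trackers the signature list does not know: every host that
    receives a request on page load sees the page URL and its own cookies.
    """
    page = _collect(html)
    urls = [url for _, url in page.sources]
    for body in page.inline_scripts:
        urls.extend(URL_RE.findall(body))   # script URLs loaded from inline JS
    hosts = set()
    for url in urls:
        if url.startswith("//"):            # protocol-relative URL
            url = "https:" + url
        host = urlparse(url).hostname
        if host and host != first_party and not host.endswith("." + first_party):
            hosts.add(host)
    return hosts


# Constructed sample: a patient-portal appointment page carrying a Google
# Analytics (gtag.js) snippet and a Meta Pixel bootstrap (body shortened).
# "G-PLACEHOLDER" and the zero pixel ID are stand-ins, not real IDs.
TRACKED_PAGE = """<html><head><title>Book an appointment - Oncology</title>
<script src="/static/portal.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-PLACEHOLDER');</script>
<script>!function(f,b,e,v,n,t,s){/* bootstrap body omitted in this sample */}
(window, document, 'script', 'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000'); fbq('track', 'PageView');</script>
<noscript><img height="1" width="1" style="display:none"
src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1"/></noscript>
</head><body><img src="https://portal.example-hospital.org/static/logo.png" alt="logo">
<h1>Schedule a visit with our oncology team</h1></body></html>"""

# Constructed sample: the same page with no third-party code.
CLEAN_PAGE = """<html><head><title>Book an appointment - Oncology</title>
<script src="/static/portal.js"></script></head>
<body><img src="https://portal.example-hospital.org/static/logo.png" alt="logo">
<h1>Schedule a visit with our oncology team</h1></body></html>"""

if __name__ == "__main__":
    for vendor, evidence in find_trackers(TRACKED_PAGE).items():
        print(vendor, *evidence, sep="\n    ")
    print("third-party hosts:", sorted(third_party_hosts(TRACKED_PAGE, "example-hospital.org")))
```

The signature list catches the two vendors the article names; `third_party_hosts` is the more general control, because any cross-origin request made while a page titled "Book an appointment - Oncology" loads discloses that visit to whoever operates the host, whether or not the scanner recognises them. Run it against rendered HTML (after server-side templating), since tag managers commonly inject further trackers that a scan of the source template would miss.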
When these code snippets are used by healthcare organizations there is significant potential for protected health information to be transferred, and for those disclosures to be lawful under HIPAA, website visitors must give a valid HIPAA authorization; accepting a cookie banner does not meet that standard. Alternatively, the disclosure must be permitted by the HIPAA Privacy Rule and the tracking vendor must be a business associate with a business associate agreement in place. The extent to which these technologies were used was highlighted by a study last summer by The Markup, which revealed that one-third of the top 100 hospitals in the United States were using tracking code on their websites. The revelations prompted the HHS’ Office for Civil Rights (OCR) to issue HIPAA guidance on the use of these code snippets.
The Federal Trade Commission (FTC) has also been taking an interest and has been investigating disclosures of sensitive health information to social media networks and other third parties by organizations not covered by HIPAA, such as health app providers and companies that offer health-related online services. Currently, there is nothing unlawful about non-HIPAA-covered entities using these tracking technologies, or even collecting and disclosing health information for advertising purposes, provided consumers are informed about the disclosures and give their consent. The FTC has recently announced settlements with two companies over the use of code snippets and the transfer of identifiable health information to third parties after the companies had stated on their platforms that the health data they collected would be protected and not disclosed to third parties.
A follow-up study by The Markup late last year revealed that many telehealth providers were using the code snippets and were not being transparent about the possible disclosures. The studies by The Markup and various media reports indicate the problem is rife: these disclosures are commonly occurring, largely unknown to the users of health-related websites and health apps, and the personal health data collected is often sold to and by data brokers at scale.
OCR’s guidance for HIPAA-regulated entities can be seen as a warning, and the use of tracking technologies on the websites and applications of HIPAA-regulated entities could be the subject of a future HIPAA enforcement initiative. The FTC, for its part, has signaled its intent to actively enforce the FTC Act and its Health Breach Notification Rule with respect to disclosures of personal health data.
Last week, three Democratic Senators – Amy Klobuchar (D-MN), Elizabeth Warren (D-MA), and Mazie Hirono (D-HI) – introduced legislation that takes privacy protection a step further. The proposed legislation, the Upholding Protections for Health and Online Location Data (‘UPHOLD’) Privacy Act, seeks to stamp out the practice entirely by prohibiting any company from collecting personally identifiable health data, from any source, and using that information for commercial advertising.
“For too long companies have profited off of Americans’ online data while consumers have been left in the dark, which is especially concerning in light of reports that some social media companies collect data related to reproductive health care,” said Senator Klobuchar. “By stopping the use of personal health information for commercial advertising and banning the sale of location data, this legislation will put new protections in place to safeguard Americans’ privacy while giving consumers greater say over how their sensitive health data is shared online.”
The UPHOLD Privacy Act also seeks to impose data minimization and disclosure restrictions on companies’ use of personal health data without consent, and would ban the sale of precise location data to and by data brokers. The latter is a response to the Supreme Court’s overturning of Roe v. Wade, which removed the federal right to abortion. There are fears that location data could be collected and provided to law enforcement, allowing women who visit reproductive healthcare facilities to be prosecuted.
“Since the reversal of Roe, data brokers and tech firms have continued to profit from the private health and location data of millions of Americans, including those seeking reproductive health care services,” said Senator Warren. “The UPHOLD Privacy Act would protect consumers’ sensitive data and their right to privacy.”