OCR and FTC Publish Tracking Technology Warning Letters Sent to Hospitals and Telehealth Providers
In July 2023, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) jointly sent letters to 130 hospitals and telehealth companies warning them about the risks of using tracking technologies on websites and applications. The letters have now been published and those 130 companies have been identified by name.
Tracking tools such as Meta Pixel and Google Analytics are used to collect visitor data that is used to improve websites and web apps; however, the data collected is also transmitted to the providers of the tracking tools. The data collected by Meta Pixel, for example, is used to serve targeted ads to individuals. When these tools are added to the websites and apps of healthcare providers and telehealth companies, personally identifiable information (PII) and protected health information (PHI) may be impermissibly disclosed to third parties. In 2022, several reports were published highlighting the extent to which these tools were used on the websites of hospitals and telehealth providers. One study, published in Health Affairs, found that virtually all non-federal acute care hospitals had these tracking tools on their websites.
In December 2022, OCR issued guidance to HIPAA-covered entities on the use of these tools. In the guidance, OCR explained that these tools could only be used if there was a valid, HIPAA-compliant business associate agreement or if authorizations were received from individuals consenting to the collection and disclosure of the data. The FTC also investigated the use of these tools by entities not covered by HIPAA and imposed fines for violations of the FTC Act and the Health Breach Notification Rule.
The letters explain that tracking tools have the potential to disclose sensitive identifiable health information to third parties and outline the obligations of companies under HIPAA, the FTC Act, and the Health Breach Notification Rule. The letters advise the recipients to check their websites and applications and make sure that they are fully compliant. The letters explain that both OCR and the FTC are closely watching developments in this area and are committed to ensuring that consumers' health privacy remains protected.
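As an added example (not from the article or from OCR/FTC), the following Python script performs the kind of inventory the letters ask recipients to carry out: it parses a page's HTML and flags script, image and iframe sources that load from hosts associated with Meta Pixel and Google Analytics/Tag Manager. The host table and the sample page are constructed for illustration and are assumptions, not an official list.

```python
# Added audit example: inventory third-party tracking references in a page.
# Host list is an assumption for illustration, not an official list.
from html.parser import HTMLParser
from urllib.parse import urlparse

TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Tag Manager",
}

class TrackerAuditor(HTMLParser):
    """Records script/img/iframe sources whose host is a known tracker."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "img", "iframe"):
            return
        src = dict(attrs).get("src")
        if not src:
            return
        provider = TRACKER_HOSTS.get(urlparse(src).netloc.lower())
        if provider:
            self.findings.append((tag, src, provider))

def audit_html(html):
    """Return [(tag, src, provider), ...] for tracker references in html."""
    auditor = TrackerAuditor()
    auditor.feed(html)
    return auditor.findings

# Constructed sample: a patient-facing page loading Meta Pixel and GTM.
SAMPLE_PAGE = """<html><head>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
</head><body>
<img src="https://www.facebook.com/tr?id=0000000&amp;ev=PageView" height="1" width="1">
<h1>Schedule an appointment</h1>
</body></html>"""

if __name__ == "__main__":
    for tag, src, provider in audit_html(SAMPLE_PAGE):
        print(f"{provider:18} <{tag}> {src}")
```

Run it against saved copies of patient-facing pages (portal, appointment booking, symptom checker) and compare the output with the business associate agreements and authorizations on file.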
The letters were sent to a wide range of healthcare organizations, including health systems, hospitals, and telehealth companies such as Advocate Aurora Health, Ascension, Johns Hopkins Hospital, MedStar Health, Alfie, Oar, Keeps, and Hone Health.