OCR and FTC Publish Tracking Technology Warning Letters Sent to Hospitals and Telehealth Providers


In July 2023, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) jointly sent letters to 130 hospitals and telehealth companies warning them about the risks of using tracking technologies on websites and applications. The letters have now been published and those 130 companies have been identified by name.

Tracking tools such as Meta Pixel and Google Analytics collect visitor data that site operators use to improve their websites and web apps; however, the same data is also transmitted to the providers of the tracking tools. The data collected by Meta Pixel, for example, is used to serve targeted ads to individuals. When these tools are added to the websites and apps of healthcare providers and telehealth companies, personally identifiable information (PII) and protected health information (PHI) may be impermissibly disclosed to third parties. In 2022, several reports were published highlighting the extent to which these tools were used on the websites of hospitals and telehealth providers. One study, published in Health Affairs, found that virtually all non-federal acute care hospitals had these tracking tools on their websites.

In December 2022, OCR issued guidance to HIPAA-covered entities on the use of these tools. In the guidance, OCR explained that these tools could only be used if there was a valid, HIPAA-compliant business associate agreement or if authorizations were received from individuals consenting to the collection and disclosure of the data. The FTC also investigated the use of these tools by entities not covered by HIPAA and imposed fines for violations of the FTC Act and the Health Breach Notification Rule.

The letters explain that tracking tools have the potential to disclose sensitive identifiable health information to third parties and outline the obligations of companies under HIPAA, the FTC Act, and the Health Breach Notification Rule. The letters advise the recipients to check their websites and applications and make sure that they are fully compliant. The letters explain that both OCR and the FTC are closely watching developments in this area and are committed to ensuring that consumers’ health privacy remains protected.
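The letters tell recipients to check their websites and applications for these tools. As an added example (not code from the article, OCR, the FTC, or any of the named companies), the script below performs the kind of first-pass static check a privacy or security team might run over a page's HTML: it flags script and image sources pointing at the hosts that serve the Meta Pixel and Google Analytics loaders, and inline bootstrap calls such as `fbq(` and `gtag(`. The host names and call markers are assumptions drawn from the publicly documented loader snippets, and the sample page is constructed for the example.

```python
"""Static scan of an HTML page for common third-party tracking tags.

Added example, not from the article. The tracker host list and inline
markers are assumptions based on the public Meta Pixel and Google Analytics
loader snippets; extend them for the vendors in use at your organisation.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that serve the tracking loaders or receive beacon requests (assumed).
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",           # /tr image beacon in the <noscript> fallback
    "www.googletagmanager.com": "Google Tag Manager / gtag.js",
    "www.google-analytics.com": "Google Analytics",
}

# Function calls that appear in the inline bootstrap snippets (assumed).
INLINE_MARKERS = {
    r"\bfbq\(": "Meta Pixel",
    r"\bgtag\(": "Google Analytics",
    r"\bga\(": "Google Analytics (analytics.js)",
}


class TrackerScanner(HTMLParser):
    """Collects script/img/iframe sources on tracker hosts and inline bootstrap calls."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._script_buf = None  # list while inside <script>, otherwise None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src")
        if tag == "script":
            self._script_buf = []
        # <noscript> children are parsed normally, so the fallback <img> beacon is seen too.
        if tag in ("script", "img", "iframe") and src:
            self._check_url(tag, src)

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data.
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            body = "".join(self._script_buf)
            self._script_buf = None
            for pattern, name in INLINE_MARKERS.items():
                if re.search(pattern, body):
                    self.findings.append(
                        {"where": "inline script", "tracker": name, "evidence": pattern}
                    )

    def _check_url(self, tag, url):
        # urlparse handles absolute and protocol-relative (//host/path) URLs.
        host = urlparse(url.strip()).netloc.lower()
        if host in TRACKER_HOSTS:
            self.findings.append(
                {"where": f"<{tag} src>", "tracker": TRACKER_HOSTS[host], "evidence": url}
            )


def scan_html(html):
    """Return a list of findings for one page of HTML."""
    parser = TrackerScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def trackers_present(html):
    """Sorted, de-duplicated names of the trackers found on the page."""
    return sorted({f["tracker"] for f in scan_html(html)})


# Constructed sample page resembling a patient-facing site with both tools installed.
SAMPLE_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'G-EXAMPLE');
</script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script>
  fbq('init', '000000000000000');
  fbq('track', 'PageView');
</script>
</head><body>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
<h1>Schedule an appointment</h1>
<form action="/appointments"><input name="symptoms"></form>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE):
        print(f"{finding['tracker']:<32} {finding['where']:<14} {finding['evidence']}")
```

A static scan like this only sees tags written into the HTML. Tags injected at runtime by a tag manager, or by a third-party script that loads further scripts, do not appear in the source, so a complete review also needs to inspect the outbound network requests a browser makes while a patient navigates appointment, portal and symptom-checker pages.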

The letters were sent to a wide range of healthcare organizations, including health systems, hospitals, and telehealth companies such as Advocate Aurora Health, Ascension, Johns Hopkins Hospital, MedStar Health, Alfie, Oar, Keeps, and Hone Health.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/