Warning letters have been sent by the HHS’ Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) to hospitals and telehealth companies over their use of website and mobile app tracking technologies. Tracking technologies such as Meta Pixel and Google Analytics are used to track and analyze user activity on websites and mobile apps; however, the information they collect is transmitted to the providers of the tracking code, and that information may include personal health information and protected health information (PHI).
OCR is the primary enforcer of the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which has strict rules for HIPAA-regulated entities – healthcare providers, health plans, healthcare clearinghouses, and their business associates – concerning the privacy and security of protected health information (PHI). However, even entities not covered by HIPAA have an obligation to prevent impermissible disclosures of personal health information and must not engage in deceptive business practices, such as collecting and sharing personal health information without informing consumers and obtaining their consent.
“Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital’s website,” said OCR Director, Melanie Fontes Rainer. “OCR continues to be concerned about impermissible disclosures of health information to third parties and will use all of its resources to address this issue.”
While OCR has yet to announce any financial penalties for HIPAA violations related to tracking technologies, it has issued guidance on how HIPAA applies to these technologies and has confirmed that the tools may only be used if individuals consent to the collection and sharing of their data with third parties, or if the providers of the tools enter into a business associate agreement with the covered entity. Fontes Rainer has previously stated that this aspect of patient privacy is an enforcement priority for OCR, and the FTC has already taken action against three non-HIPAA-covered entities over the use of tracking technologies – BetterHelp, GoodRx, and Premom – for alleged violations of the FTC Act and the Health Breach Notification Rule.
“When consumers visit a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue doing everything in our powers to protect consumers’ health information from potential misuse and exploitation.”
OCR and the FTC have confirmed that letters have been sent to 130 hospitals and telehealth companies about their use of tracking technologies. While the letters do not indicate that violations of HIPAA or the FTC Act have occurred, the recipients were chosen based on research into their use of these technologies. The action serves as a warning to all entities that collect personal health information or protected health information: they must protect the privacy of that information and, if they choose to use tracking technologies, must do so in full compliance with all applicable laws.
Not receiving a letter does not mean that an organization is in full compliance with the FTC Act and HIPAA. OCR and the FTC are urging all entities that use these technologies to take steps to protect the privacy and security of individuals’ health information. Failure to comply with the FTC Act, the Health Breach Notification Rule, and the HIPAA Rules with respect to these tracking technologies could easily result in a financial penalty.