The Office for Civil Rights (OCR) of the Department of Health and Human Services and the Federal Trade Commission (FTC) jointly issued cautionary letters to 130 hospitals and telehealth providers regarding the use of tracking technologies, such as pixels, on their websites and web apps. These technologies risk disclosing sensitive health information to third parties, violating both HIPAA Rules and the FTC Act.
In the US, the majority (98.6%) of nonfederal acute care hospitals have used tracking technologies on their websites, as per a study in Health Affairs. In 2022, The Markup found 33% of top US hospitals used tracking technologies for identifiable health information. Tracking technology led to breaches of protected health information with millions of patient records impermissibly disclosed.
Subsequent research by The Markup uncovered that telehealth companies also widely employed these tracking technologies. Non-HIPAA-bound companies must still protect personal health information from unauthorized disclosure. FTC acted against GoodRx, BetterHelp, and Premom, non-HIPAA entities, for alleged tracking technology violations.
In December 2022, OCR issued guidance to HIPAA-regulated entities concerning the use of tracking technologies. While these tools can be beneficial for enhancing patient services, they can also collect and transmit information protected by HIPAA. These technologies enable user tracking beyond the website or app, risking unauthorized use and disclosure by third parties.
OCR and FTC Caution Hospitals and Telehealth Companies about Risks of Tracking Technologies
When consumers visit a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties. The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue doing everything in our powers to protect consumers’ health information from potential misuse and exploitation.
said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection
Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital’s website, OCR continues to be concerned about impermissible disclosures of health information to third parties and will use all of its resources to address this issue.
aid Melanie Fontes Rainer, OCR Director
The OCR and FTC jointly issued cautionary letters to 130 entities regarding the use of tracking technologies on their websites and mobile apps, which have the potential to disclose sensitive health data. These organizations are suspected of utilizing tracking technologies such as Meta/Facebook’s Pixel and Google Analytics code to collect and analyze user interactions on their digital platforms. It’s important to note that the letters themselves do not imply that any organization has been found in violation of HIPAA or the FTC Act. Similarly, not receiving a letter does not indicate compliance. Entities collecting personal health information should review their websites and web apps for tracking technologies to comply with relevant laws. Report tracking tech-related breaches under HIPAA and FTC Health Breach Notification Rules.
The letters stress that both agencies are closely monitoring developments in this area and urge organizations using the mentioned tracking technologies to familiarize themselves with the laws referenced in the letters. Taking necessary actions to safeguard individuals’ health information’s privacy and security is strongly encouraged by the FTC and OCR.
