Global Edition
Compliance & Legal

FTC, OCR send warning letter to hospitals about online tracking pixels

The agencies contacted 130 health systems and telehealth providers by mail to emphasize the potential HIPAA risks of using Meta/Facebook pixel and Google Analytics tracking tools that may be "impermissibly disclosing" protected health information.
By Andrea Fox
July 21, 2023
10:25 AM

Photo: Andrea Piacquadio from Pexels

The Federal Trade Commission joined the U.S. Health and Human Services Office for Civil Rights this week in reminding healthcare organizations about their responsibilities for third-party disclosures of protected health information under HIPAA, the FTC Act and the FTC Health Breach Notification Rule.

WHY IT MATTERS 

While OCR has addressed the privacy and security risks related to healthcare organizations that knowingly or unknowingly use third-party tracking tools that can analyze, gather and share sensitive medical data with advertising partners under HIPAA, the FTC is also using its authority to protect consumers’ health information from "potential misuse and exploitation." 

"These tracking technologies gather identifiable information about users, usually without their knowledge and in ways that are hard for users to avoid, as users interact with a website or mobile app," the agencies said in their announcement about the joint letter, posted on the HHS website, on Thursday.

They go on to describe how integrated tools on hospital and telemedicine websites can not only send PHI information directly back, but third parties like Google and Meta/Facebook may continue to track and gather information about patients even after they navigate away.

Several lawsuits allege that online tracking companies share PHI with their advertising partners, which target the patient with ads and other content. The class action lawsuits may also seek that any profit that hospitals may have made from selling the data be paid to patient victims, damages which some Louisiana hospitals may be facing

The letter reiterates that HIPAA Rules apply when the information that a regulated entity collects through tracking technologies or discloses to third parties (e.g., tracking technology vendors) includes PHI. 

In December 2022, OCR released a bulletin about the use of online tracking technologies by HIPAA-regulated entities and provides a general overview of how the HIPAA Rules apply.

The FTC adds a warning about consumer protection laws. 

"Even if you are not covered by HIPAA, you still have an obligation to protect against impermissible disclosures of personal health information under the FTC Act and the FTC Health Breach Notification Rule."

"This is true even if you relied upon a third party to develop your website or mobile app and even if you do not use the information obtained through use of a tracking technology for any marketing purposes." 

THE LARGER TREND

When OCR issued guidance on the use of online tracking tools, it reminded regulated entities of their obligations to comply with HIPAA's Privacy, Security and Breach Notification Rules and explained what steps healthcare organizations and others must take to protect PHI on user-authenticated and other applicable webpages and forms.

"In these circumstances, regulated entities must ensure that the disclosures made to such vendors are permitted by the privacy rule and enter into a business associate agreement with these tracking technology vendors to ensure that PHI is protected in accordance with the HIPAA Rules," OCR said in the bulletin.

OCR said it continues to be concerned about disclosures of health information to third parties.

"Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital’s website," Melanie Fontes Rainer, OCR's director, said in a statement about the joint letter with the FTC. 

ON THE RECORD

"When consumers visit a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties," said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a statement. 

"The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue doing everything in our powers to protect consumers’ health information from potential misuse and exploitation."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.

Topics: 
Compliance & Legal, Government & Policy, Mobile, Patient Engagement, Privacy & Security

More regional news

UnitedHealth Group Optum building

Optum Virtual Care said to be closing down

By
Andrea Fox
April 26, 2024
Dr. Yinka Oyelese of Beth Israel Deaconess Medical Center on ultrasound AI

AI can make maternal ultrasonography more accessible, accurate and efficient

By
Bill Siwicki
April 26, 2024
John Halamka, president, Mayo Clinic Platform, and Arcadia president and CEO Michael Meucci with Kate Milliken

Prepare for success before deploying healthcare AI

April 26, 2024
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Dr. Yinka Oyelese of Beth Israel Deaconess Medical Center on ultrasound AI
AI & ML Intelligence
AI can make maternal ultrasonography more accessible, accurate and efficient

Most Read

HIMSS24 Europe: Interoperability takes centre stage in Rome
Virtus Health enhancing IVF patient experience with AI
HSCC publishes 5-year healthcare cybersecurity strategic plan
Healthcare is the big victim of Blackcat's cyber counteroffensive
A sense of urgency at the Healthcare Cybersecurity Forum
At HIMSS24, perspective on safeguarding ePHI and restricting unauthorized access

Research

White Papers

More Whitepapers

Compliance & Legal
Artificial Intelligence
Analytics

Webinars

More Webinars

Artificial Intelligence
Analytics
Analytics

Video

Adam McMullin at AvaSure_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
Patient safety gets a boost from AI-powered virtual care
Sponsored by
John Halamka, president, Mayo Clinic Platform, and Arcadia president and CEO Michael Meucci with Kate Milliken
AI should augment, not replace, clinicians’ expertise
Jonathan Bush at Zus Health_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
Independent patient data platform helps advance interoperability
Rachelle Landry at BD Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
How to help clinicians understand the value of digital health

More Stories

A radiologist examining X-ray images
National University Hospital launching AI-driven...
Heidi Wold at Longevity Health Plan_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
Patients benefit from post-acute care
Wes Cronkite of TruBridge on AI
Highlighting rural voices is imperative for equitable, bias-free healthcare AI
Dr. Bill Frist and Larry Ellison
Oracle launches Autonomous Shield initiative, with eye on cloud cybersecurity
Clinicians consult a tablet
Patch management advice for fixing IoT vulnerabilities
Dr. Jesse M. Ehrenfeld, AMA president_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
AMA leader: Physicians must be the lodestar for IT innovation
Christine Antorini
Recognizing nursing as a calling: A key step toward enhancing workforce sustainability
One of Mercy Health's hospitals in Victoria
Role-based messaging's growing popularity in...