In July 2023, the Federal Trade Commission (FTC) and the U.S. Department of Health and Human Services Office for Civil Rights (OCR) sent a joint letter to approximately 130 hospital systems and telehealth providers raising concerns about privacy and security risks associated with certain online tracking technologies.
The FTC and OCR’s letter focuses on the use of tracking pixels and other online tracking technologies offered by companies such as Meta and Google that can track a user’s online activities. The letter warns that the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules apply when the information that a regulated entity (i.e., a covered entity or business associate) collects through tracking technologies or discloses to third parties, such as tracking technology vendors, includes protected health information (PHI). It also cautions that the disclosure of a consumer’s health information obtained using online tracking technologies without the consumer’s authorization can, in some circumstances, violate the FTC Act and constitute a breach of security under the FTC’s Health Breach Notification Rule.
The letter is the latest indicator that the use of online tracking technologies by healthcare industry participants is an enforcement priority of the FTC and OCR. It comes on the heels of recent FTC enforcement actions against BetterHelp, GoodRx, and Premom related to the disclosure of user health data gathered by online tracking technologies to third parties for targeted advertising. In these cases, the FTC has alleged that it is a violation of Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce,” when a company makes unauthorized disclosures of users’ personal health information to advertisers or other third parties despite representing to its users that it would not make such disclosures. The FTC has also alleged that a company’s failure to notify its users of unauthorized disclosures of the users’ identifiable health information to third-party advertising companies and platforms constitutes a violation of the FTC’s Health Breach Notification Rule.
The letter also follows a December 2022 OCR bulletin cautioning entities covered by HIPAA about the risks of impermissible disclosures of PHI associated with the use of online tracking technologies. The use of online tracking technology by healthcare entities has also attracted media attention. The Markup, a nonprofit tech-focused newsroom, has published reports examining the use of a tracking tool called the Meta Pixel on hospital websites and telehealth platforms.
Given the increasing scrutiny of online tracking technologies, healthcare entities should evaluate if and how they are using these tools. This evaluation should begin with an inventory: which websites and mobile applications carry tracking technologies, which of those properties access PHI or user health data (for example, patient portals and appointment scheduling pages), and what each tag actually transmits to its vendor, since a tag typically sends at least the page URL and a user identifier, and on some pages may capture form inputs or search terms. Healthcare entities that have implemented online tracking technologies should then assess whether the disclosure of any information gathered through these technologies to third parties, such as the vendors of the technology, is compliant with HIPAA, the FTC Act, and the FTC’s Health Breach Notification Rule. Further, healthcare entities should implement compliance procedures, including review of new tags before deployment, to ensure that any future use of online tracking technologies complies with applicable law.
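The first step of that evaluation, finding out which pages carry which tags, can be automated against saved page HTML. The script below is an added example for this page, not code from the FTC, OCR or any tracking vendor. It parses a page, flags script loaders, image beacons and inline tag calls associated with the Meta Pixel and Google tags named above, and pairs the result with whether the page sits on a path presumed to involve PHI. The hostname list, the inline call names, the sample HTML and the PHI path prefixes are assumptions constructed for the example.

```python
"""Inventory third-party tracking tags in a page's HTML (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hostnames of the tracking tags this example looks for.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel (fbevents.js loader)",
    "www.facebook.com": "Meta Pixel (image beacon)",
    "www.googletagmanager.com": "Google Tag Manager / gtag.js",
    "www.google-analytics.com": "Google Analytics",
}
# Inline JavaScript calls that indicate a tag is initialised or fired.
INLINE_CALLS = {"fbq(": "Meta Pixel (fbq call)", "gtag(": "Google gtag call"}
URL_RE = re.compile(r"(?:https?:)?//([a-z0-9.-]+\.[a-z]{2,})", re.I)


class TrackerFinder(HTMLParser):
    """Collects (location, tracker, evidence) triples while parsing."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script, self._script = True, []
        # External loaders, pixel images and tracking iframes all arrive via src.
        if tag in ("script", "img", "iframe") and attrs.get("src"):
            self._check_host(f"<{tag} src>", attrs["src"])

    def handle_endtag(self, tag):
        if tag != "script":
            return
        self._in_script = False
        body = "".join(self._script)
        # Loader snippets usually embed the vendor URL inside inline JavaScript.
        for m in URL_RE.finditer(body):
            self._check_host("inline script URL", m.group(0))
        for call, name in INLINE_CALLS.items():
            if call in body:
                self.findings.append(("inline script", name, call))

    def handle_data(self, data):
        if self._in_script:
            self._script.append(data)

    def _check_host(self, where, url):
        host = urlparse(url).netloc.lower()  # also handles protocol-relative //host/...
        if host in TRACKER_HOSTS:
            self.findings.append((where, TRACKER_HOSTS[host], url))


def find_trackers(html):
    parser = TrackerFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def assess(url, html, phi_path_prefixes=("/patient-portal", "/appointments", "/mychart")):
    """Pair the tag inventory with whether the page sits in a PHI context.
    phi_path_prefixes is an assumed, site-specific heuristic; replace it with
    your own list of authenticated or patient-facing paths."""
    trackers = find_trackers(html)
    phi_context = urlparse(url).path.lower().startswith(tuple(phi_path_prefixes))
    return {
        "url": url,
        "trackers": sorted({t[1] for t in trackers}),
        "phi_context": phi_context,
        "needs_review": bool(trackers),  # any third-party tag warrants a HIPAA/FTC review
        "high_priority": bool(trackers) and phi_context,
    }


# Constructed sample page: a gtag.js loader, a Meta Pixel loader with its
# noscript image fallback, and placeholder IDs. Not captured from any real site.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'G-XXXXXXX');
</script>
<script>
  !function(f,b,e,v,n,t,s){/* loader body elided */}(window,document,'script',
    'https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', '000000000000000');
  fbq('track', 'PageView');
</script>
</head><body>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1"/></noscript>
<h1>Schedule an appointment</h1>
</body></html>
"""

if __name__ == "__main__":
    report = assess("https://hospital.example/patient-portal/appointments", SAMPLE_HTML)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it over crawled or saved HTML for each property in scope; pages that report high_priority are the ones where the disclosure analysis above applies most directly. Static parsing will miss tags injected at runtime by a tag manager, so pair this with a browser-side capture of outbound requests on the same pages.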