Skip to main content

FTC, HHS, Warn of HIPAA Risks from Online Tracking Tech

Analysis  |  By John Commins  
   July 20, 2023

Letters to providers highlight concerns stemming from use of technologies that may share a user's sensitive health data.

Federal regulators are warning hospitals and telehealth providers about the risks that patients' health data could be "impermissibly disclosed" by online tracking technology wired into providers' websites and mobile apps.

The Federal Trade Commission and the Department of Health and Human Services' Office for Civil Rights cited potential violations of the Health Insurance Portability and Accountability Act (HIPAA) in a joint letter sent this week to 130 hospital systems and telehealth providers.

The watchdogs raised concerns about the privacy risks linked to online tracking platforms such as the Meta/Facebook pixel and Google Analytics that gather user personal data, often without their knowledge and in ways that are hard to avoid when users visit a website or mobile app.

"If you are a covered entity or business associate ("regulated entities") under HIPAA, you must comply with the HIPAA Privacy, Security, and Breach Notification Rules (HIPAA Rules), with regard to protected health information (PHI) that is transmitted or maintained in electronic or any other form or medium," the letter says.

"Even if you are not covered by HIPAA, you still have an obligation to protect against impermissible disclosures of personal health information under the FTC Act and the FTC Health Breach Notification Rule," the letter continues. "This is true even if you relied upon a third party to develop your website or mobile app and even if you do not use the information obtained through use of a tracking technology for any marketing purposes."

HHS highlighted these concerns in a bulletin late last year that reminded HIPAA entities of their responsibilities to protect health data from unauthorized disclosures.

The commission has backed up its warnings to third-party players with recent multimillion-dollar fines and legal actions against BetterHelpGoodRx and Premom.

Samuel Levine, director of the FTC's Bureau of Consumer Protection, says "the FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue doing everything in our powers to protect consumers' health information from potential misuse and exploitation."

“The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies...”

John Commins is a content specialist and online news editor for HealthLeaders, a Simplify Compliance brand.


KEY TAKEAWAYS

The FTC and HHS this week warned of potential HIPAA violations in a joint letter to 130 hospital systems and telehealth providers.

The watchdogs raised concerns about the privacy risks linked to online tracking platforms such as the Meta/Facebook pixel and Google Analytics.

Third parties not covered by HIPAA still have an obligation to protect patient data under the FTC Act and the FTC Health Breach Notification Rule.


Get the latest on healthcare leadership in your inbox.