On July 20, 2023, the US Department of Health and Human Services, Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) issued a joint letter warning hospitals and other organizations providing telehealth services of the privacy and security risks related to the use of tracking technologies.
Pixels and other online tracking technologies can be embedded into websites, patient portals, or mobile apps to gather information on a user’s experience and interaction with the site, portal, or app. As part of that process, information may be transmitted to the tracking technology vendor, such as Google or Meta, which may use the information for its own purposes or those of its other customers, such as serving interest-based advertising to the affected consumer.
The recent OCR/FTC letter, sent to approximately 130 health systems and telehealth providers, builds on the bulletin that OCR issued in December 2022, which highlighted the HIPAA obligations of covered entities and business associates when using online tracking technologies. In both the bulletin and the letter, OCR emphasizes that HIPAA-regulated entities are not permitted to use tracking technologies in a manner that results in impermissible disclosures of protected health information (PHI) to tracking technology vendors.
For entities that are not regulated by HIPAA, the FTC explains that disclosing health information to third parties via tracking technologies may violate the FTC Act or constitute a breach of security under the FTC’s Health Breach Notification Rule. The FTC’s Office of Technology published a blog post in March 2023 describing some of its enforcement actions involving tracking pixels and the FTC’s concerns about protecting the confidentiality of consumer data.
Healthcare providers, health platforms, and other healthcare vendors should carefully analyze their use of tracking technologies on websites, portals, and mobile apps. Organizations should have a clear sense as to whether any data is transferred to the tracking technology vendor and, if so, what types of data. If identifiable patient or consumer data is being transferred, the organization should ensure that it has proper consumer disclosures and patient authorizations in place to permit the disclosure of that information.
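A defender-side check of the kind this recommendation calls for, added here as an example and not part of the original letter or post: it parses one page of HTML, flags script, image or iframe loads from known tracking hosts (Google Tag Manager, Google Analytics, Meta Pixel) and inline tag snippets, and records the page title, which such tags normally transmit with each page view. The tracker host list and the sample portal page are constructed assumptions, not an exhaustive vendor inventory.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a starter list of tracker hosts and inline call markers, not an exhaustive inventory.
TRACKER_HOSTS = {
    "www.googletagmanager.com": "Google Tag Manager",
    "www.google-analytics.com": "Google Analytics",
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel image beacon",
}
INLINE_MARKERS = {"fbq(": "Meta Pixel", "gtag(": "Google Analytics (gtag)"}

class TrackerAuditor(HTMLParser):
    """Walks one HTML document and records loads of known tracking vendors."""
    def __init__(self):
        super().__init__()
        self.title = ""
        self.findings = []  # (vendor, evidence) pairs
        self._in = None     # "script" or "title" while inside that element
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "title"):
            self._in = tag
        src = dict(attrs).get("src") if tag in ("script", "img", "iframe") else None
        host = urlparse(src).hostname if src else None  # None: relative, first-party URL
        if host in TRACKER_HOSTS:
            self.findings.append((TRACKER_HOSTS[host], f"{tag} src={src}"))
    def handle_endtag(self, tag):
        self._in = None
    def handle_data(self, data):
        if self._in == "title":
            self.title += data.strip()
        elif self._in == "script":
            for marker, vendor in INLINE_MARKERS.items():
                if marker in data:
                    self.findings.append((vendor, f"inline script calls {marker}"))

def audit_page(html):
    """Return (page title, tracker findings); listed vendors normally receive URL and title per page view."""
    p = TrackerAuditor()
    p.feed(html)
    return p.title, p.findings

# Constructed sample: patient-portal page with a GA4 tag, a Meta Pixel snippet
# and a first-party script (which must not be flagged).
SAMPLE_PORTAL_PAGE = """<html><head><title>Appointment: Oncology</title>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);}
gtag('config', 'G-EXAMPLE');</script>
<script>fbq('init', '000000000000000'); fbq('track', 'PageView');</script>
<script src="/static/portal.js"></script></head><body><h1>Your visit</h1></body></html>"""
```

Run the audit over every route of a portal or telehealth site (especially authenticated ones) and treat any finding on a page whose URL or title carries appointment, condition or provider details as a disclosure to review against patient authorizations.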