
HHS, FTC Publish Warning Letters Sent to Healthcare Entities Over Third-Party Tracking Tech

HHS and the FTC sent warning letters about the security and privacy risks of third-party tracking tech to 130 hospital systems and telehealth providers in July.


By Jill McKeon

In a document that spans hundreds of pages, HHS and the Federal Trade Commission (FTC) published letters sent to 130 healthcare organizations regarding the security and privacy risks of third-party tracking technology, identifying every recipient by name.

As previously reported, third-party tracking tech misuse has become a widespread issue in healthcare, resulting in multiple data breaches over the past year. A study published in Health Affairs in April 2023 found third-party tracking technologies on nearly all United States nonfederal acute care hospital websites.

In the wake of multiple high-profile breaches and lawsuits, the HHS Office for Civil Rights (OCR) issued a bulletin on the proper use of tracking tech to maintain HIPAA compliance in December 2022.  

As these issues continued to ramp up, in July 2023, OCR and the FTC announced that they had sent a joint letter to 130 hospitals and telehealth providers to emphasize the risks of third-party tracking tech. The agencies published the text of the letter at that time but did not identify the 130 recipients.

This latest announcement shed light on the exact entities that received this letter from HHS and the FTC. The recipients ranged from health systems such as Advocate Aurora Health, which had previously disclosed a third-party tracking tech-related breach, to lesser-known telehealth companies like Alfie and Oar.

“Impermissible disclosures of an individual’s personal health information to third parties may result in a wide range of harms to an individual or others. Such disclosures can reveal sensitive information including health conditions, diagnoses, medications, medical treatments, frequency of visits to health care professionals, where an individual seeks medical treatment, and more,” the letters stated.

“In addition, impermissible disclosures of personal health information may result in identity theft, financial loss, discrimination, stigma, mental anguish, or other serious negative consequences to the reputation, health, or physical safety of the individual or to others.”

Each of the letters provided the recipients with short descriptions of their obligations under either HIPAA or the FTC Act and FTC Health Breach Notification Rules. The release of this information once again shows that OCR and the FTC will continue to prioritize curbing the negative impacts of third-party tracking tech on healthcare and guiding entities toward compliance.

“OCR and the FTC remain committed to ensuring that consumers’ health privacy remains protected with respect to this critical issue,” the letters continued.

“Both agencies are closely watching developments in this area. To the extent you are using the tracking technologies described in this letter on your website or app, we strongly encourage you to review the laws cited in this letter and take actions to protect the privacy and security of individuals’ health information.”