HHS, FTC Warn Hospitals and Telehealth Providers About Third-Party Tracking Tech

HHS and the FTC sent a joint letter to 130 hospital systems and telehealth providers to bring attention to the privacy and security risks of online tracking technologies.

By Jill McKeon

The HHS Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) sent a joint letter to 130 hospitals and telehealth providers to emphasize the security and privacy risks of third-party tracking technologies.

As previously reported, numerous healthcare data breaches have resulted from third-party tracking tech being present on hospital websites and inadvertently transmitting sensitive data back to tech companies such as Facebook and Google. A study published in Health Affairs observed third-party tracking tech on 98.6 percent of all US nonfederal acute care hospital websites.

OCR previously issued a bulletin about the proper uses of tracking tech under HIPAA, and the FTC has settled high-profile cases with GoodRx and BetterHelp over their uses of this tech.

The joint letter ensures that if hospitals and telehealth companies had not received the message before, they will now.

“Impermissible disclosures of an individual’s personal health information to third parties may result in a wide range of harms to an individual or others. Such disclosures can reveal sensitive information including health conditions, diagnoses, medications, medical treatments, frequency of visits to health care professionals, where an individual seeks medical treatment, and more,” the letter stated.

“In addition, impermissible disclosures of personal health information may result in identity theft, financial loss, discrimination, stigma, mental anguish, or other serious negative consequences to the reputation, health, or physical safety of the individual or to others.”

The agencies reminded HIPAA-covered entities of their duty to comply with the HIPAA Privacy, Security, and Breach Notification Rules and encouraged covered entities to consult OCR’s bulletin to navigate compliance in this space.

“Even if you are not covered by HIPAA, you still have an obligation to protect against impermissible disclosures of personal health information under the FTC Act and the FTC Health Breach Notification Rule,” the letter also stated.

“This is true even if you relied upon a third party to develop your website or mobile app and even if you do not use the information obtained through use of a tracking technology for any marketing purposes.”

OCR and the FTC made it clear that both agencies would take action to mitigate risk with respect to third-party tracking tech, and they strongly encouraged entities to take steps to further protect health information.

“Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital’s website,” said Melanie Fontes Rainer, OCR Director. “OCR continues to be concerned about impermissible disclosures of health information to third parties and will use all of its resources to address this issue.”