On July 20th, 2023, the Federal Trade Commission (FTC) and the U.S. Department of Health and Human Services (HHS) announced that they had issued a joint letter to approximately 130 hospitals and telehealth providers warning them about privacy law and security risks associated with the integration of online tracking technologies into their websites or mobile applications. According to the agencies, these technologies may be inadvertently disclosing consumers' sensitive personal health data to third parties.
Online Tracking and Potential HIPAA Privacy Law Issues
The purpose of the letter was to warn its recipients about the security and privacy risks associated with using technologies on their websites capable of tracking users’ online activities, such as the Meta/Facebook pixel and Google Analytics.
In addition to their tracking features, these technologies also gather personally identifiable information about website visitors, which could lead to impermissible disclosures of personal health information (PHI) to third parties, including health conditions, diagnoses, medications, medical treatments, frequency of visits to health care professionals, and where an individual seeks medical treatment.
Such disclosures may potentially trigger the Privacy, Security, and Breach Notification Rules under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to third parties or any other violations of the HIPAA Rules.
Companies not covered by HIPAA may still have a responsibility to protect against the unauthorized disclosure of personal health information under the FTC Act and the FTC Health Breach Notification Rule, which requires vendors of personal health records to notify consumers following a breach involving unsecured information.
Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, outlined the agency’s concerns in the following statement: "When consumers visit a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties," Levine further stressed the FTC's commitment to protecting consumers' health information from potential misuse and exploitation.
The joint letter underscores regulators’ concerns with online tracking technologies and how they impact consumer privacy. Any company that operates a website that gathers health-related information from consumers (including sites that generate leads for health insurance) should ensure that they do not employ tracking technologies that could lead to inadvertent disclosures of PHI. Protecting such data is both a legal and a moral obligation of all entities, regardless of whether they are covered by HIPAA.