FTC and OCR jointly warn 130 healthcare providers about the potential risks of using online tracking pixels like Meta/Facebook and Google Analytics. They emphasize compliance with HIPAA and consumer protection laws to protect patients' sensitive health information from unauthorized disclosures to third parties. The focus is on safeguarding privacy and ensuring caution in using tracking technologies.
The Federal Trade Commission (FTC) and the U.S. Health and Human Services Office for Civil Rights (OCR) have taken action to address potential risks related to the use of online tracking pixels in the healthcare industry. They have jointly sent warning letters to 130 health systems and telehealth providers, stressing the importance of complying with the Health Insurance Portability and Accountability Act (HIPAA), the FTC Act, and the FTC Health Breach Notification Rule.
The primary concern is the use of tracking tools like the Meta/Facebook pixel and Google Analytics, which may inadvertently expose protected health information (PHI) without proper authorization. The agencies have emphasized that healthcare organizations are responsible for third-party disclosures of PHI, and this includes the data gathered and shared by these tracking technologies.
The nature of these tracking tools raises concerns about user privacy. Such technologies often gather identifiable information about users without their knowledge and make it challenging for users to avoid being tracked as they interact with websites or mobile apps.
Moreover, tools integrated into hospital and telemedicine websites could send PHI directly to third parties like Google and Meta/Facebook, allowing these companies to continue tracking and gathering patient information even after patients leave the site.
There have been lawsuits alleging that online tracking companies share PHI with advertising partners, leading to targeted ads and content for patients. In some cases, the affected patients may seek damages and a portion of the profits made from selling their data, potentially impacting Louisiana hospitals.
The joint letter reiterates that HIPAA Rules apply to regulated entities when they collect or disclose PHI through tracking technologies. The OCR previously released a bulletin in December 2022 guiding the use of online tracking technologies by HIPAA-regulated entities.
The FTC also reminds organizations that consumer protection laws come into play, even if they are not covered by HIPAA. All entities must protect against impermissible disclosures of personal health information under the FTC Act and the FTC Health Breach Notification Rule.
The focus of these actions is to safeguard consumers’ health information and privacy. Hospital websites and telehealth services should prioritize protecting patients’ most private and sensitive health data from being disclosed to advertisers and other third parties without proper consent. The FTC vows to continue its efforts to protect consumers’ health information and ensure that companies exercise caution when using online tracking technologies.