OCR, FTC warn about web tracking tools
The HHS Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) are getting serious about making sure health systems stay on the right side of HIPAA and other privacy rules when they deploy website tracking technology.
Following a bulletin that outlined permissible and impermissible uses of tracking technologies such as the Meta Pixel and Google Analytics, the two agencies have sent a sternly worded joint letter to approximately 130 health systems and telehealth providers, warning them to follow the law when adding such technologies to their websites and apps.
“Recent research, news reports, FTC enforcement actions, and an OCR bulletin have highlighted risks and concerns about the use of technologies, such as the Meta/Facebook pixel and Google Analytics, that can track a user’s online activities,” the letter says. “These tracking technologies gather identifiable information about users as they interact with a website or mobile app, often in ways which are not avoidable by and largely unknown to users.”
Improper data use means big trouble for HIPAA-covered entities
“Impermissible disclosures of an individual’s personal health information to third parties may result in a wide range of harms to an individual or others…[including] identity theft, financial loss, discrimination, stigma, mental anguish, or other serious negative consequences to the reputation, health, or physical safety of the individual or to others,” the letter stated.
“If you are a covered entity or business associate (‘regulated entities’) under HIPAA, you must comply with the HIPAA Privacy, Security, and Breach Notification Rules (HIPAA Rules), with regard to protected health information (PHI) that is transmitted or maintained in electronic or any other form or medium.”
Approximately 98% of hospital websites use these technologies in one form or another, and some health systems have already landed in legal trouble over them. Tracking tools can capture a range of data elements: the pages a user visits and the order in which they visit them, the links and buttons they click, and the information they submit through forms. Because these elements are typically sent alongside an identifier such as an IP address or a cookie, even a visit to a page about a particular condition, treatment or clinic can reveal health information about an identifiable person.
Website users have already begun filing a wave of class-action lawsuits against health systems, whether or not those systems actually violated anyone's privacy, exposing the organizations to legal fees and reputational damage.
HIPAA isn’t the only privacy law in play
The OCR and FTC letter went on to point out that entities not covered by HIPAA still have an obligation to protect against the improper use or disclosure of health information under the FTC Act and the FTC Health Breach Notification Rule. That obligation holds even if the entity contracted with a third party to develop its website or app, and even if the information is not being actively used for tracking or marketing purposes.
“It is essential to monitor data flows of health information to third parties via technologies you have integrated into your website or app,” OCR and FTC stressed. “The disclosure of such information without a consumer’s authorization can, in some circumstances, violate the FTC Act as well as constitute a breach of security under the FTC’s Health Breach Notification Rule.”
The FTC has released guidance documents explaining the technical rationale behind its recent enforcement actions and has developed an interactive tool for mobile app developers to help them navigate the complex landscape of data privacy requirements.
“OCR and the FTC remain committed to ensuring that consumers’ health privacy remains protected with respect to this critical issue. Both agencies are closely watching developments in this area,” the letter concludes. “To the extent you are using the tracking technologies described in this letter on your website or app, we strongly encourage you to review the laws cited in this letter and take actions to protect the privacy and security of individuals’ health information.”
Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry. Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system.