The Federal Trade Commission and the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services are warning hospitals and telehealth providers about the privacy and security risks associated with the use of online tracking technologies integrated into their websites or mobile applications that may impermissibly disclose consumers’ sensitive personal health data to third parties.
“When consumers visit a hospital website or search for telehealth services, they should not have to worry that their most private and sensitive health information will be disclosed to advertisers and other anonymous and hidden third parties,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC once again reiterates that companies should exercise extreme caution when using online tracking technologies and that we will continue to do everything in our power to protect consumers’ health information from potential misuse and exploitation.”
“While online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital website,” said Melanie Fontes Rainer, director of the OCR. “OCR continues to be concerned about unlawful disclosures of health information to third parties and will use all of its resources to address this issue.”
The two agencies sent the joint letter to approximately 130 hospital systems and telehealth providers to alert them to risks and concerns related to the use of technologies, such as the Meta/Facebook pixel and Google Analytics, which can track a user’s online activities. These tracking technologies collect identifiable information about users, usually without their knowledge and in ways that are difficult to avoid, when users interact with a website or mobile application.
In their letter, both agencies reiterated the risks posed by unauthorized disclosure of an individual’s personal health information to third parties. For example, disclosing this information could reveal sensitive details, including health conditions, diagnoses, medications, medical treatments, frequency of visits to health care professionals, and where an individual seeks medical treatment.
HHS highlighted these concerns in a bulletin published at the end of last year, which reminded entities covered by the Health Insurance Portability and Accountability Act (HIPAA) of their responsibilities to protect health information from unauthorized disclosure under the law.
Businesses not covered by HIPAA still have a responsibility to protect against unauthorized disclosure of personal health information, even when a third party developed their website or mobile application. Through its recent enforcement actions against BetterHelp, GoodRx and Premom, as well as recent guidance from the FTC’s Office of Technology, the FTC has warned companies that they should monitor the flow of health information to third parties that use tracking technologies embedded in websites and apps. Unauthorized disclosure of this information may violate the FTC Act and could constitute a security breach under the FTC’s Health Breach Notification Rule.
The FTC’s lead staff on this matter are Ryan Mehm of the FTC’s Bureau of Consumer Protection and Erika Wodinsky of the FTC’s San Francisco Regional Office.