DHHS OCR and FTC Issue Warning to Hospital Systems and Telehealth Providers Regarding Privacy and Security Risks

Ankura

On July 20, 2023, the Department of Health and Human Services (DHHS), through the Office of Civil Rights (OCR), and the Federal Trade Commission (FTC) issued a joint letter to hospitals and telehealth providers alerting them to the privacy and security risks related to the use of online tracking technologies. The warning focuses in particular on the potential for impermissible disclosure of consumer personal health data to unauthorized third parties. The two agencies discussed the dangers associated with tracking technologies on both websites and application platforms, which may impermissibly share information about user interactions with third-party developers. Furthermore, these technologies may continue to gather information about the consumer even after the individual has navigated beyond the initial website. Such impermissible disclosure of consumer data may implicate, or even heighten the probability of, violations involving personal health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security and Breach Notification Rules, the FTC Act, and the FTC Health Breach Notification Rule.

The agencies particularly reiterated that “such disclosures can reveal sensitive information including health conditions, diagnoses, medications, medical treatments, frequency of visits to healthcare professionals, where an individual seeks medical treatment and more. In addition, impermissible disclosures of personal health information may result in identity theft, financial loss, discrimination, stigma, mental anguish, or other serious negative consequences to the reputation, health, or physical safety of the individual or to others.”

The OCR, as recently as its December 2022 Bulletin, reminded covered entities of their regulatory obligations under HIPAA to protect health data from unauthorized disclosures. Furthermore, telehealth services have catapulted into mainstream business due to the pandemic-triggered necessity for remote care, which has now turned into everyday practice. However, with such broad usage, it is important that these technologies be constantly reviewed and continue to evolve with regard to safety and user risks.

The joint letter issued by OCR and FTC serves as a reminder that entities should review operations to ensure that their policies and procedures are current regarding privacy, security, and breach notifications. Furthermore, similar considerations must also be incorporated in all business associate agreements and in the required public notification and consent forms prior to the release of any information.

1. U.S. Department of Health and Human Services, “Use of Online Tracking Technologies” (July 20, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/FTC-OCR-Letter-Third-Party-Trackers-07-20-2023.pdf.

2. U.S. Department of Health and Human Services, “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” (December 1, 2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html.

Written by:

Ankura