OCR and FTC Issue Letter to Hospital Systems and Telehealth Providers Emphasizing Privacy and Security Risks Related to Online Tracking Technologies

King & Spalding

On July 20, 2023, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) sent a letter to approximately 130 hospital systems and telehealth providers warning that online tracking technologies that may be present on their websites or mobile applications may impermissibly disclose consumers’ sensitive personal health information to third parties in ways that are unavoidable and often unknown to users, and that may violate applicable law.

Online Tracking Technologies

OCR and FTC advise that online tracking technologies, such as the Meta/Facebook pixel and Google Analytics, can track a user’s online activities. The two agencies caution that online tracking technologies may continue to gather identifiable information about users even after the users navigate away from the original website to other websites and that they can gather identifiable information about users without their knowledge and in ways that are difficult for users to avoid.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

The HIPAA Privacy, Security, and Breach Notification Rules apply when a covered entity or business associate regulated under HIPAA collects protected health information (PHI) or discloses it to third parties, such as tracking technology vendors. In the joint letter, the agencies remind entities covered by HIPAA of their responsibilities to protect against unauthorized disclosure of PHI and advise that covered entities and business associates are not permitted to use tracking technologies in a way that would impermissibly disclose PHI to third parties or result in any other violations of the HIPAA rules.

FTC Act and FTC Health Breach Notification Rule

The agencies also advise that for entities not regulated by HIPAA, unauthorized disclosure of personal health information can violate the FTC Act and constitute a breach of security under the FTC’s Health Breach Notification Rule, even when relying on a third party to develop a website or mobile app and even if information obtained through use of a tracking technology is not used for any marketing purposes. The agencies highlight the importance of monitoring data flows of health information to third parties via online technologies that are integrated into entities’ websites and mobile applications.

A copy of the OCR and FTC joint letter is available here. OCR guidance materials on the use of online tracking technologies are available here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
