Regulatory enforcement and large-scale litigation relating to the use of third-party trackers on companies’ websites and applications have been on the rise. Tracking often occurs without the companies’ knowledge or consent. Third-party tracking on hospital and provider websites has specifically garnered notable media attention. Recently, there has been significant activity by the Federal Trade Commission (“FTC”) under the Health Breach Notification Rule for unauthorized sharing of personal information. The FTC has begun to penalize such violations and impose steep corrective actions, including restrictions with long-lasting impact.
A 2021 study of the largest for-profit, nonprofit and governmental hospitals in the United States found that all hospitals used advertisement trackers, and 90% of the hospitals used third-party cookies. In many instances, these third-party trackers and cookies accessed and collected hospital user data. More concerning, such user data may include the user’s personal contact information, provider and insurance information, and diagnoses.
These third-party trackers, deployed and used predominantly by technology companies or social media companies, pose a significant challenge for health care companies, and compliance issues associated with third-party tracking are only just beginning. Notably, HHS’ Office of Civil Rights (“OCR”) recently released guidance on the use of such trackers by HIPAA-regulated entities, like hospitals and health plans. A summary of OCR’s guidance may be found in our prior blog post, “OCR Releases Guidance on Use of Tracking Technologies,” here. Furthermore, the rise of social media has brought increased OCR scrutiny of providers’ and other covered entities’ online activities and communications on social media and other public platforms.