The Federal Trade Commission joined the US Department of Health and Human Services' Office for Civil Rights (OCR) this week in reminding healthcare organizations of their responsibilities around third-party disclosure of health information protected under HIPAA, the FTC Act and the FTC Health Breach Notification Rule.
Why it matters
While OCR has addressed privacy and security risks related to health care organizations that knowingly or unknowingly use third-party tracking tools that may analyze, collect and share sensitive medical data with advertising partners under HIPAA, the FTC is also exercising its authority to protect consumers’ health information from “potential misuse and exploitation.”
“These tracking technologies collect identifiable information about users, typically without their knowledge and in ways that are difficult for users to avoid, as users interact with a website or mobile app,” the agencies said in their announcement about the joint letter posted on the HHS website on Thursday.
They further explain how tools integrated into hospital and telemedicine websites can not only send PHI directly back to the vendor, but also let third parties such as Google and Meta/Facebook continue to track and collect information about patients even after they leave the site.
Several lawsuits allege that online tracking companies share PHI with their advertising partners, who then target patients with ads and other content. Class-action lawsuits could also demand that hospitals repay affected patients whatever profits were made from selling the data, a cost some hospitals in Louisiana may have to bear.
The letter reiterates that the HIPAA rules apply when a regulated entity collects PHI through tracking technologies or discloses it to third parties (for example, tracking technology vendors).
In December 2022, OCR issued a bulletin on the use of online tracking technologies by HIPAA-regulated entities, which gives a general overview of how the HIPAA rules apply.
The FTC adds a warning about consumer protection laws.
“Even if you are not covered by HIPAA, you still have an obligation to protect against unacceptable disclosure of personal health information under the FTC Act and the FTC Health Breach Notification Rule.”
“This is true even if you rely on a third party to develop your website or mobile app and even if you do not use the information obtained through your use of tracking technology for any marketing purposes.”
The bigger trend
When OCR issued guidance on the use of online tracking tools, it reminded regulated entities of their obligations to comply with HIPAA’s privacy, security, and breach notification rules and explained the steps health care organizations and others should take to protect PHI on user-authenticated and other applicable webpages and forms.
“In these circumstances, regulated entities should ensure that disclosures made to such vendors are permitted by the Privacy Rule and enter into a business associate agreement with these tracking technology vendors to ensure that PHI is protected in accordance with the HIPAA regulations,” OCR said in the bulletin.
OCR said it is concerned about the disclosure of health information to third parties.
“While online tracking technologies can be used for beneficial purposes, patients and others should not sacrifice the privacy of their health information when using a hospital website,” OCR director Melanie Fontes Rainer said in a statement about the joint letter with the FTC.
On the record
“When consumers visit a hospital website or search for telehealth services, they should not worry that their most private and sensitive health information may be disclosed to advertisers and other anonymous, hidden third parties,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement.
“The FTC is again giving notice that companies need to exercise extreme caution when using online tracking technologies and we will continue to do everything in our power to protect consumers’ health information from potential misuse and exploitation.”
Andrea Fox is a senior editor for Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.