The Federal Trade Commission joined the U.S. Department of Health and Human Services' Office for Civil Rights this week in reminding healthcare organizations of their responsibilities with respect to third-party disclosures of protected health information under HIPAA, the FTC Act, and the FTC's Health Breach Notification Rule.
WHY IT MATTERS
While OCR has addressed the privacy and security risks of healthcare organizations knowingly or unknowingly using third-party tracking tools capable of analyzing, collecting, and sharing sensitive medical data with advertising partners under HIPAA, the FTC also uses its authority to protect consumer health information from “potential misuse and exploitation.”
"These tracking technologies collect identifiable information about users, usually without their knowledge and in ways that are difficult for users to avoid, when users interact with a website or mobile application," the agencies said in their announcement of the joint letter, posted on the HHS website on Thursday.
They then describe how tools embedded in hospital and telemedicine websites can not only send PHI directly to third parties, but how those third parties, such as Google and Meta/Facebook, can continue to track and collect patient information even after the user leaves the site.
Several lawsuits allege that online tracking companies share PHI with their advertising partners, who then target the patient with advertisements and other content. Class action lawsuits can also seek to ensure that any profits hospitals may have made from the sale of the data are paid to the affected patients, damages that some Louisiana hospitals may now face.
The letter reiterates that HIPAA rules apply when information a regulated entity collects through tracking technologies or discloses to third parties (e.g., tracking technology providers) includes PHI.
In December 2022, OCR published a bulletin on the use of online tracking technologies by HIPAA-regulated entities, which gives a general overview of how the HIPAA rules apply.
The FTC adds a warning about consumer protection laws.
"Even if you are not covered by HIPAA, you still have an obligation to protect against impermissible disclosures of personal health information under the FTC Act and the FTC's Health Breach Notification Rule."
“This is true even if you have used a third party to develop your website or mobile application and even if you do not use the information obtained through the use of tracking technology for marketing purposes.”
THE LARGER TREND
When OCR published its guidance on the use of online tracking tools, it reminded regulated entities of their obligations to comply with HIPAA's privacy, security, and breach notification rules and explained the steps healthcare and other organizations must take to protect PHI on user-authenticated webpages, forms, and other applicable webpages and forms.
"In these circumstances, regulated entities should ensure that disclosures made to these vendors are permitted by the Privacy Rule and enter into a business associate agreement with these tracking technology vendors to ensure that PHI is protected in accordance with the HIPAA rules," OCR said in the bulletin.
OCR said it continues to be concerned about the disclosure of health information to third parties.
“While online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital’s website,” OCR Director Melanie Fontes Rainer said in a statement regarding the joint letter with the FTC.
"When consumers visit a hospital's website or search for telehealth services, they shouldn't have to worry that their most private and sensitive health information could be leaked to advertisers and other anonymous and hidden third parties," Samuel Levine, director of the FTC's Bureau of Consumer Protection, said in a statement.
“The FTC again warns that companies should exercise extreme caution when using online tracking technologies and that we will continue to do everything in our power to protect consumers’ health information from potential misuse and exploitation.”
Andrea Fox is the editor of Healthcare IT News.
Healthcare IT News is a HIMSS Media publication.