The Federal Trade Commission this week, along with the US Health and Human Services Office for Civil Rights, reminded healthcare organizations of their responsibilities for the disclosure of protected health information by third parties under HIPAA, the FTC Act and the FTC Health Breach Notification Rule.
WHY IT MATTERS
While OCR has addressed, under HIPAA, the privacy and security risks associated with healthcare organizations knowingly or unknowingly using third-party tracking tools that can analyze, collect, and share sensitive medical information with advertising partners, the FTC also uses its powers to protect consumer health information from “potential misuse and exploitation.”
“These Tracking Technologies collect identifiable information about users, usually without their knowledge and in ways that are difficult for users to avoid, as users interact with a website or mobile app,” the agencies said in their joint letter published Thursday on the HHS website.
They go on to describe how integrated tools on hospital and telemedicine websites can not only send PHI back directly, but also allow third parties such as Google and Meta/Facebook to continue tracking and collecting information about patients even after they navigate away.
Several lawsuits allege that online tracking companies share PHI with their advertising partners, who target the patient with ads and other content. The class action lawsuits may also seek to have any profits hospitals made from selling the data paid out to patient victims. Some Louisiana hospitals may face this.
The letter reiterates that if the information that a regulated entity collects using tracking technologies or discloses to third parties (e.g., tracking technology providers) includes PHI, the HIPAA rules apply.
In December 2022, OCR released a notice about the use of online tracking technologies by HIPAA-regulated businesses that provides a general overview of how the HIPAA rules apply.
The FTC adds a warning about consumer protection laws.
“Even if you are not covered by HIPAA, you still have an obligation to protect yourself from improper disclosure of personal health information under the FTC statute and the FTC Health Breach Notification Rule.”
“This is true even if you have relied on a third party to develop your website or mobile app, and even if you do not use information obtained through the use of tracking technology for marketing purposes.”
THE BIGGER TREND
When OCR issued guidelines on how to use online tracking tools, it reminded regulated companies of their obligations to comply with HIPAA rules for privacy, security and breach reporting, and outlined the steps healthcare organizations and others must take to protect PHI on user-authenticated and other applicable websites and forms.
“In these circumstances, regulated entities must ensure that disclosures to such providers are permitted by privacy regulations and enter into a business partner agreement with these tracking technology providers to ensure PHI is protected under HIPAA rules,” OCR said in the bulletin.
OCR said it remains concerned about the disclosure of health information to third parties.
“While online tracking technologies can be used for useful purposes, patients and others should not compromise the confidentiality of their healthcare information when using a hospital’s website,” said Melanie Fontes Rainer, director of OCR, in a statement accompanying the joint letter with the FTC.
ON THE RECORD
“When consumers visit a hospital’s website or use telemedicine services, they shouldn’t have to worry about their most private and sensitive health information being leaked to advertisers and other unnamed, covert third parties,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement.
“The FTC reiterates that businesses must exercise extreme caution when using online tracking technologies and that we will continue to do everything we can to protect consumer health information from potential misuse and abuse.”
Andrea Fox is Senior Editor of Healthcare IT News.
Healthcare IT News is a publication of HIMSS Media.