The Federal Trade Commission joined the US Health and Human Services Office for Civil Rights this week to remind healthcare organizations of their responsibilities for third-party disclosures of protected health information under HIPAA, the FTC Act and the FTC Health Breach Notification Rule.
WHY IT MATTERS
While OCR has addressed the privacy and security risks associated with healthcare organizations knowingly or unknowingly using third-party tracking tools that can analyze, collect and share sensitive medical data with advertising partners under HIPAA, the FTC is also using its authority to protect consumer health information from “potential misuse and abuse.”
“These tracking technologies collect identifiable information about users, typically without their knowledge and in ways that are difficult for users to avoid, as users interact with a website or mobile application,” the agencies said in their notice of the joint letter, posted on the HHS website Thursday.
They go on to describe how tools built into hospital and telemedicine websites can not only send PHI directly to third parties like Google and Meta/Facebook, but those third parties can continue to track and collect information about patients even after they leave the site.
Some lawsuits allege that online tracking companies share PHI with their advertising partners, who target patients with ads and other content. The class-action lawsuits could also require that any profits the hospitals may have made from selling the records be paid to the affected patients, a form of damages that some Louisiana hospitals could face.
The letter reiterates that HIPAA rules apply when information that a regulated entity collects through tracking technologies or provides to third parties (e.g., vendors of tracking technology) includes PHI.
In December 2022, OCR published a bulletin regarding the use of online tracking technologies by HIPAA-regulated entities that provides an overview of how the HIPAA Rules apply.
The FTC adds a warning about consumer protection laws.
“Even if you are not covered by HIPAA, you still have an obligation to protect against impermissible disclosures of personal health information under the FTC Act and the FTC’s Health Breach Notification Rule.”
“This is true even if you have relied on a third party to develop your website or mobile application and even if you do not use the information obtained from the use of a tracking technology for any marketing purposes.”
THE BIGGEST TREND
When OCR issued guidance on the use of online tracking tools, it reminded regulated entities of their obligations to comply with HIPAA’s Privacy, Security, and Breach Notification Rules and explained what steps healthcare organizations and others should take to protect PHI on user-authenticated and other applicable web pages and forms.
“In these circumstances, regulated entities must ensure that disclosures made to such vendors are permitted by the Privacy Rule and enter into a business associate agreement with these tracking technology vendors to ensure that PHI is protected in accordance with the HIPAA Rules,” OCR said in the bulletin.
OCR said it continues to be concerned about the disclosure of health information to third parties.
“Although online tracking technologies can be used for beneficial purposes, patients and others should not sacrifice the privacy of their health information when using a hospital’s website,” Melanie Fontes Rainer, director of OCR, said in a statement about the joint letter with the FTC.
ON THE RECORD
“When consumers visit a hospital’s website or request telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a statement.
“The FTC is again issuing notice that companies must exercise extreme caution when using online tracking technologies, and that we will continue to do everything in our power to protect consumers’ health information from potential misuse and abuse.”
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a publication of HIMSS Media.