FTC and HHS’s Office for Civil Rights put healthcare stakeholders on notice about the use of tracking technology

Federal regulators plan to more rigorously monitor whether tracking technologies on provider websites are impermissibly disclosing consumers’ protected health information (PHI) to third parties in violation of HIPAA.

The Federal Trade Commission (FTC) and the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services last month sent a letter to around 130 health systems and telehealth providers to spell out the risks of technologies such as Meta Pixel and Google Analytics.

“These tracking technologies gather identifiable information about users as they interact with a website or mobile app, often in ways which are not avoidable by and largely unknown to users,” the letter states.

Consequences can include disclosure of information such as health conditions, diagnoses, medications and treatments, visit frequency, site of care and more, the letter states. Transmission of such information also raises the risk of identity theft, financial loss, discrimination, stigma and “mental anguish,” and can jeopardize “the reputation, health or physical safety” of the patient.

“Both agencies are closely watching developments in this area,” the letter states. “To the extent you are using the tracking technologies described in this letter on your website or app, we strongly encourage you to review the laws cited in this letter and take actions to protect the privacy and security of individuals’ health information.”

Enforcement stands to be noticeably ramped up for telehealth in particular because this week marked the end of a 90-day “transition period” for providers to ensure they’re fully HIPAA-compliant with respect to telehealth services.

OCR had exercised HIPAA enforcement discretion in its oversight of telehealth and certain other healthcare operations for the duration of the COVID-19 public health emergency, which ended May 11. The agency then provided a 90-day period during which the discretionary enforcement continued for telehealth. That ended Aug. 9.

Amplifying key points

The letter emphasizes some of the points highlighted in a December bulletin issued by OCR about restrictions on the use of online tracking technologies by HIPAA-covered entities and business associates. The bulletin stressed that tracking technologies cannot be used in a manner that results in disclosure of PHI to tracking-technology vendors for marketing or other purposes, unless the hospital has received appropriate authorization from the patient.

“While it has always been true that regulated entities may not impermissibly disclose PHI to tracking-technology vendors, because of the proliferation of tracking technologies collecting sensitive information, now more than ever, it is critical for regulated entities to ensure that they disclose PHI only as expressly permitted or required by the HIPAA Privacy Rule,” the bulletin states.

The bulletin notes that all individually identifiable health information (IIHI), including home and email addresses or the individual’s IP address, is considered protected information “even if the individual does not have an existing relationship with the [HIPAA] regulated entity” and even if the information does not include specific clinical or billing data.

“This is because, when a regulated entity collects the individual’s IIHI through its website or mobile app, the information connects the individual to the regulated entity (i.e., it is indicative that the individual has received or will receive healthcare services or benefits from the covered entity), and thus relates to the individual’s past, present or future health or healthcare or payment for care,” the bulletin states.

Expanding the scope of enforcement

PHI may be disclosed from a user-authenticated page (i.e., a page requiring a log-in) only if the transmission is compliant with the HIPAA Privacy Rule, while any electronic PHI must be secured as per the HIPAA Security Rule, according to the bulletin. Vendors that provide tracking-technology services to hospitals also must abide by Privacy Rule provisions and sign a business associate agreement with the client hospital.

Tracking on unauthenticated pages, such as a hospital’s home page, generally is not subject to HIPAA enforcement because an individual’s PHI is not accessible. But if such information is accessible, such as in the case of credential information entered on a login page, or email or IP addresses collected on a resource page providing information about specific health conditions, those pages would need to be HIPAA-compliant.

“OCR’s statement that data tracked from a patient logging into a user-authenticated website is PHI is not particularly surprising. However, OCR went a step further by stating that tracking data captured on unauthenticated websites may also be PHI,” states a bulletin by attorneys with Akerman.

Mobile apps such as those that help patients manage their health or make payments must be HIPAA-compliant unless the app was developed or offered by an entity that is not covered by the regulations, according to the OCR bulletin.

Time to shore up compliance

“When consumers visit a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a news release about the letter. “The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue doing everything in our powers to protect consumers’ health information from potential misuse and exploitation.”

A bulletin written by attorneys with Manatt states, “Although HIPAA does not include a private right of action, plaintiffs’ attorneys are using a wide range of legal theories in litigation against healthcare providers, including hospital systems. These include violations of state and federal privacy and unfair business practices laws.”

In response, hospitals and other healthcare stakeholders should “evaluate how they are collecting, using and sharing health data, taking care to consider the potential breadth of data that the OCR, FTC and other federal and state regulators may deem health-related. First, they should review what data is being collected via tracking technologies operating on their websites and mobile apps (including of both unauthenticated and authenticated users) and with whom that data is shared. Legal counsel should determine whether any such data could constitute PHI subject to HIPAA, and if PHI has been disclosed, determine appropriate steps to respond to such disclosure and mitigate future risks.”