This week, the Federal Trade Commission joined with the US Office of Health and Human Services to remind healthcare organizations of their responsibility for third-party disclosures of protected health information under HIPAA, the FTC Act, and the FTC’s Health Infringement Notification Rules.
WHY IT IMPORTANT
While OCR has addressed the privacy and security risks associated with healthcare organizations knowingly or unknowingly using third-party tracking tools that may analyze, collect, and share sensitive health data with advertising partners under HIPAA, the FTC is also using its authority to protect consumers’ health information from “potential misuse.” and
“These tracking technologies collect identifying information about a user, often without their knowledge and in a way that is unavoidable for the user, when the user interacts with a website or mobile app,” the agencies said in a joint letter announcement, posted on the HHS website, on Thursday.
They go on to describe how tools integrated on telemedicine and hospital websites not only send back PHI information directly, but third parties like Google and Meta/Facebook can continue to track and collect information about patients even after they leave.
Several lawsuits allege that online tracking companies share PHI with their advertising partners, who target patients with advertising and other content. Class action lawsuits could also require that any profits that hospitals may make from selling data be paid to patient victims, damages that some hospitals in Louisiana may face.
The letter reiterates that the HIPAA Rules apply when information that a regulated entity collects through tracking technology or discloses to third parties (e.g., a tracking technology provider) includes PHI.
In December 2022, OCR released a bulletin on the use of online tracking technologies by HIPAA-regulated entities and provided a general overview of how the HIPAA Rules apply.
FTC adds warning about consumer protection laws.
“Even if you are not covered by HIPAA, you are still obligated to protect against unauthorized disclosure of personal health information under the FTC Act and the FTC Health Violations Notification Rule.”
“This is true even if you rely on a third party to develop your website or mobile app, and even if you don’t use the information obtained through the use of tracking technology for any marketing purposes.”
TREND TO BIGGER WOMAN
When OCR issued guidance on the use of online tracking tools, it reminded regulated entities of their obligation to comply with HIPAA’s Privacy, Security and Breach Notification Code, and explained the steps healthcare organizations and others must take to protect PHI on other applicable websites and forms, and to be authenticated by users.
“In these cases, regulated entities must ensure that disclosures to such vendors are permitted under privacy rules and enter into business association agreements with these tracking technology providers to ensure that PHI is protected under the HIPAA Rules,” OCR said in the news release.
OCR said it continues to be concerned about the disclosure of health information to third parties.
Melanie Fontes Rainer, director of the OCR, said in a statement about the joint letter with the FTC: “While online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice their health information privacy when using the hospital’s website.
ON PROFILE
“When consumers visit a hospital website or search for telehealth services, they need not worry that their most sensitive and private health information may be disclosed to advertisers and other anonymous third parties,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection.
“The FTC is again announcing that companies need to exercise extreme caution when using online tracking technologies, and we will continue to do everything in our power to protect consumers’ health information from potential misuse and exploitation.”
Andrea Fox is the senior editor of Healthcare IT News.
Email: [email protected]
Healthcare IT News is a publication of HIMSS Media.
