Risk of HIPAA breach with tracking pixels, FTC and HHS warn


The Federal Trade Commission and the Department of Health and Human Services sent warning letters to 130 health systems and telehealth providers on Thursday regarding the privacy risks of third-party tracking technology.

The FTC and HHS’s Office for Civil Rights flagged vendors’ ability to use Meta/Facebook and Google Analytics tracking technologies in the letter. The agencies said the use of such technologies could violate the Health Insurance Portability and Accountability Act of 1996 or the FTC’s Health Breach Notification Rule. They warned organizations to exercise extreme caution when using these technologies and to ensure they do not reveal personal health information in an unauthorized manner.

The FTC said it did not disclose the names of the 130 organizations, but selected them based on research and reports indicating current or previous use of tracking technologies on their websites or apps.

Third-party tracking companies use code on websites and mobile apps to collect identifiable information about users. A study published in April from researchers at the University of Pennsylvania found that third-party tracking technology is present on 98.6% of hospital websites in the United States. According to the researchers, the most common third-party tracking codes on hospital websites send data to Meta, Google and Adobe.

This is not the first time the HHS Office for Civil Rights has raised this issue. In December, it released a bulletin outlining its concerns with providers using third-party tracking codes on websites and apps that address specific symptoms, as well as on patient portals. The agency said in a news release that health information protected by HIPAA could include someone’s internet protocol address, which could be collected using third-party tracking codes.

The American Hospital Association, the nonprofit advocacy group that represents hospitals, pushed back on the bulletin, saying in a letter to the agency that it was defining protected health information too broadly by including internet protocol addresses.

The AHA did not immediately respond to a request for comment on the latest warning from the government.

Agencies that do not comply with HIPAA still need to comply with the FTC’s Health Breach Notification Rule, the agencies said in the letter Thursday. The rule requires companies that collect and share consumers’ health information to notify those consumers. The FTC fined GoodRx in February and Teladoc Health’s BetterHelp in March for alleged rule violations, accusing the companies of sharing consumers’ personal information with Facebook and other companies. GoodRx and BetterHelp did not admit wrongdoing.

In May, the FTC published a proposed rule to extend the protections from the Breach Notification Rule to users of digital health apps.
