3rd Party Risk Management, Governance & Risk Management, HIPAA/HITECH
Feds Warn Hospitals, Telehealth Firms About Web Tracker Use
HHS, FTC Notify 130 Entities About Risk of Sharing Sensitive Data in Tracking Tools
The Federal Trade Commission and the Department of Health and Human Services are jointly warning dozens of hospitals and telehealth providers of potential data privacy and security violations involving the use of online tracking technologies.
The two agencies said on Thursday they had sent letters to about 130 hospital systems and telehealth providers alerting them to the risks and concerns of using online tracking technologies, such as the Meta/Facebook pixel and Google Analytics.
"These tracking technologies gather identifiable information about users, usually without their knowledge and in ways that are hard for users to avoid, as users interact with a website or mobile app," said the letter signed by Melanie Fontes Rainer, director of HHS' Office for Civil Rights, and Samuel Levine, director of the FTC's Bureau of Consumer Protection.
"Both agencies are closely watching developments in this area. To the extent you are using the tracking technologies described in this letter on your website or app, we strongly encourage you to review the laws cited in this letter and take actions to protect the privacy and security of individuals' health information," they wrote.
The agencies, which declined to publicly disclose the recipients of the letters, selected the entities "based on research and reporting that has been done in this area," an FTC spokeswoman told Information Security Media Group.
"The letters were sent to hospitals and hospital systems, as well as telehealth companies that we believe may have or have had tracking technologies on their websites or apps impermissibly disclosing consumers' sensitive health information to third parties," she said.
The agencies sent these letters to provide information to entities "that may not be aware of the security and privacy risks to their patients and customers," the spokeswoman said.
"In addition, we think the recipients will want to stop the risks, since they threaten to undermine consumer trust in potentially valuable online tools to promote health. Receipt of one of the letters is not intended to suggest that a provider has violated the law, just as failure by other healthcare providers to receive this informational letter should not be viewed as any sort of stamp of approval."
Enforcement Actions
The FTC has already taken enforcement actions against at least two telehealth providers - BetterHelp and GoodRx - plus mobile fertility app vendor Premom in cases involving those companies' use of tracking tools that shared consumers' sensitive health and personal information with third-party analytics and social media firms without individuals' consent.
The FTC alleged those companies' use of online trackers amounted to unfair acts or practices in violation of Section 5 of the FTC Act. In the enforcement actions against GoodRx and Premom, the FTC also alleged the companies had violated the FTC's Health Breach Notification Rule.
The FTC's enforcement actions in these online tracking cases so far have included multimillion-dollar civil monetary penalties and orders for the companies to stop their practices involving disclosures of consumers' health information to third parties for advertising and related purposes.
HHS OCR is also actively investigating the use of website tracking tools by some HIPAA-covered entities as potential HIPAA violations, said Susan Rhodes, HHS OCR acting deputy director of strategic planning and regional manager, during Information Security Media Group's Healthcare Security Summit in New York City on Tuesday.
HHS OCR in December issued guidance about the use of online trackers, warning regulated entities that such tools may not be used in a manner that would result in impermissible disclosures of PHI to third-party vendors or in any other violations of the HIPAA Rules (see: HHS: Web Trackers in Patient Portals Violate HIPAA).
"This is a top enforcement priority of the agency," Rhodes said.
Fontes Rainer, in an interview with ISMG in April, said HHS OCR's first enforcement action over a tracking tool-related HIPAA violation would come "hopefully soon."
Since the issuance of HHS OCR's online tracker guidance in December, several HIPAA-covered entities have reported to the agency large health data breaches involving their previous use of the technologies.
That includes online mental health services firm Cerebral, which has reported the largest such incident so far this year. The San Francisco-based company in March reported a breach affecting nearly 3.2 million individuals, involving the "inadvertent" sharing of PHI, including online mental health assessments, with third parties such as TikTok, Facebook and Google through its use of pixels and similar web tracking technologies (see: Not-So-Cerebral Sharing of Mental Health Data Hits Millions).