FTC/OCR Letter Cautions Against Online Tracking Technologies + End of HIPAA Enforcement Discretion

In a joint letter, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) have issued a stark warning to healthcare providers about the potential privacy and security hazards posed by online tracking technologies. The letter emphasizes the impermissible disclosure of consumers’ sensitive personal health information to third parties.  Recent investigations, media coverage, and actions taken by the FTC have brought attention to the potential hazards linked with tracking technologies, including but not limited to the Meta/Facebook pixel and Google Analytics.  These tools collect identifiable information about users as they interact with websites or mobile apps, often unbeknownst to users themselves.  The unauthorized sharing of personal health information can lead to severe consequences for individuals, including the exposure of sensitive health conditions, diagnoses, medications, and medical treatments. Such breaches may also pave the way for identity theft, financial loss, discrimination, stigma, mental anguish, and potential harm to an individual’s reputation, health, or physical safety.

The letter emphasizes that healthcare providers who are considered covered entities or business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) must adhere to the HIPAA Privacy, Security, and Breach Notification Rules. This means that if tracking technologies involve the transmission or maintenance of protected health information (PHI), they must not result in impermissible disclosures of PHI to third parties or any other violations of the HIPAA Rules.  Even for entities not covered by HIPAA, the FTC Act and the FTC Health Breach Notification Rule require safeguarding against the unauthorized disclosure of personal health information. This obligation stands regardless of whether a third party developed the website or mobile app or if the information collected via tracking technologies is used for marketing purposes.

The letter also strongly urges healthcare providers to review the laws mentioned in the letter and take appropriate measures to protect individuals’ health information privacy and security.  Providers should also be aware that during the COVID-19 PHE, OCR exercised enforcement discretion with respect to imposing penalties for violations of HIPAA rules for providers using telehealth technologies.  In April, OCR announced through a federal register notice a 90-day transition period for providers to come into full compliance with HIPAA.  The 90-day transition period will end tomorrow, Aug. 9.  Therefore, providers should ensure the technologies they are now using comply with all of HIPAA’s requirements.  OCR has previously released a guidance document on remote communication technology that can be helpful for providers navigate the requirements.

To see the FTC and OCR’s entire warning, read the full letter issued to providers.