a computer screen with a keyboard and a monitor

HHS and FTC Warn Providers Using Online Tracking Tools

Online tracking technologies (such as the Meta/Facebook Pixel, Google Analytics, and more) are widespread because all organizations want to understand and optimize user engagement. Yet, there's a darker side to these tools: They accidentally collect and share all sorts of user information with third parties.

At the individual level, these tracking tools often gather data without the user's full knowledge or consent (and would be a HIPAA violation each time protected health information is exposed). For healthcare professionals, though, the potential risks are even more acute. Although online tracking tools might offer useful analytics and conveniences, a top priority for health organizations must be protecting patients' privacy rights.


JUMP TO THE SECTION

Online tracking

Overview of the HHS and FTC's Warning to Health Providers

We're Watching You: That's essentially what the HHS and FTC is declaring in a joint warning letter sent to 130 hospitals about the risks of online tracking technologies. The letter shares examples of FTC enforcement actions against covered entities and business associates that didn't maintain patient privacy. The letter is a reminder that both enforcement agencies closely monitor and emphasize compliance in a digital landscape.

Online tracking analytics
Is patient data being captured without their knowledge or consent? If so, using online tracking tools will create HIPAA violations.

Deep Concerns Voiced: Unauthorized use of these tracking tools can expose sensitive health data, create profound negative implications for patients, and cause health providers tangled in breach incidents to settle with the consequences. For more information, a recent OCR bulletin highlights the significant security concerns associated with online tracking technologies.

Compliance is Crucial: Both HIPAA-regulated and non-HIPAA entities are urged to review their online practices to protect user health data. Regulators are sounding the alarm, and so our compliance advisors are alerting others to avoid these privacy breaches. In light of these concerns, let's tackle some questions health providers might encounter when protecting patients' health data.


Why is there such deep concern about online tracking in healthcare?

Ugh, you're getting data everywhere! Online tracking technologies (especially when embedded on healthcare websites and apps) pose risks of unintentionally disclosing personal health data to third parties.

Did you know an investigation found one-third (33%) of Top 100 Hospitals were sharing personal health data to Meta/Facebook? Such breaches can expose details ranging from health conditions and diagnoses to medications and treatments.

From web cookies to mobile app analytics, tracking technologies have become indispensable in offering enhanced user experiences. But what happens when these technologies tread too close to protected health information (PHI)?


What kind of harm can result from these unauthorized disclosures?

Woman working on a laptop

When a person's private health data is accessed without authorization, it can lead to several adverse outcomes. This includes potential identity theft, financial loss, and even discrimination based on one's health status. On a psychological level, patients could experience significant stress, stigma, or mental anguish, knowing their personal health details might be out in the open.

Check out this investigation that discovered 49 out of 50 telehealth websites were capturing and sharing health data with big tech companies. Would you be comfortable with your details out in the open?


If I'm HIPAA-regulated, then how does this concern me?

If you're a HIPAA-covered entity or business associate, it's crucial to ensure compliance with the HIPAA Rules for Privacy, Security, and Breach Notification Requirements. These rules govern the treatment of protected health information (PHI).

Any data your entity collects through tracking technologies, including PHI, must comply with these rules. HIPAA-regulated entities are explicitly barred from using tracking technologies in ways that might result in unauthorized PHI disclosures.


What about entities that aren't covered by HIPAA?

Even if your organization isn't HIPAA-regulated, the Federal Trade Commission Act (FTC Act) and the FTC Health Breach Notification Rule mandate protection against unauthorized health information disclosures. Regardless of who developed your platforms or how you use the tracked data, this remains true. It's essential to ensure that health data flows to third parties are closely monitored to prevent potential breaches.

Hazard symbol

Examples of Recent Enforcement Actions (Three Cases of Settlement Fines)

Three real-world examples underscore the importance of adhering to privacy standards, especially for HIPAA-covered entities and business associates. The enforcement actions from regulators involve Easy Healthcare Corporation, GoodRx, and BetterHelp. These companies faced legal challenges due to potential breaches of personal health information.


1. Easy Healthcare Corporation ⚕👛

(via a platform app called Premom designed to track ovulation and menstrual cycles)
  • Easy Healthcare Corporation landed in hot water when the company faced accusations of sharing data for advertising without user consent.
  • Fined $100,000 civil penalty 👛 for violating the HIPAA Breach Notification Rule along with a series of corrective actions in the settlement. In addition, a proposed court order seeks to ban Premom from sharing data without user consent going forward. (Yikes!)


2. GoodRx ⚕💸

(a platform for prescription discounts and telemedicine)
  • GoodRx was called into question for its privacy practices.
  • Settled for $1.5 million fine 💸 after disclosing users' health info without authorization or consent to big tech companies like Facebook, Google, and others.


3. BetterHelp ⚕💰

(a platform app for mental wellness and professional counseling)
  • BetterHelp faced scrutiny for possibly mishandling sensitive client data.
  • Fined $7.8 million 💰 after sharing consumers' data with third parties for advertising.


These cases are not just cautionary tales, but concrete reminders of the substantial risks involved. For HIPAA-covered entities and business associates, they highlight the importance of rigorous HIPAA compliance. Lapses can lead to significant financial penalties and erode trust, potentially undermining patient confidence in digital health services. In a world where data breaches can irreparably tarnish a company's reputation, it is crucial to understand and learn from these enforcement actions.

Arrow symbol

What steps should health providers take now?

Network system

To ensure compliance and protect users, health providers should immediately:

  1. Review Online Practices: Regularly audit and review your website and mobile apps for any tracking technologies and understand exactly what data they collect.
  2. Engage with Tech Teams: If you're unsure about any technologies within your departments, speak with your IT or tech teams to gain clarity.
  3. Seek Guidance: Familiarize yourself with the guidance provided by the OCR and FTC. Both agencies are dedicated to ensuring consumers' health data remains private and secure.
  4. Stay Updated: As technology evolves, so do the potential risks. Regularly stay updated with any new advisories or guidance from regulatory bodies.
  5. Conduct an SRA: A regular Security Risk Analysis (SRA) is an annual HIPAA requirement. HCP can assist your organization in a guided process of identifying, mitigating, and protecting HIPAA compliance.

The warning from HHS's OCR and FTC underscores the need for vigilance in our digital age, especially for healthcare providers. While online tracking technologies offer many advantages for understanding and enhancing user engagement, they come with potential pitfalls that can't be ignored.

In conclusion, health providers must prioritize compliance and take active measures to ensure the privacy and security of their users' data. Through informed action and a commitment to best practices, it's possible to leverage the best of technology while keeping patient data safe and secure.