FTC, HHS warn of potential privacy and security risks embedded in online health sites

The Federal Trade Commission and the Department of Health and Human Services’ Office for Civil Rights are warning hospitals and telehealth providers that their websites and apps could potentially be exposing unauthorized patient information to third party tracking tools. 

In a letter Thursday to roughly 130 hospital systems and telehealth providers, OCR officials emphasized the risks and concerns of possibly disclosing patient health information through third party tools, like Meta Pixel and Google Analytics, that are commonly used to track website interactions by users and audience metrics. 

“These tracking tools gather identifiable information about users as they interact with a website or mobile app, often in ways which are not avoidable by and largely unknown to users,” the letter said, going on to note that impermissible disclosures can reveal sensitive information including health conditions, diagnoses, medications, medical treatments, frequency of visits to health care professionals, where an individual seeks medical treatment and more.” 

Agency officials are concerned that entities like hospitals and other medical offices covered by the Health Insurance Portability and Accountability Act could be in violation of the law’s rules around protected health information, which prohibits the use of tracking technologies that could result in impermissible disclosures. 

The letter points to a December 2022 bulletin from OCR that outlines where HIPAA-covered entities may use tracking technologies on their websites and software apps — namely for customer service, business planning and development, and business management or general administrative activities — but also explains the limits of where those tools can be applied to avoid disclosing patient information. 

Even if telehealth providers are not covered by HIPAA, the letter notes they are still subject to guard against impermissible disclosures under the FTC Act and the FTC Health Breach Notification Rule. 

“This is true even if you relied upon a third party to develop your website or mobile app and even if you do not use the information obtained through use of a tracking technology for any marketing purposes,” the letter said. “As recent FTC enforcement actions demonstrate, it is essential to monitor data flows of health information to third parties via technologies you have integrated into your website or app.” 

OCR officials also cited recent reports that found trackers from companies like Meta, Google, TikTok, Bing, Snap, Twitter, LinkedIn or Pinterest that collected patient answers to medical intake questions on at least 13 websites of direct-to-consumer telehealth companies.

That was alongside a July 14 FTC order the required online counseling service BetterHelp to pay $7.8 million and prohibited it from sharing user health data for advertising purposes after the agency alleged that “BetterHelp used and disclosed consumers’ email addresses, IP addresses and health questionnaire information to Facebook, Snapchat, Criteo and Pinterest for advertising purposes.”  

Thursday’s letter went on to strongly encourage hospitals and online health providers to review HIPAA and the FTC Act, alongside recent FTC tools, to help ensure compliance with the law.