The Department of Health and Human Services and the Federal Trade Commission have sent a joint letter to approximately 130 hospital systems and telehealth providers to emphasize the risks and concerns about the use of technologies, such as the Meta/Facebook pixel and Google Analytics, that can track a user’s online activities. We have summarized each agency’s position and guidance here and here, respectively.
The joint letter emphasizes the agencies’ focus on this issue, conveying to recipients a call to action:
To the extent you are using the tracking technologies described in this letter on your website or app, we strongly encourage you to review the laws cited in this letter and take actions to protect the privacy and security of individuals’ health information.
The joint letter reminds entities regulated by HIPAA that the HIPAA privacy and security rules apply when the information that such entities collect through tracking technologies or disclose to third parties (e.g., tracking technology vendors) includes PHI. As noted in the earlier HHS Bulletin on this issue, individuals with or without an existing patient relationship with the regulated entity could be sharing PHI with the entity (or a third party) through its website tracking technologies.
For those entities not subject to HIPAA, the joint letter affirms that they may still have an obligation to protect against impermissible disclosures of personal health information under the FTC Act and the FTC Health Breach Notification Rule. The joint letter makes clear this would be the case:
“even if you relied upon a third party to develop your website or mobile app and even if you do not use the information obtained through use of a tracking technology for any marketing purposes”
Regulated entities, including covered entities and business associates, should conduct an audit of any tracking technologies used on their websites, web applications, or mobile apps and determine whether those technologies are being used in a manner that complies with HIPAA and the FTC Act. They also should establish an ongoing process for managing their online assets to ensure such technologies are not implemented without appropriate vetting and risk assessment. Regulated entities also should review tracking technology vendor agreements to ensure they contain appropriate terms relating to the collection, use, processing, and disclosure of PHI or personal health information. This may require a business associate agreement. Additional considerations are provided in our earlier posts at the links above.
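The audit recommended above starts with an inventory of what each page actually loads. The following helper is added here and is not code from the post or from the agencies' guidance: it scans a page's HTML for the loaders of the technologies the letter names (the Meta/Facebook pixel and Google Analytics/Tag Manager). The signature patterns are assumptions based on those vendors' public loader URLs and global function names, and the sample page is constructed with placeholder ids.

```python
"""Audit page HTML for the Meta/Facebook pixel and Google Analytics loaders.
Added example, not code from the post or the agencies; the signature patterns are
assumptions based on each vendor's public loader URLs and global function names."""
import re
from html.parser import HTMLParser

# (vendor label, pattern tried against script/img/iframe src URLs and inline script text)
TRACKER_SIGNATURES = [
    ("Meta/Facebook pixel", re.compile(r"connect\.facebook\.net/[^/'\"]+/fbevents\.js|\bfbq\s*\(", re.I)),
    ("Meta pixel image fallback", re.compile(r"facebook\.com/tr\?", re.I)),
    ("Google Analytics", re.compile(r"google-analytics\.com/analytics\.js|googletagmanager\.com/gtag/js"
                                    r"|\bgtag\s*\(|\bga\s*\(\s*['\"](?:create|send)", re.I)),
    ("Google Tag Manager", re.compile(r"googletagmanager\.com/gtm\.js", re.I)),
]

class _LoaderCollector(HTMLParser):
    """Collects external resource URLs and the body of every inline <script>."""
    def __init__(self):
        super().__init__()
        self.sources, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "img", "iframe") and src:
            self.sources.append(src)
        if tag == "script":
            self._buf = []  # begin capturing inline script text
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf)); self._buf = None

def find_trackers(html):
    """Return sorted (vendor, evidence) pairs, where evidence is the matched fragment."""
    collector = _LoaderCollector()
    collector.feed(html)
    findings = set()
    for text in collector.sources + collector.inline:
        for vendor, pattern in TRACKER_SIGNATURES:
            match = pattern.search(text)
            if match:
                findings.add((vendor, match.group(0)))
    return sorted(findings)

# Constructed sample page (placeholder ids): GA loader, Meta pixel base code, <noscript> fallback.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>var s=document.createElement('script');s.src='https://connect.facebook.net/en_US/fbevents.js';
document.head.appendChild(s);fbq('init','000000000000000');fbq('track','PageView');</script>
</head><body><noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1"/></noscript>
<h1>Find a provider</h1></body></html>"""
```

Run it over saved copies of each patient-facing page, including login, scheduling and portal pages where PHI is most likely to be present; a hit is a prompt to examine what data the tag sends and whether a vendor agreement covers it, not a compliance verdict on its own.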