On July 20, 2023, the Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) sent a joint letter to 130 entities, including hospital systems and telehealth providers, which highlighted the risks and concerns about online tracking technologies that can track users’ online activities and disclose such information to third parties. The letter cautioned the entities that online tracking technologies, such as the Meta/Facebook pixel and Google Analytics, “may be present on your website or mobile application (app) and impermissibly disclosing consumers’ sensitive personal health information to third parties” (emphasis added).
The joint letter follows OCR’s December 2022 Bulletin, Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates, which warned that “regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.” In March 2023, the FTC issued guidance on the Hidden Impacts of Pixel Tracking. Entities that are not covered by HIPAA must protect health data under the FTC Act, and disclosures without a consumer’s authorization may constitute a breach of security under the FTC’s Health Breach Notification Rule.
OCR and the FTC did not provide details as to how the 130 entities were selected to receive the joint letter. It is not clear whether OCR or the FTC will conduct compliance reviews or investigations of the 130 entities; however, the letter did warn the entities that “to the extent you are using the tracking technologies described in this letter on your website or app, we strongly encourage you to review the laws cited in this letter and take actions to protect the privacy and security of individuals’ health information.” Health centers looking for recommended next steps should review our blog, OCR Issues Bulletin Warning about Online Tracking Technologies and HIPAA Violations, or view our recent webinar, Online Tracking Technologies: Regulatory and Legal Risks.