Skip to main content

We usually don’t recommend reading other people’s mail, but even if you weren’t one of the approximately 130 companies that received a recent joint letter from the FTC and HHS’ Office for Civil Rights (OCR), anyone in the health arena – hospitals, other HIPAA-covered entities, telehealth providers, health app developers, etc. – should take the letter to heart and consider a privacy and security check-up at their business.

The joint letter alerts recipients to the risks that tracking technologies – including Meta/Facebook pixel and Google Analytics – pose to the privacy and security of consumers’ personal health information. As users interact with websites or mobile apps, technologies are often tracking their online activities and gathering personal data about them. Much of this happens behind the scenes with consumers utterly unaware they’re being tracked and unable to avoid what’s happening.

The nature of the data these technologies are gathering without consumers’ consent – for example, health conditions, diagnoses, medications, and visits to healthcare providers – is uniquely confidential. And impermissible disclosure can lead to identity theft, financial loss, discrimination, stigma, mental anguish, and other injurious consequences.

You’ll want to read the letter for OCR’s perspectives on tracking and personal health information, but here’s a sentence worth highlighting: “HIPAA regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to third parties or any other violations of the HIPAA Rules.” The letter also cites a December 2022 OCR bulletin with an overview about how HIPAA applies to the use of online tracking technologies.

But even if a company isn’t covered by HIPAA, the letter is a reminder that it still has obligations under the FTC Act and the FTC’s Health Breach Notification Rule to protect against the impermissible disclosures of personal health information. Citing recent FTC law enforcement actions against Easy Healthcare, BetterHelp, GoodRx, and Flo Health, the letter establishes that it's “essential to monitor data flows of health information to third parties via technologies you have integrated into your website or app.” What if you had someone else design your site or app? The compliance buck still stops with you. Furthermore, your company is legally responsible even if you don’t use the data obtained through tracking technologies for marketing purposes.

In addition to underscoring that both agencies are watching developments in this area, the letter ends with this admonition: “To the extent you are using the tracking technologies described in this letter on your website or app, we strongly encourage you to review the laws cited in this letter and take actions to protect the privacy and security of individuals’ health information.”

That’s sound advice for companies that received the joint letter – and for other businesses, too.

Check out more health privacy resources from the FTC.
 

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.

The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.

  • We won’t post off-topic comments, repeated identical comments, or comments that include sales pitches or promotions.
  • We won’t post comments that include vulgar messages, personal attacks by name, or offensive terms that target specific people or groups.
  • We won’t post threats, defamatory statements, or suggestions or encouragement of illegal activity.
  • We won’t post comments that include personal information, like Social Security numbers, account numbers, home addresses, and email addresses. To file a detailed report about a scam, go to ReportFraud.ftc.gov.

We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.

Elizabeth Darnold
August 08, 2023

I di have all my medical records/doctor appointments dates/behavioral health counselor memos/ ectopic HIPPA Rights were disregarded, when hospital records sent me a message via/ gmail, which I did not give them permission or an account for , I happened to use AOL for all my email that was important at the time,( now I can't even get back into AOL?) BUT the message told me the results of my ultrasound showed 2 babies! And congratulations, they gave due date, .....I WAS 43 ,AND KNEW, this is not for real, but there was a picture of a sonogram I went running to my doctors office , and made quite a unstable impression I am certain, but the nurse took me back said she was gonna look in the computer, tells me oh,ohhhhh,no it's not yours, they mixed up someone else's records with your name and email, ( that I didn't authorize for them to use PERIOD! My next stop was the records department to speak to anyone competent, only found someone who wanted to tell me they would change my email address, I filed a administrative grievance and dropped it off to the head of patient services, the next week, front page news in the Wenatchee World was how because of mishandling of computer into records for apportionment, more than 3000, people's personally info was accidentally exposed on the legality of HIPPA was never mentioned at the time only,well these things g happen and it wasn't billing info, so we apologize! I never get anything but a hard time if I have to go to that hospital, God Forbid, for anything!