This summer, the Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) issued warnings to over 120 hospitals and telehealth providers regarding third-party online tracking technologies that may be integrated into their websites and mobile apps, creating privacy and security risks. In the warning, OCR and the FTC highlighted that the technologies at issue included the Meta/Facebook pixel and Google Analytics, both of which track a user’s online activities. Tracking technologies can gather identifiable information about users as they interact with a website or mobile application, often without the user’s knowledge, and they may impermissibly redisclose that information in violation of applicable data privacy regimes.
The warning letters caution organizations to ensure that their use of tracking technologies is consistent with their obligation to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the FTC Act, and the FTC Health Breach Notification Rule. The letters follow the FTC’s announcement of its intent to focus greater enforcement efforts on data privacy and security, its guidance regarding pixel tracking, and its actions against GoodRx, Betterhelp, and Cerebral, among others. Separately, OCR released its own bulletin regarding HIPAA compliance associated with the use of tracking technologies.
Healthcare organizations that operate websites and/or mobile applications must conduct a thorough review of how they use tracking technologies, and of how they disclose such use(s) to their users, to ensure that their integrations do not create liability. This review must include any third-party service provider or hosting service that assists or enables access to the organization’s website or application.
How Frier Levitt Can Help
Data privacy and security regulations and enforcement trends continue to evolve, including the implementation and enforcement of various state privacy regimes. Organizations with access to PHI or other health data must ensure their practices are consistent with applicable federal and state laws that govern how such data is accessed, used, and shared. Contact Frier Levitt for assistance in determining how HIPAA and FTC data privacy rules impact your business and what measures you must take to ensure your compliance with these rules.