The Office for Civil Rights and the Federal Trade Commission have sent a joint letter to 130 hospital systems and telehealth providers to emphasize the risks and concerns about the use of tracking technologies, such as the Meta/Facebook pixel and Google Analytics, that can track a user's online activities.
Why it matters
The Health and Human Services' Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) have issued a stern warning to hospital systems and telehealth providers about the privacy and security risks associated with online tracking technologies. This comes in the wake of a series of lawsuits and allegations against healthcare providers for potential violations of the Health Insurance Portability and Accountability Act (HIPAA) due to third-party tracking.
The big picture
The OCR and FTC's joint warning can be read here and underscores the growing concern about the use of online tracking technologies, such as cookies and pixels, by healthcare providers.
When interacting with a website or mobile app, these tracking technologies gather identifiable information about users, often without user knowledge or consent and in ways that are difficult to avoid. While useful for analytics and advertising, these technologies can potentially compromise the privacy and security of patients' health information, a clear violation of HIPAA.
What they're saying
"Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital's website," said Melanie Fontes Rainer, OCR Director. "OCR continues to be concerned about impermissible disclosures of health information to third parties and will use all of its resources to address this issue."
The Mount Nittany Health case
Mount Nittany Health, a healthcare provider based out of Pennsylvania, recently faced allegations over third-party tracking. The lawsuit alleges that sensitive information was disclosed about the patient's medical conditions, medical providers, and location to third parties without their knowledge or consent. This case is a reminder of the potential legal liabilities for hospitals.
Related: 98.6% of hospitals use tracking that puts patient privacy at risk
Meta's defense
In response to several lawsuits alleging that its Meta Pixel tracking tool violates HIPAA, Meta has claimed that the hospitals that use the tool are the liable parties, not Meta. Meta argues that the hospitals are the ones who are responsible for obtaining patient consent before sharing their data with third-party companies and ensuring that their websites are HIPAA compliant.
Related: Meta claims hospitals are to blame for Meta Pixel HIPAA violations
The ransomware threat
BakerHostetler's 2023 Data Security Incident Response (DSIR) Report found that while ransomware is often in the news, it's not the only issue that healthcare organizations face. Some organizations are finding themselves in hot water for their use of third-party pixels, which can send data to other companies for marketing purposes. BarkHostetler said they are handling over 50 cases related to pixel use.
Between the lines
The OCR and FTC's warning, coupled with the ongoing lawsuits, highlight the tension between the use of modern online technologies and the need to protect patient privacy. While these technologies can provide valuable insights for healthcare providers, they must be used responsibly and in compliance with privacy laws.
What's next
The lawsuits against Meta and other healthcare entities are still pending, and how they will be resolved is unclear. However, the case has raised important questions about the privacy of patient data and the role that technology companies play in protecting that data. The Meta Pixel scandal is a reminder of the importance of patient privacy. It is also a reminder that companies like Meta must be more careful about collecting and using personal data.
The bottom line
The widespread use of third-party tracking on hospital websites poses significant risks to patient privacy. It may result in legal liabilities for hospitals. More robust privacy regulations, proactive measures by hospitals, and self-regulation within the healthcare industry are needed to safeguard sensitive patient information from being accessed and exploited by third parties.
Be smart
Healthcare providers should take this warning as a call to action to review their online practices and ensure they are in compliance with HIPAA. Patients should also be aware of these issues and take steps to protect their own privacy when seeking health information or services online.
Related: HIPAA Compliant Email: The Definitive Guide
Dean Levitt
