The Federal Trade Commission and Health and Human Services Department sent a warning letter to 130 health systems and telehealth providers on Thursday regarding the privacy risks of third-party tracking technology.
FTC and HHS’ Office for Civil Rights flagged providers’ possible usage of Meta/Facebook and Google Analytics tracking technologies in the letter. The agencies said using such technologies could be a violation of the Health Insurance Portability and Accountability Act of 1996 or the FTC Health Breach Notification Rule. They warned organizations to exercise extreme caution in using these technologies and ensure the tools are not disclosing personal health information in an unauthorized fashion.
The FTC said it was not releasing the names of the 130 organizations, but selected them based on research and reporting indicating the current or former use of tracking technologies on their websites or apps.
Third-party tracking companies use code on websites and mobile apps to gather potentially identifiable information on users. A study published in April from researchers at the University of Pennsylvania found that third-party tracking technology is present on 98.6% of hospital websites in the United States. The most popular third-party tracking codes on hospital websites send data to Meta, Google and Adobe, according to the researchers.
It’s not the first time HHS’ Office for Civil Rights has brought up this issue. In December, it released a bulletin outlining its concerns with providers using third-party tracking codes on websites and apps that address specific symptoms, as well as on patient portals. The agency said in the bulletin that HIPAA-covered protected health information might include someone’s internet protocol address, which can be collected by third-party tracking codes.
The American Hospital Association, the nonprofit advocacy group representing hospitals, pushed back on the bulletin, saying in a letter to the agency it was defining protected health information too broadly by including internet protocol addresses.
The AHA did not immediately respond to a request for comment on the latest warning from the government.
Entities that are not subject to HIPAA still need to comply with the FTC Health Breach Notification Rule, the agencies said in the Thursday letter. The rule requires companies that collect and share consumers’ health information to notify those consumers. The FTC fined GoodRx in February and Teladoc Health’s BetterHelp in March for allegedly violating the rule, accusing the companies of sharing consumers’ personal information with Facebook and other companies. GoodRx and BetterHelp did not admit wrongdoing.
In May, the FTC published a proposed rule to extend protections from the Breach Notification Rule to users of digital health apps.