The Federal Trade Commission (FTC) and the Department of Health and Human Services (HHS) Office for Civil Rights warned hospitals and telehealth providers of potential privacy and security risks embedded in their websites and applications.
In a June 20 letter, sent to roughly 130 hospital systems and telehealth providers, officials emphasized how medical websites and applications could expose unauthorized patient information to third-party tracking tools, like Meta Pixel and Google Analytics.
According to the letter, these tracking tools gather identifiable information about users as they interact with a website or application, often without users’ knowledge and in ways they cannot avoid.
For example, officials found that third-party trackers collected patient answers to medical intake questions on at least 13 websites of direct-to-consumer telehealth companies.
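The finding above is the kind of exposure a privacy review can check for statically: a page that embeds third-party tracking scripts or pixels and also contains an intake form with health-related fields is a candidate for the disclosures the letter describes. The script below is an added example (not from the letter or either agency) that scans a page’s HTML for resources loaded from hosts other than the first party, flags hosts on an assumed, illustrative tracker list, and reports form fields whose names suggest health data. The tracker hostnames, the field-name hints, and the sample page are all constructed for illustration.

```python
"""Static audit of a web page for third-party trackers next to sensitive form fields.

Added example for illustration; not code from the FTC/HHS letter.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed, illustrative list of tracker hosts (not taken from the letter).
KNOWN_TRACKER_HOSTS = {
    "connect.facebook.net",
    "www.facebook.com",
    "www.google-analytics.com",
    "www.googletagmanager.com",
}

# Substrings that suggest a form field carries health information (assumed).
SENSITIVE_FIELD_HINTS = ("diagnos", "symptom", "medic", "condition", "dob", "birth")


class _PageScanner(HTMLParser):
    """Collects external resource URLs and form field names from HTML."""

    def __init__(self):
        super().__init__()
        self.resource_urls = []
        self.form_fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # Scripts, images (tracking pixels) and iframes all load remote resources.
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.resource_urls.append(a["src"])
        # Any input-like element may carry user-entered data.
        if tag in ("input", "select", "textarea"):
            self.form_fields.append(a.get("name") or a.get("id") or "")


def _host_of(url):
    # urlparse handles absolute and protocol-relative ("//host/...") URLs;
    # relative paths yield an empty netloc and are treated as first-party.
    return urlparse(url).netloc.lower()


def audit_page(html, first_party_host):
    """Return third-party hosts, known trackers, sensitive fields and a risk flag."""
    scanner = _PageScanner()
    scanner.feed(html)
    first_party_host = first_party_host.lower()

    third_party = sorted({
        h for h in (_host_of(u) for u in scanner.resource_urls)
        if h and h != first_party_host and not h.endswith("." + first_party_host)
    })
    known_trackers = [h for h in third_party if h in KNOWN_TRACKER_HOSTS]
    sensitive_fields = [
        f for f in scanner.form_fields
        if any(hint in f.lower() for hint in SENSITIVE_FIELD_HINTS)
    ]
    return {
        "third_party_hosts": third_party,
        "known_trackers": known_trackers,
        "sensitive_fields": sensitive_fields,
        # Trackers loaded on the same page as a health intake form is the
        # combination the letter warns about.
        "risk": bool(known_trackers and sensitive_fields),
    }


# Constructed sample intake page; the domain and pixel id are placeholders.
SAMPLE_HTML = """
<html><head>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="/static/app.js"></script>
</head><body>
<img src="https://www.facebook.com/tr?id=PLACEHOLDER_PIXEL_ID&ev=PageView">
<form action="/intake" method="post">
  <input name="email" type="email">
  <textarea name="symptoms"></textarea>
  <select name="plan"></select>
</form>
</body></html>
"""

if __name__ == "__main__":
    report = audit_page(SAMPLE_HTML, "telehealth.example")
    for key, value in report.items():
        print(f"{key}: {value}")
```

The check is deliberately static: it will not see trackers injected by a tag manager at runtime, so it complements rather than replaces observing actual outbound requests from a browser session.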
“Impermissible disclosures of an individual’s personal health information to third parties may result in a wide range of harms to an individual or others. Such disclosures can reveal sensitive information including health conditions, diagnoses, medications, medical treatments, frequency of visits to health care professionals, where an individual seeks medical treatment and more,” the letter reads.
The letter continues to explain that impermissible disclosures of personal health information could also result in identity theft, financial loss, discrimination, stigma, mental anguish, or harm to the health or physical safety of the individual patient or others.
Officials also expressed concern that medical providers covered by the Health Insurance Portability and Accountability Act (HIPAA) could be violating the law’s rules on protected health information, which prohibit using tracking technologies that could result in impermissible disclosures.
Even medical entities not covered by HIPAA have an obligation to protect against impermissible disclosures of personal health information under the FTC Act and the FTC Health Breach Notification Rule.
On July 14, the FTC required BetterHelp, an online counseling service, to pay $7.8 million and prohibited it from sharing user health data for advertising purposes after the agency alleged that the company “used and disclosed consumers’ email addresses, IP addresses, and health questionnaire information” for advertising purposes via Facebook, Snapchat, Criteo, and Pinterest.
“This is true even if you relied upon a third party to develop your website or mobile app and even if you do not use the information obtained through the use of tracking technology for any marketing purposes,” the letter reads.
The letter explains that recent FTC enforcement demonstrates “it is essential to monitor data flows of health information to third parties via technologies you have integrated into your website or app.”
Officials strongly recommended that hospitals and online health providers review HIPAA and the FTC Act, alongside recent FTC tools, to ensure they’re compliant with the law.