FTC and HHS Warn About Privacy Risks: Hospital Websites Are Leaking Sensitive Data


The Federal Trade Commission (FTC) and the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) are warning hospitals and telehealth providers about privacy and security risks. Many hospitals use online tracking technologies on their websites or in their mobile apps that are leaking sensitive information to social media and internet search companies. In a joint letter, the FTC and OCR told approximately 130 hospital systems and telehealth providers that they should make sure they are not accidentally allowing the Meta/Facebook pixel and Google Analytics tools to track patients’ online activities. Such disclosures to third parties that collect identifiable information about patients’ medical conditions, drugs, and treatments, if they are occurring, would violate the Health Insurance Portability and Accountability Act (HIPAA) privacy rules.


HHS highlighted these concerns in a bulletin it issued late last year that reminded entities covered by HIPAA of their responsibilities to protect health data from unauthorized disclosure under the law. On July 20, 2023, the FTC and OCR sent the joint letter to reiterate those obligations to protect patient data.