If you’ve checked on your legal department, they may resemble Pepper (left). Hospitals and telehealth companies have been put on notice by letter agencies HHS Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) that personal health information–not just protected health information (PHI) covered by HIPAA–that can be transmitted to third-parties by ad trackers like Meta Pixel is now forbidden, verboten, not permitted. In the joint statement by OCR and FTC, hospitals, providers, and telehealth providers were explicitly told that use of these online trackers is being equated with violations of consumer privacy. Their release specified “sensitive information” such as health conditions, diagnoses, medications, medical treatments, frequency of visits to health care professionals, and where an individual seeks medical treatment. Hospitals and telehealth companies also cannot plead ignorance of what their developers did, as the responsibility is being put squarely on them to monitor the data going to third parties out of websites and apps.
“The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue doing everything in our powers to protect consumers’ health information from potential misuse and exploitation.” Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said. At OCR, which historically had its hands full with HIPAA violations and data breaches, their scope has broadened. “Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital’s website,” said Melanie Fontes Rainer, OCR Director. “OCR continues to be concerned about impermissible disclosures of health information to third parties and will use all of its resources to address this issue.” Both HHS and FTC can take action without the time-consuming legal actions that DOJ must undertake.
True to FTC’s renewed use of the 2009 Health Breach Notification Rule, the letter sent to 130 hospital systems and telehealth providers came down hard on anything that could be interpreted as personal health information. Even for health organizations not covered by HIPAA, the letter is explicit on their obligation to protect against disclosure to third parties and to monitor the flow to third parties even if not used for marketing. Without explicit consumer authorization, it can “violate the FTC Act as well as constitute a breach of security under the FTC’s Health Breach Notification Rule.” Previous TTA coverage on third-party trackers and FTC actions here. Health IT Security
Between the DOJ and FTC alone, with actions on ad trackers and changes to antitrust guidelines, they have made the spring and summer of 2023 a most interesting and busy one for hospital and healthcare company legal departments. It’s even more amazing that given this background and on notice, Amazon just keeps flouting basic regulations about health information usage, such as for Amazon Clinic–which to date has not rolled out. TTA 27 June
Most Recent Comments