FTC, HHS Warn Hospitals, Telehealth Firms of Privacy Violations With Tracker Use
The Federal Trade Commission and the Department of Health and Human Services have publicly named 130 hospitals and telehealth companies that were recently warned that the use of online tracking tools in their websites or mobile apps potentially violates federal data privacy and security regulations.
On Friday, the FTC and the HHS’ Office for Civil Rights posted copies of each letter the two agencies jointly sent on July 20 to dozens of U.S. telehealth providers and healthcare organizations, alerting them about the risks and concerns involving the use of online tracking technologies, such as the Meta/Facebook pixel and Google Analytics.
The letter recipients include a diverse mix of telehealth firms, including specialty online care providers – such as acne care company Apostrophe, male healthcare provider Hone Health and online mental health provider Mantra Health. The recipients also include a wide variety of healthcare organizations, including Johns Hopkins Hospital, Inova Health, New York-Presbyterian Hospital and Advocate Aurora Health.
But rather than a concise list that names each of the organizations receiving the letters, the disclosure by the FTC and HHS/OCR is a 387-page PDF file containing a redacted copy of each letter sent to the 130 entities, arranged in alphabetical order.
While the FTC and HHC OCR also publicly disclosed on July 20 that they had sent letters to 130 entities, the regulators at the time did not disclose the identities of the organizations (see: Feds Warn Hospitals, Telehealth Firms About Web Tracker Use).
But now that’s changed with the release of the redacted letters.
“Healthcare web tracking is a clash between patient privacy and commercial interests built on individually identifiable information,” said regulatory attorney Paul Hales of the Hales Law Group. “The conflict is mushrooming at a feverish pace with no resolution in sight.”
The FTC and HHS OCR in their letters warn that the online trackers contained on each of the organizations’ websites or mobile application potentially impermissibly disclose consumers’ sensitive personal health information to third parties.
Such disclosures can reveal information including health conditions, diagnoses, medications, medical treatments, frequency of visits to healthcare professionals, where an individual seeks medical treatment, and many more private details, the agencies wrote.
Some of the healthcare systems receiving the letters – including New Yor- Presbyterian and Advocate Aurora – in recent months also reported large health data breaches to HHS OCR involving their previous use of web trackers (see: 3 More Healthcare Entities Report Website Tracking Breaches).
Advocate Aurora last month agreed to a preliminary $12.25 million settlement of a proposed class action lawsuit filed in the wake of its web tracker breach, which it reported to HHS OCR in October 2022 as affecting 3 million individuals (see: Advocate Aurora to Settle Web Tracker Claims for $12.25M).
Some experts said publicly releasing the names of letter recipients and copies of warning letters sent to each is an unusual move for the FTC and HHS OCR to make.
“This is the first time advisory letters sent to specific entities have been made public,” said longtime privacy attorney David Holtzman of the consulting firm HITprivacy LLP. He said the agencies’ letters are “a shot across the bow placing entities on notice that they must monitor and stop the flow of health information to third parties that use tracking technologies integrated into websites and apps.”
The FTC told Information Security Media Group that it will sometimes publicly post information pertaining to frequently requested records under the Freedom of Information Act.
“Hot topics are subjects requested more than three times in a calendar year,” the agency’s website states. The copies of letters sent jointly by FTC/HHS OCR were also recently added to that FTC FOIA webpage.
Regulatory attorney Rachel Rose said the agencies’ letters also serve as an opportunity for entities to correct bad behavior.
“One of the objectives of both agencies is assisting with compliance,” she said. “HHS has a more limited umbrella in terms of scope than the FTC. HIPAA applies only to covered entities, business associates and subcontractors versus the FTC, which has oversight of conduct that impacts consumers.”
Given the language in the letters and agency website postings, as well as guidance issued last December warning about the use of online trackers, Rose predicts that HHS OCR will soon be issuing enforcement actions related to web trackers violations.
HHS OCR officials have also admitted that the agency is investigating the potentially impermissible use of online tracking technologies at HIPAA-regulated entities across the U.S. (see: Why HHS Regulators Are Heavily Scrutinizing Web Tracker Use).
Meanwhile, the FTC has already issued a handful of enforcement actions against telehealth providers in such cases, including large financial settlements with discount drug firm GoodRx and online counseling firm BetterHelp.
Neither the FTC nor HHS OCR immediately responded to ISMG’s requests for additional details about the letters, whether any letter recipients had replied to the correspondence, and plans for imminent potential regulatory enforcement actions against any of the recipients.
None of the letter recipients ISMG contacted for comment about the agencies’ letters immediately responded.