Legal developments in data, privacy, cybersecurity, and other emerging technology issues

FTC and HHS Alert Parties in the Health Arena that Tracking Technologies Pose Privacy and Security Risks

Last week, the FTC and HHS’ Office for Civil Rights (OCR) sent a joint letter to approximately 130 hospitals and telehealth providers concerning the privacy and security risks related to the use of online tracking technologies integrated into their websites or mobile apps.  The agencies assert that these tracking technologies – such as the Meta/Facebook pixel and Google Analytics – gather identifiable information about users when they interact with a website or mobile app, often without users’ knowledge and in ways that are hard for users to avoid.

In the letter, the agencies identified the risks they perceive exist from the unauthorized disclosure of an individual’s personal health information to third parties. For example, they claim that the disclosure of such information could reveal sensitive information including health conditions, diagnoses, medications, medical treatments, frequency of visits to health care professionals, and where an individual seeks medical treatment.

The HHS previously highlighted these concerns in a bulletin the agency issued late last year that reminded entities covered by the Health Insurance Portability and Accountability Act (HIPAA) of their legal responsibilities to protect health data from unauthorized disclosure. Furthermore, the FTC has taken the position that companies not covered by HIPAA also have a responsibility to protect against the unauthorized disclosure of personal health information—even when a third party developed their website or mobile app. The FTC’s recent enforcement actions against BetterHelp, GoodRx, and Premom, as well as guidance from its Office of Technology, reveal that the agency expects companies to monitor the flow of health information to third parties that use tracking technologies integrated into websites and apps. The FTC claims that the unauthorized disclosure of such information may violate the FTC Act and could constitute a breach of security under the FTC’s Health Breach Notification Rule.

In addition to the heightened attention from the FTC and OCR, private class actions have been filed against health care entities employing tracking or behavioral advertising technology on their websites, which has been reported to be a prevalent practice.  Therefore, it is advisable for health care entities to conduct a legal review to determine how or whether to utilize third-party tracking technologies on their websites or apps.

Topics: FTC, HIPAA