An explosive issue is brewing among regulators and privacy lawyers who are coming after healthcare organizations that use website tracking. You may be violating HIPAA and FTC privacy rules right now and not be aware of it.
In April we wrote about the Office for Civil Rights (OCR) view that web trackers present a risk to patient privacy and security; see HIPAA Enforcement of Website Tracking Breaches. OCR Director Melanie Fontes Rainer has stated that website tracking in healthcare is a top OCR priority and that they’re “looking into organizations across the country.”
The Federal Trade Commission (FTC) is now weighing in, joining with OCR to pursue organizations that permit unauthorized disclosures of personal information with website trackers. The unauthorized disclosure of such information may violate Section 5 of the FTC Act and could constitute a breach of security under the FTC’s Health Breach Notification Rule that applies to organizations not covered by HIPAA.
Note recent FTC enforcement actions against BetterHelp, GoodRx and Premom. The FTC’s Office of Technology has also published Guidance (FTC Guidance) about website tracking, putting companies on notice that they must monitor the flow of health information to third parties that use tracking technologies integrated into websites and apps.
Web Tracking Lawsuits on the Rise
Private lawsuits are also gaining ground. On August 11, 2023 Advocate Aurora Health agreed to pay a whopping $12.25 million to settle class action claims that the Illinois-based hospital chain invaded patient privacy by using tracking codes on its websites and patient portal. The proposed settlement is awaiting court approval. This is only one example – the first and largest publicly known settlement of a website tracking claim – many more class action lawsuits are in the pipeline.
Healthcare Organizations Double Down to Preserve Web Trackers
Website tracking technology is everywhere on the internet even if you don’t see it. Google and Meta (Facebook/Instagram) offer tracking code for site operators to embed in their own pages because the analytic information is a source of revenue. In practice a tracker is a small JavaScript snippet or a one-pixel image added to a page; on every page load the visitor’s browser sends the page URL, the visitor’s IP address and any tracker cookies to Google’s or Meta’s servers. People think internet usage is free, but user information is sold to third parties, like advertisers and other sellers. A person searches for shoes on the internet and suddenly receives shoe ads across every site. But in healthcare, the user information can be protected health information (PHI) under HIPAA and should not be disclosed without authorization.
Remember that HIPAA lists eighteen “individual identifiers”; health information tied to any one of them is PHI. Examples include a name, birth date, email address, phone number, or IP (Internet Protocol) address. Because a patient portal URL or a page title such as an appointment or condition page is itself health information, pairing it with the visitor’s IP address is what turns an ordinary analytics hit into a PHI disclosure.
Although federal regulators are raising pressure on healthcare organizations that use web trackers, leading healthcare organizations are pushing back, arguing that OCR’s Online Tracking Guidance (OCR Guidance) is too broad. The argument has flared up over the last few months with public letters between opposing sides.
Federal regulators and the American Hospital Association (AHA) have hardened their positions. On May 22 the AHA wrote a letter to OCR asking them to suspend the OCR Guidance. A key issue for the AHA is that they believe an IP address should not be considered an “individual identifier” within the definition of protected health information under HIPAA. The AHA also suggested that the issue was “more suited to regulation by the Federal Trade Commission — not OCR” and that OCR should work with the FTC.
OCR and FTC Team Up and Respond
On this last point the AHA got its wish. On July 20, the FTC and OCR sent a joint letter to approximately 130 hospital systems and telehealth providers alerting them about the risks and concerns about the use of technologies, such as the Meta/Facebook pixel and Google Analytics, that can track a user’s online activities.
According to the letter, website trackers gather information about users “usually without their knowledge and in ways that are hard for users to avoid, as users interact with a website or mobile app.” The user’s private information is then disclosed to the tech company itself, and to third parties that use it for marketing.
OCR and FTC assert:
“Such disclosures can reveal sensitive information including health conditions, diagnoses, medications, medical treatments, frequency of visits to health care professionals, where an individual seeks medical treatment, and more. In addition, impermissible disclosures of personal health information may result in identity theft, financial loss, discrimination, stigma, mental anguish, or other serious negative consequences to the reputation, health, or physical safety of the individual or to others.”
Follow the HIPAA Security Rule
The website tracking debate is another example of how the law and policy makers are racing to catch up with the explosive growth of tech. If you are an organization that handles personal health information, you should closely examine your website, email service provider, patient portal, telehealth provider, etc. and find out whether website trackers are present. Check the authenticated pages of the patient portal and the appointment-scheduling and telehealth flows, not only the public home page: those are the pages whose URLs and titles reveal that a particular person sought care, and the Advocate Aurora Health claims involved the patient portal as well as the public site.
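One way to carry out that inventory on a captured copy of your pages, as an added example that is not part of the original post: a small Python scanner that checks crawled HTML for the Google Analytics, Google Tag Manager and Meta pixel loaders, captures the property, container or pixel ID, and separates hits on patient-portal paths from hits on public pages. The script locations are the publicly documented ones for those tools, but the signature list is not exhaustive, and the sensitive-path prefixes and the sample pages (including their IDs) are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Loader URLs and init calls of the trackers named in the OCR/FTC letter.
# The script locations are the publicly documented ones for Google Analytics,
# Google Tag Manager and the Meta pixel; the pattern set is an assumption of
# this example and is not exhaustive.
TRACKER_SIGNATURES = {
    "Google Analytics (gtag.js)":
        re.compile(r"googletagmanager\.com/gtag/js\?id=([A-Za-z0-9-]+)"),
    "Google Analytics (analytics.js)":
        re.compile(r"google-analytics\.com/analytics\.js"),
    "Google Tag Manager container":
        re.compile(r"googletagmanager\.com/gtm\.js\?id=(GTM-[A-Za-z0-9]+)"),
    "Meta pixel loader (fbevents.js)":
        re.compile(r"connect\.facebook\.net/[A-Za-z_]+/fbevents\.js"),
    "Meta pixel init":
        re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d+)['\"]"),
    "Meta pixel <noscript> image":
        re.compile(r"facebook\.com/tr\?id=(\d+)"),
}

# Path prefixes that serve authenticated or appointment-related pages, where
# the page URL alone can reveal that a specific person sought care. Assumed
# for this example; substitute your own portal paths.
SENSITIVE_PREFIXES: Tuple[str, ...] = ("/portal", "/mychart", "/appointments", "/telehealth")


@dataclass(frozen=True)
class Finding:
    page: str                    # path of the page the tracker was found on
    tracker: str                 # which signature matched
    identifier: Optional[str]    # property / container / pixel ID, if captured


def scan_html(page: str, html: str) -> List[Finding]:
    """Return one Finding per tracker signature present in a page's HTML."""
    findings: List[Finding] = []
    for name, pattern in TRACKER_SIGNATURES.items():
        match = pattern.search(html)
        if match:
            ident = match.group(1) if match.groups() else None
            findings.append(Finding(page, name, ident))
    return findings


def audit(pages: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Scan every page and split findings by whether the page is PHI-bearing."""
    report: Dict[str, List[Finding]] = {"sensitive": [], "public": []}
    for path, html in pages.items():
        bucket = "sensitive" if path.startswith(SENSITIVE_PREFIXES) else "public"
        report[bucket].extend(scan_html(path, html))
    return report


# Constructed sample pages standing in for crawled HTML. The IDs are placeholders.
SAMPLE_PAGES = {
    "/": """<html><head>
  <script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE123"></script>
  <script>window.dataLayer = window.dataLayer || [];
    function gtag(){dataLayer.push(arguments);}
    gtag('js', new Date()); gtag('config', 'G-EXAMPLE123');</script>
</head><body>Welcome to the hospital</body></html>""",
    "/portal/appointments": """<html><head>
  <script>!function(f,b,e,v,n,t,s){/* Meta pixel loader */}
    (window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
    fbq('init', '000000000000000'); fbq('track', 'PageView');</script>
  <noscript><img height="1" width="1" style="display:none"
    src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
</head><body>Upcoming visit: Oncology clinic, 14 Sep 2023</body></html>""",
    "/privacy": "<html><body>No third-party scripts on this page.</body></html>",
}


if __name__ == "__main__":
    for bucket, findings in audit(SAMPLE_PAGES).items():
        print(f"== {bucket} pages ==")
        for f in findings:
            print(f"  {f.page}: {f.tracker} id={f.identifier}")
```

Run it over HTML captured after logging in to the portal, not only the public pages, because the portal is where a tracked URL or page title most readily becomes PHI. A static scan also misses tags that Google Tag Manager injects at runtime and beacons fired by other scripts, so confirm the result by watching the browser’s network requests to googletagmanager.com, google-analytics.com, connect.facebook.net and facebook.com/tr while using the site as a patient would.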
You need to do this to comply with federal law, whether HIPAA or FTC rules, but also to prepare for and defend against potential lawsuits. Strengthening privacy and security protections around patients and customers is also a good business practice to earn and maintain trust.
Although website trackers are everywhere, you are not helpless. You can change your settings and adapt the tools you use. Both Google Analytics and Meta offer settings that limit what their tools collect, but the surest remedy for a page that carries PHI, such as a patient portal or appointment page, is to remove the tracking code from that page altogether and re-check that no tracker requests are sent from it. If you handle PHI or other personal information, whether you’re covered by HIPAA or not, you should consider opting out to avoid costly investigations or lawsuits.