The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

OCR, FTC Publish Online Tracking Technology Warning Letters

The Department of Health and Human Services’ Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) have published the letters that were sent to hospital systems and telehealth providers in July 2023 advising them about the privacy risks associated with website tracking technologies such as Meta Pixel and Google Analytics.

The widespread use of these tools on hospital websites and the risk of impermissible disclosures of protected health information (PHI) prompted OCR to issue guidance for HIPAA-regulated entities in December 2022. OCR stated in the guidance that these tools are not permitted under HIPAA unless consent is obtained via HIPAA authorizations or there is a valid business associate relationship with the technology provider and a corresponding HIPAA-compliant business associate agreement (BAA). The FTC has also taken an interest in these tools and has taken action against non-HIPAA-regulated entities for alleged violations of the FTC Act and the FTC’s Health Breach Notification Rule with respect to tracking technologies.

The July 2023 letters explain that serious privacy and security risks have been identified with online tracking technologies. The recipients were warned that their websites and mobile applications may have tracking tools in place that could be disclosing consumers’ sensitive personal health information to third parties. The types of information disclosed would depend on where the tracking technologies have been added. If they have been added to appointment scheduling apps or behind the logins of patient portals, they could disclose highly sensitive information to third parties, such as health conditions, diagnoses, medications, treatment information, treatment locations, frequency of visits, and more, along with identifiers that link that information to individuals. The disclosed information could be used by third parties for advertising purposes and could potentially result in identity theft, financial loss, discrimination, stigma, mental anguish, or other serious negative consequences to the reputation, health, or physical safety of the individual or to others.

The recipients of the letters, which include a diverse range of HIPAA-regulated entities and non-HIPAA-covered entities that collect health information, have been advised to review OCR and FTC guidance, assess the extent to which tracking technologies are in use, and ensure they are fully protecting the privacy and security of individuals’ health information.

The recipients of the letters have now been made public in the 387-page PDF document jointly published by OCR and FTC on their websites. While OCR and the FTC had reason to issue the letters to these organizations, receipt of a letter does not mean that tracking technologies are currently being used or that HIPAA, the FTC Act, or the Health Breach Notification Rule have been violated. The recipients of the letters are listed below.

ADHD Online, MI | DearBrightly, CA | Kick Health, WA | Peace Health, WA | Strut Health, TX
Advocate Aurora Health, WI | Done, CA | KwikMed, AZ | Penn Medicine Chester County Hospital, PA | Talkiatry, NY
Alfie, NY | Dorsal, NY | LCMC Health System, LA | Penn Medicine, PA | Talkspace, NY
Alpha, CA | Duke University Health System, NC | Lemonaid, CA | Picnic, NY | Tampa General Hospital, FL
Apostrophe, CA | El Camino Hospital, CA | Loyola Medicine, IL | Piedmont Healthcare, GA | Texas Health Resources, TX
Array Behavioral Care, NJ | Eleanor Health, MA | Mantra Health, NY | Plume, CO | The Wellness Company, RI
Ascension, MO | Elektra Health, NY | Marshall Medical Center, CA | PRJKT RUBY, AZ | Thomas Jefferson Hospital, PA
Barnes-Jewish Hospital, MO | Everlywell, TX | MedStar Health, MD | Push Health, CA | Tufts Medical Center, MA
Barton Healthcare System, CA | Facet, NY | Memorial Healthcare System, FL | QCare Plus, FL | UC Davis Health, CA
Beaumont Health System, MI | Favor, CA | MemorialCare Long Beach Medical Center, CA | Quick MD, CA | UCLA Reagan Medical Center, CA
Bellin Health, WI | Folx, MA | Mercy Medical Center, MD | Relief Labs, Inc. d/b/a Clearing, NY | UCSF Office of Legal Affairs, CA
Bicycle Health, MA | Found, CA | Middlesex Health, CT | Remedy Psychiatry, CA | UnityPoint Health, IA
Bon Secours Mercy Health, OH | Froedtert Hospital and the Medical College of Wisconsin, WI | Mindbloom, FL | Renown Health, NV | University Hospitals Cleveland Medical Center, OH
Boulder Care, OR | Gennev, WA | Minded, NY | Riverside Health System, VA | University of Chicago Medicine, IL
Brigham and Women’s Faulkner Hospital, MA | Grady Health System, GA | Mistr, FL | Rochester Regional Health, NY | University of Iowa Hospitals and Clinics, IA
Brightline, CA | Henry Ford Hospital, MI | MultiCare Health System, WA | Roman, NY | University of Kansas Health System, KS
Brightside, CA | Hers, CA | Musely, CA | Rush University Medical Center, IL | University of Pittsburgh Medical Center, PA
Calibrate, NY | Hims, CA | My Ketamine Home, FL | Salem Health, OR | University of Texas Southwestern Medical Center, TX
CallonDoc, TX | Hone Health, NY | Nemours Children’s Health, FL | Sanford USD Medical Center, SD | University of Vermont Health Network, VT
Cedars-Sinai Medical Center, CA | Honor Health, AZ | New York Presbyterian Hospital, NY | Sarasota Memorial Health Care System, FL | Wexner Medical Center, OH
Chesapeake Regional Healthcare, VA | Houston Methodist, TX | Northwestern Medicine Central DuPage Hospital, IL | Scripps Memorial Hospital La Jolla – Scripps Health, CA | Willis-Knighton Health System, LA
Children’s Wisconsin, WI | Inova Health System, VA | Northwestern Memorial Healthcare, IL | Sharp Healthcare, CA | Wisp, CA
Cone Health, NC | Invigor Medical, WA | Nue Life, FL | Sparrow Health Systems, MI | Wondermed, CA
Cove, NY | Johns Hopkins Hospital, MD | Nurx, CA | St. Joseph Mercy Health System, MI | Workit, FL
Covenant Health, TN | K Health, NY | Oar, NY | St. Luke’s Health System, ID | Yale New Haven Health, CT
Curology, CA | Keeps, NY | Ophelia, NY | St. Tammany Health System, LA

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com