Protecting Consumer Health Information From Misuse and Exploitation
By Melissa M. Bayona Torres, Ferraiuoli LLC

Websites or mobile apps used by some hospitals and telemedicine service providers may be sharing sensitive personal health information of their patients with third parties. Therefore, the Federal Trade Commission (FTC) and the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services issued a joint statement addressing the security and privacy risks associated with the use of online tracking technologies.
The two agencies sent the joint letter to approximately 130 hospital systems and telehealth providers to alert them to the risks and concerns associated with the use of technologies, such as the Meta/Facebook pixel and Google Analytics, that can track a user’s online activities. These tracking technologies gather identifiable information about users, usually without their knowledge and in ways that are hard for users to avoid, as users interact with a website or mobile app.
The statement emphasizes that websites or mobile apps used by some hospitals and telemedicine service providers may be sharing sensitive personal health information of their patients, such as health conditions, diagnoses, medications, medical treatments, and frequency of visits to healthcare professionals. This could lead to a number of risks to the individual whose health information has been shared, ranging from privacy or financial risks to mental or health risks.
“When consumers visit a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue doing everything in our powers to protect consumers’ health information from potential misuse and exploitation.”
The statement also discusses the responsibilities of hospitals, telemedicine service providers, and intermediaries in handling personal health information:
- Health Insurance Portability and Accountability Act (HIPAA) regulated entities must not use tracking technologies in a manner that results in impermissible disclosures of personal health information to third parties. This includes disclosing personal health information to tracking technology providers for marketing or advertising purposes without the individual's prior authorization.
- The obligation to protect personal health information and prevent impermissible disclosures is not unique to HIPAA-regulated entities. Under the FTC Act, this obligation also extends to other entities that handle personal health information, even if they are not HIPAA-regulated entities.
- Entities that handle or obtain personal health information must monitor the flow and movement of such data, especially when it is shared with third parties through technologies integrated within websites and/or mobile applications.
By following these tips, hospitals, telemedicine service providers, and intermediaries can help to protect the privacy and security of personal health information.
This article was originally published in Spanish in Microjuris on August 14, 2023.
