Warning Letters Issued Jointly by OCR and FTC Concerning Online Tracking Technology

The Federal Trade Commission (FTC) and the Department of Health and Human Services’ Office for Civil Rights (OCR) have sent letters to hospital systems and telehealth companies in July 2023 informing them about the privacy risks connected with website tracking technologies like Google Analytics and Meta Pixel.

The extensive usage of these tools on hospital sites and the chance of impermissible disclosures of protected health information (PHI) made OCR release guidance for HIPAA-covered entities in December 2022. OCR mentioned in the guidance that it is not permitted to use these tools under HIPAA except if permission is acquired through HIPAA authorizations or when there is a legal business associate relationship entered with the technology company and an equivalent HIPAA-compliant business associate agreement (BAA). The FTC has likewise reviewed these tools and charged non-HIPAA-covered entities with violations of the FTC’s Health Breach Notification Rule and the FTC Act for using tracking technologies.

The July 2023 letters make clear that critical privacy and security problems were discovered with web tracking technologies and the people receiving the letters were cautioned that their web pages and mobile apps may have these tracking tools that may be sharing consumers’ sensitive personal health data to third parties. The kinds of data exposed are dependent on the web page that the tracking technologies were included. In case they’ve been put into consultation scheduling apps or inside the logins of patient websites they could expose highly sensitive data to third parties including medical conditions, diagnoses, prescription drugs, treatment data, treatment areas, frequency of visits, and more, together with identifiers that associate that data to people. The exposed data may be employed by third parties for marketing purposes and can possibly bring about financial loss, identity theft, discrimination, judgment, psychological anguish, or other critical negative effects to the reputation, wellness, or physical security of the person or to other people.

The letter recipients, which consist of a varied selection of HIPAA-regulated entities and non-HIPAA-regulated entities that acquire health data, were informed to check OCR and FTC guidance, evaluate the degree to which tracking codes are added, and make sure they are totally safeguarding the privacy and security of health data of individuals.

The letter recipients are now open to the public in the 387-page PDF file https://www.hhs.gov/sites/default/files/ocr-ftc-letters-re-use-online-tracking-technologies.pdf jointly released by FTC and OCR on their web pages. Although there is a reason why OCR and the FTC had to issue the letters to these companies, acceptance of a letter doesn’t suggest that tracking technologies are presently being utilized or that the FTC Act, HIPAA, or the Health Breach Notification Rule were violated. The healthcare organizations that received the letters are mentioned below.

Advocate Aurora Health, WI
ADHD Online, MI
Alfie, NY
Alpha, CA
Apostrophe, CA
Array Behavioral Care, NJ
Ascension, MO
Barnes-Jewish Hospital, MO
Barton Healthcare System, CA
Beaumont Health System, MI
Bellin Health, WI
Bicycle Health, MA
Bon Secours Mercy Health, OH
Boulder Care, OR
Brigham and Women’s Faulkner Hospital, MA
Brightline, CA
Brightside, CA
Calibrate, NY
CallonDoc, TX
Cedars-Sinai Medical Center, CA
Chesapeake Regional Healthcare, VA
Children’s Wisconsin, WI
Cone Health, NC
Cove, NY
Covenant Health, TN
Curology, CA
DearBrightly, CA
Dorsal, NY
Duke University Health System, NC
Eleanor Health, MA
Elektra Health, NY
El Camino Hospital, CA
Everlywell, TX
Facet, NY
Favor, CA
Folx, MA
Found, CA
Froedtert Hospital and the Medical College of Wisconsin, WI
Gennev, WA
Grady Health System, GA
Henry Ford Hospital, MI
Hers, CA
Hims, CA
Hone Health, NY
Honor Health, AZ
Houston Methodist, TX
Inova Health System, VA
Invigor Medical, WA
Johns Hopkins Hospital, MD
K Health, NY
Keeps, NY
Kick Health, WA
KwikMed, AZ
Lemonaid, CA
LCMC Health System, LA
Loyola Medicine, IL
Mantra Health, NY
Marshall Medical Center, CA
MedStar Health, MD
Memorial Healthcare System, FL
MemorialCare Long Beach Medical Center, CA
Mercy Medical Center, MD
Mindbloom, FL
Minded, NY
Mistr, FL
MultiCare Health System, WA
Musely, CA
My Ketamine Home, FL
Nemours Children’s Health, FL
New York Presbyterian Hospital, NY
Nue Life, FL
Nurx, CA
Oar, NY
Ophelia, NY
Penn Medicine, PA
Penn Medicine Chester County Hospital, PA
Picnic, NY
Piedmont Healthcare, GA
Plume, CO
Push Health, CA
QCare Plus, FL
Quick MD, CA
Remedy Psychiatry, CA
Renown Health, NV
Relief Labs, Inc. d/b/a Clearing, NY
Riverside Health System, VA
Rochester Regional Health, NY
Roman, NY
Rush University Medical Center, IL
Salem Health, OR
Sanford USD Medical Center, SD
Sarasota Memorial Health Care System, FL
Scripps Memorial Hospital La Jolla – Scripps Health, CA
Sharp Healthcare, CA
Sparrow Health Systems, MI
St. Joseph Mercy Health System, MI
St. Luke’s Health System, ID
St. Tammany Health System, LA
Strut Health, TX
Talkiatry, NY
Talkspace, NY
Tampa General Hospital, FL
Texas Health Resources, TX
The Wellness Company, RI
Thomas Jefferson Hospital, PA
Tufts Medical Center, MA
UCLA Reagan Medical Center, CA
UC Davis Health, CA
UCSF Office of Legal Affairs, CA
UnityPoint Health, IA
University Hospitals Cleveland Medical Center, OH
University of Chicago Medicine, IL
University of Iowa Hospitals and Clinics, IA
University of Kansas Health System, KS
University of Pittsburgh Medical Center, PA
University of Texas Southwestern Medical Center, TX
University of Vermont Health Network, VT
Wexner Medical Center, OH
Willis-Knighton Health System, LA
Wisp, CA
Wondermed, CA
Workit, FL
Yale New Haven Health, CT

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone