Regulators warn hospitals and telehealth companies about privacy risks of Meta, Google tracking tech

Federal regulators are warning hospital systems and telehealth providers about the data privacy risks of using third-party tracking technologies.

These services, like Meta Pixel or Google Analytics, could violate the Health Insurance Portability and Accountability Act (HIPAA) or Federal Trade Commission (FTC) data security rules, officials said.

The FTC and the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) issued a rare joint release announcing that 130 hospital systems and telehealth providers received a letter warning them about the data privacy and security risks related to the use of online tracking technologies integrated into their websites or mobile apps.

These technologies may be impermissibly disclosing consumers’ sensitive personal health data to third parties, the FTC and OCR cautioned in the letter. Agency officials urged providers and telehealth companies to consider a "privacy and security check-up at their business" to ensure they are complying with applicable laws.

The agencies specifically called out Meta/Facebook Pixel and Google Analytics technologies that can track a user’s online activities. These tracking technologies gather identifiable information about users, usually without their knowledge and in ways that are hard for users to avoid, as users interact with a website or mobile app, agency officials said.

“Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital’s website,” said Melanie Fontes Rainer, OCR director. “OCR continues to be concerned about impermissible disclosures of health information to third parties and will use all of its resources to address this issue.”

HIPAA-regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to third parties or any other violations of the HIPAA rules, OCR officials said in the letter (PDF).

An investigation by The Markup published in June 2022 detected Meta's Pixel tracker on about a third of large hospitals’ websites. That report found evidence that, in some instances, the sensitive data transferred to third parties met the criteria for a HIPAA violation.

In a more recent study published in Health Affairs, researchers analyzed 3,700 hospital homepages and found that almost every hospital's homepage is sending visitors' data to third parties.

“When consumers visit a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a statement. “The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue doing everything in our powers to protect consumers’ health information from potential misuse and exploitation.”

In the letter, the FTC and OCR reiterated the risks posed by the unauthorized disclosure of an individual’s personal health information to third parties. For example, the disclosure of such information could reveal sensitive information including health conditions, diagnoses, medications, medical treatments, frequency of visits to healthcare professionals and where an individual seeks medical treatment.

Impermissible disclosures of personal health information may result in identity theft, financial loss, discrimination, stigma, mental anguish or other serious negative consequences to the reputation, health or physical safety of the individual or to others," agency officials wrote in the letter.

OCR has called out these technologies in the past. In April, the agency issued a bulletin reminding healthcare organizations covered by HIPAA of their responsibilities to protect health data from unauthorized disclosure under the law.  

Since that time, OCR confirmed it has active investigations nationwide to ensure compliance with HIPAA.

The agencies also called out digital health apps that collect sensitive user information.

"Even if you are not covered by HIPAA, you still have an obligation to protect against impermissible disclosures of personal health information under the FTC Act and the FTC Health Breach Notification Rule," the agencies said in the joint letter.

That applies to digital health companies that used an outside company to design their website or apps, noted Lesley Fair, a senior attorney with the FTC's Bureau of Consumer Protection, in a blog post.

"The compliance buck still stops with you. Furthermore, your company is legally responsible even if you don’t use the data obtained through tracking technologies for marketing purposes," Fair wrote in the blog post.

The FTC recently fined Teladoc-owned mental health app BetterHelp, drug discount provider GoodRx and Easy Healthcare, operator of the fertility app Premom, for allegedly violating the FTC Health Breach Notification Rule. The agency also issued recent guidance putting companies on notice that they must monitor the flow of health information to third parties that use tracking technologies integrated into websites and apps. 

In May, the FTC issued proposed changes to its Health Breach Notification Rule to underscore the rule’s applicability to health apps. The changes aim to protect consumers' data privacy and provide more transparency about how companies collect their health information, the agency said.

Many health systems, including Advocate Aurora Health and WakeMed Health and Hospitals, are now facing patient-led, class-action lawsuits related to sharing their personally identifying information through website trackers.