FTC, OCR send warning letter to hospitals about online tracking pixels
The Federal Trade Commission joined the U.S. Health and Human Services Office for Civil Rights this week in reminding healthcare organizations about their obligations for third-party disclosures of protected health information under HIPAA, the FTC Act and the FTC Health Breach Notification Rule.
WHY IT MATTERS
While OCR has addressed the privacy and security risks related to healthcare organizations that knowingly or unknowingly use third-party tracking tools that can analyze, collect and share sensitive medical data with advertising partners under HIPAA, the FTC is also using its authority to protect consumers' health information from "potential misuse and exploitation."
"These tracking technologies gather identifiable information about users, usually without their knowledge and in ways that are hard for users to avoid, as users interact with a website or mobile app," the agencies said in their announcement about the joint letter, posted on the HHS website, on Thursday.
They go on to describe how integrated tools on hospital and telemedicine websites can not only send PHI data directly back, but third parties like Google and Meta/Facebook may continue to track and collect information about patients even after they navigate away.
Several lawsuits allege that online tracking companies share PHI with their advertising partners, which target the patient with ads and other content. The class action lawsuits may also seek that any profit hospitals may have made from selling the data be paid to patient victims, damages which some Louisiana hospitals may be facing.
The letter reiterates that HIPAA Rules apply when the information that a regulated entity collects through tracking technologies or discloses to third parties (e.g., tracking technology vendors) includes PHI.
In December 2022, OCR released a bulletin about the use of online tracking technologies by HIPAA-regulated entities that provides a general overview of how the HIPAA Rules apply.
The FTC adds a warning about consumer protection laws.
"Even if you are not covered by HIPAA, you still have an obligation to protect against impermissible disclosures of personal health information under the FTC Act and the FTC Health Breach Notification Rule."
"This is true even if you relied upon a third party to develop your website or mobile app and even if you do not use the information obtained through use of a tracking technology for any marketing purposes."
THE LARGER TREND
When OCR issued guidance on the use of online tracking tools, it reminded regulated entities of their obligations to comply with HIPAA's Privacy, Security and Breach Notification Rules and explained what steps healthcare organizations and others must take to protect PHI on user-authenticated and other applicable webpages and forms.
"In these circumstances, regulated entities must ensure that the disclosures made to such vendors are permitted by the Privacy Rule and enter into a business associate agreement with these tracking technology vendors to ensure that PHI is protected in accordance with the HIPAA Rules," OCR said in the bulletin.
OCR said it continues to be concerned about disclosures of health information to third parties.
"Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital's website," Melanie Fontes Rainer, OCR's director, said in a statement about the joint letter with the FTC.
ON THE RECORD
"When consumers visit a hospital's website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties," said Samuel Levine, director of the FTC's Bureau of Consumer Protection, in a statement.
"The FTC is again serving notice that firms need to exercise extreme caution when using online tracking technologies and that we will continue doing everything in our powers to protect consumers' health information from potential misuse and exploitation."
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.
