FTC, OCR send warning letter to hospitals about online tracking pixels

The Federal Trade Commission joined the U.S. Health and Human Services Office for Civil Rights this week in reminding healthcare organizations about their responsibilities for third-party disclosures of protected health information under HIPAA, the FTC Act and the FTC Health Breach Notification Rule.

WHY IT MATTERS 

While OCR has addressed the privacy and security risks related to healthcare organizations that knowingly or unknowingly use third-party tracking tools that can analyze, gather and share sensitive medical information with advertising partners under HIPAA, the FTC is also using its authority to protect customers’ health information from “potential misuse and exploitation.”

“These tracking technologies gather identifiable information about customers, usually without their knowledge and in ways that are hard for customers to avoid, as customers interact with a website or mobile app,” the agencies said in their announcement about the joint letter, posted on the HHS website, on Thursday.

They go on to describe how integrated tools on hospital and telemedicine websites can not only send PHI data directly back, but third parties like Google and Meta/Facebook may continue to track and gather information about patients even after they navigate away.

Several lawsuits allege that online tracking companies share PHI with their advertising partners, which target the patient with ads and other content. The class action lawsuits may also seek that any profit that hospitals may have made from selling the data be paid to patient victims, damages which some Louisiana hospitals may be facing.

The letter reiterates that HIPAA Rules apply when the information that a regulated entity collects through tracking technologies or discloses to third parties (e.g., tracking technology vendors) includes PHI.

In December 2022, OCR released a bulletin about the use of online tracking technologies by HIPAA-regulated entities, which provides a general overview of how the HIPAA Rules apply.

The FTC adds a warning about consumer protection laws.

“Even if you’re not covered by HIPAA, you still have an obligation to protect against impermissible disclosures of personal health information under the FTC Act and the FTC Health Breach Notification Rule.”

“This is true even if you relied upon a third party to develop your website or mobile app and even if you don’t use the information obtained through use of a tracking technology for any marketing purposes.”

THE LARGER TREND

When OCR issued guidance on the use of online tracking tools, it reminded regulated entities of their obligations to comply with HIPAA’s Privacy, Security and Breach Notification Rules and explained what steps healthcare organizations and others must take to protect PHI on user-authenticated and other applicable webpages and forms.

“In these circumstances, regulated entities must ensure that the disclosures made to such vendors are permitted by the privacy rule and enter into a business associate agreement with these tracking technology vendors to ensure that PHI is protected in accordance with the HIPAA Rules,” OCR said in the bulletin.

OCR said it continues to be concerned about disclosures of health information to third parties.

“Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital’s website,” Melanie Fontes Rainer, OCR’s director, said in a statement about the joint letter with the FTC.

ON THE RECORD

“When customers go to a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a statement.

“The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue doing everything in our powers to protect customers’ health information from potential misuse and exploitation.”

Andrea Fox is senior editor of Healthcare IT News.

Email: afox@himss.org


Healthcare IT News is a HIMSS Media publication.
