The Federal Trade Commission (FTC) and the Department of Health and Human Services (HHS) have recently issued a joint statement warning hospital systems and telehealth providers about online tracking technologies' potential privacy and security risks. In addition to the joint statement, the two agencies sent a joint letter to approximately 130 hospital systems and telehealth providers to alert them about the risks and concerns of using cookies and other online analytics and advertising technologies.
The letter highlights the key risk that both agencies have prioritized over the last year, which is that the use of these technologies on websites with healthcare content could reveal sensitive information such as "health conditions, diagnoses, medications, medical treatments, frequency of visits to health care professionals, where an individual seeks medical treatment." Notably, the letter highlights the potential harm of discrimination, stigma, mental anguish and other negative consequences to reputation, along with the more traditional harms of identity theft, financial loss and impact on physical safety.
As a reminder, HIPAA-covered entities must comply with the HIPAA Privacy, Security, and Breach Notification Rules, which apply to online trackers whenever the tracking technology results in the disclosure of protected health information (PHI) to third-party vendors. The December 2022 bulletin from the HHS Office for Civil Rights (OCR) provides a good overview of how these rules apply.
Entities that are not covered by HIPAA are still subject to the FTC Act and the FTC Health Breach Notification Rule (HBNR). Disclosing health information to a third-party tracking vendor without authorization may violate the FTC Act and, in some cases, qualify as a breach of security under the HBNR. The FTC has initiated several enforcement actions against companies under the HBNR in the last few months.
This latest statement and letter are just another reminder that companies should carefully audit their websites and mobile apps: understand which tracking technologies are present, what information those technologies collect and disclose (and what that information may reveal about an individual), and take steps to address the FTC and HHS concerns ahead of what will inevitably be more enforcement.