FTC, HHS Raise Privacy Concerns About Patient Data Collected by Health Care Providers

The Federal Trade Commission and the Department of Health and Human Services’ Office for Civil Rights have warned that patient information collected by health care providers through third-party tracking tools is vulnerable to unauthorized use.

OCR officials said in a letter to hospitals and telehealth providers that such tracking tools gather identifiable and sensitive patient information often in unavoidable ways and without the knowledge of users. According to the officials, health care providers covered by the Health Insurance Portability and Accountability Act could be violating the law’s prohibition on the use of tracking technologies that could result in unauthorized disclosures, NextGov/FCW reported.

The prohibition on unauthorized disclosure applies even in patient information not obtained through third-party tools, the letter added.

The FTC-HHS letter also emphasized the limits to the information that HIPAA-covered entities can gather through tracking technologies, like Meta Pixel and Google Analytics, on their websites and apps. As outlined in a December 2022 OCR bulletin, the tracking tools can be used for customer service, business planning and development and business management or general administrative activities.  

Telehealth providers not covered by HIPAA are still subject to the Federal Trade Commission Act and the FTC Health Breach Notification Rule regarding impermissible disclosure, the agencies’ letter said.