FTC and HHS Express Concern Over Health Data Disclosed by Online Tracking Technologies

  • The FTC and HHS Office of Civil Rights sent a joint letter to approximately 130 hospital systems and telehealth providers to warn them about the risks of unauthorized disclosure of personal health information (PHI) associated with online tracking technologies such as Google Analytics.
  • In the letter, the agencies warn that these technologies track users’ online activities and can gather their PHI as they interact with a website or mobile app, often in a way that is unavoidable and undetectable. The FTC and HHS letters also remind the recipients of their obligations under HIPAA, the FTC Act, and the FTC’s Health Breach Notification Rule to protect against impermissible disclosure of PHI.
  • Concerns over tracking technologies have gained increasing attention from law enforcement recently. As reported last week, Missouri AG Andrew Bailey filed a lawsuit against several tax preparation companies for allegedly using tracking technology to collect consumers’ sensitive data, which is then used for advertising purposes.