A notice from the Office for Civil Rights at the HHS warned that online tracking technology posed a security risk to personal health information.
The Office for Civil Rights (OCR) at the US Department of Health and Human Services is warning telehealth providers of the security risks that online tracking technologies present to apps and websites that collect and store sensitive health data.
In a notice, OCR director Melanie Fontes Rainer said that recent research and reports were highlighting the risks that tracking technologies like Meta/Facebook pixel and Google Analytics posed to telehealth companies.
The notice said that these tracking technologies are gathering identifiable information on users as they interact with websites and apps in ways that are unavoidable and unknown to users. The data could include health information that is being stored or transmitted through telehealth apps.
If third parties are able to collect this personal health data, it could result in harm. Sensitive information about health conditions, diagnoses, medications, treatments or other health data could be used for identity theft, cause financial loss, or result in discrimination or a number of other negative consequences to the users of these apps and services.
For telehealth providers, accidental disclosures of health information could also violate the HIPAA Privacy, Security, and Breach Notification Rules related to protected health information (PHI) that is transmitted or maintained in any form or medium.
The HIPAA Rules apply when the information that a regulated entity collects through tracking technologies or discloses to third parties (e.g., tracking technology vendors) includes PHI. HIPAA regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to third parties or any other violations of the HIPAA Rules.
Even if a business isn’t covered by HIPAA, the notice warned that companies have an obligation to protect against impermissible disclosures of personal health information under the FTC Act and FTC Health Breach Notification Rule.