Hospitals and telehealth providers have been warned by the Federal Trade Commission (FTC) and the Office for Civil Rights (OCR) regarding online tracking technology. According to the FTC and OCR, the technology may be impermissibly disclosing consumers’ sensitive personal health data to third parties.

The two agencies sent the joint letter to approximately 130 hospital systems and telehealth providers to alert them about the risks and concerns about the use of technologies, such as the Meta/Facebook pixel and Google Analytics, that can track a user’s online activities. These tracking technologies gather identifiable information about users, usually without their knowledge and in ways that are hard for users to avoid, as users interact with a website or mobile app.

In their letter, both agencies reiterated the risks posed by the unauthorized disclosure of an individual’s personal health information to third parties. For example, the disclosure of such information could reveal sensitive information including health conditions, diagnoses, medications, medical treatments, frequency of visits to health care professionals and where an individual seeks medical treatment.

Entities covered by the Health Insurance Portability and Accountability Act (HIPAA) were reminded of their responsibilities to protect health data from unauthorized disclosure under the law. Companies not covered by HIPAA still have a responsibility to protect against the unauthorized disclosure of personal health information — even when a third party developed their website or mobile app.