FTC, OCR send warning letter to hospitals about online tracking pixels


The Federal Trade Commission joined the U.S. Health and Human Services Office for Civil Rights this week in reminding healthcare organizations about their responsibilities for third-party disclosures of protected health information under HIPAA, the FTC Act and the FTC Health Breach Notification Rule.


While OCR has addressed the privacy and security risks associated with healthcare organizations that knowingly or unknowingly use third-party tracking tools that may analyze, collect and share sensitive medical data with marketing partners under HIPAA, the FTC is also using its authority to protect consumers’ health information from “potential misuse and exploitation.”

“These tracking technologies gather identifiable information about users, usually without their knowledge and in ways that are hard for users to avoid, as users interact with a website or mobile app,” the agencies said in their announcement about the joint letter, posted on the HHS website, on Thursday.

They go on to explain how integrated tools on hospital and telemedicine websites can not only send PHI data directly back, but third parties like Google and Meta/Facebook may continue to track and gather information about patients even after they navigate away.

A number of lawsuits allege that online tracking companies share PHI with their marketing partners, which target the patient with ads and other content. The class action lawsuits could seek that any profit that hospitals may have made from selling the information be paid to patient victims, damages which some Louisiana hospitals may be facing.

The letter reiterates that HIPAA Rules apply when the information that a regulated entity collects through tracking technologies or discloses to third parties (e.g., tracking technology vendors) includes PHI.

In December 2022, OCR released a bulletin about the use of online tracking technologies by HIPAA-regulated entities that provides a general overview of how the HIPAA Rules apply.

The FTC offers a warning about consumer protection laws.

“Even if you are not covered by HIPAA, you still have an obligation to protect against impermissible disclosures of personal health information under the FTC Act and the FTC Health Breach Notification Rule.”

“This is true even if you relied upon a third party to develop your website or mobile app and even if you do not use the information obtained through use of a tracking technology for any marketing purposes.”


When OCR issued guidance on the use of online tracking tools, it reminded regulated entities of their obligations to comply with HIPAA’s Privacy, Security and Breach Notification Rules and outlined what steps healthcare organizations and others must take to protect PHI on user-authenticated and other relevant webpages and forms.

“In these circumstances, regulated entities must ensure that the disclosures made to such vendors are permitted by the Privacy Rule and enter into a business associate agreement with these tracking technology vendors to ensure that PHI is protected in accordance with the HIPAA Rules,” OCR said in the bulletin.

OCR said it continues to be concerned about disclosures of health information to third parties.

“Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital’s website,” Melanie Fontes Rainer, OCR’s director, said in a statement about the joint letter with the FTC.


“When consumers visit a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a statement.

“The FTC is again serving notice that companies should exercise extreme caution when using online tracking technologies and that we will continue doing everything in our powers to protect consumers’ health information from potential misuse and exploitation.”

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.

