Web Tracking Tools Collect PHI, Put Patients at Risk
Collectors of Online Patient Data Must Observe HIPAA and FTC Requirements for Data Privacy, or Suffer the Consequences
For nearly a year, the HHS Office for Civil Rights and the Federal Trade Commission Bureau of Consumer Protection have been educating members of the healthcare industry about the many risks associated with the use of online tracking tools on websites and mobile applications. Now, we are witnessing a shift to more aggressive compliance enforcement and more frequent penalties.
The alarm has sounded, and it’s time for CISOs and other security executives to make sure they clearly understand their organizations’ uses of online tracking tools and to address the use of those tools in their HIPAA and FTC compliance initiatives. This includes providers who outsource tracking to third-party companies.
How Web Tracking Tools Collect PHI
Generally, tracking technology consists of scripts, cookies, or similar code that companies embed in their websites or mobile apps to gather information about visitors. Whenever patients access a healthcare provider’s patient portal, for example, or an online medical chart sharing application, an online payment program, or a mobile telehealth application, chances are high that tracking technology is in use and that cookies, pixels, or similar tools are actively collecting data about the patient.
Cookie Laws and Cookie Policies
Whether the patient is aware of the tracking tools depends a lot on geography. In 2011, the United Kingdom and European Union enacted laws that require websites and apps to disclose the use of tracking tools. Commonly known as the Cookie Laws, they govern cookies as well as similar tools like Flash and HTML5 Local Storage and were designed to protect online privacy by making consumers aware of how information about them is collected and used online and giving them a choice whether to allow it or not.
Undisclosed Tracking, Data Sharing Incur Serious Consequences
The FTC, OCR, and legal practices throughout the U.S. are beginning to pressure organizations that use tracking tools without disclosing them, and that sell or otherwise share protected health information with advertisers and marketers. Four examples from the past year follow.
- In August 2023, Advocate Aurora Health settled a $12.25 million class action lawsuit after announcing a data breach in October 2022 resulting from the use of tracking pixels. The pixels were embedded in its online patient portal and mobile app to help track and evaluate the patterns and preferences of patients using those platforms. In addition to not being disclosed on the website or mobile app, the tracking tool was over-sharing protected health information (PHI) with the third-party vendor who provided the tool.
- In February 2023, the FTC imposed a $1.5 million civil penalty on GoodRx, a telehealth and discount prescription drug provider, for failing to disclose to consumers that it was sharing their patient data with advertisers, including Facebook and Google.
- In December 2022, Community Health Network discovered that the configuration of certain pixels on its website, portal, and apps was allowing more patient information to be collected and transferred to third-party vendors, including Facebook and Google, than it realized. At least one lawsuit is pending.
- A similar lawsuit, filed in November 2022, accuses WakeMed Health & Hospitals of transmitting the personal health information of almost 500,000 patients to Facebook for advertising purposes and profit, without patient consent.
In addition to these settlements, penalties may still be imposed by the HHS OCR and the FTC. The clear message is that organizations need to be fully aware of their online tracking procedures, including web tracking tools that collect PHI, and make sure they comply, at a minimum, with HIPAA Rules and the FTC Act.
HHS OCR Issues Landmark Guidance on Use of Online Tracking
In response to the increased use of online tracking and the rise in data breaches resulting from tracking, the Office for Civil Rights recently emphasized the HIPAA compliance requirements that apply to the use of tracking technologies in the healthcare industry.
In a landmark bulletin published in December 2022, titled Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates, the OCR identifies the risks to PHI and enumerates specific actions organizations must take to protect the security and privacy of PHI collected and used by tracking technology vendors and their clients. The bulletin states in part:
- Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.
- Disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, constitute impermissible disclosures, which are HIPAA violations.
The OCR bulletin also gives explicit guidance on HIPAA compliance obligations, requiring regulated entities to take the following specific actions:
- Comply with HIPAA Rules when using tracking technologies with access to PHI. Ensure that (1) all disclosures of PHI to tracking vendors are specifically permitted by the Privacy Rule and (2) only the minimum necessary PHI to achieve the intended purpose is disclosed.
- Evaluate each relationship with a tracking technology vendor to (1) determine whether the vendor meets the definition of a business associate and (2) ensure that the disclosures made to such vendors are permitted by the Privacy Rule.
- Address the use of tracking technologies in risk assessments and risk management processes. Implement other administrative, physical, and technical safeguards in accordance with the Security Rule (such as encrypting ePHI that is transmitted to the tracking technology vendor).
- Enable and use appropriate authentication, access, encryption, and audit controls to protect ePHI when accessing ePHI that is maintained in the tracking vendor's infrastructure.
The bulletin also instructs entities to provide appropriate data breach notifications when an impermissible disclosure of PHI to a tracking technology vendor compromises the security or privacy of that PHI. All CISOs should be well aware of the details of this bulletin.
New Warning Letter Puts Healthcare Industry on Notice
Eight months after that landmark OCR bulletin was published, the Federal Trade Commission and the Department of Health and Human Services sent highly publicized warning letters to targeted hospitals and telehealth companies. The letters warn explicitly that the use of online tracking tools in websites or mobile apps potentially violates federal data privacy and security regulations. Although 130 organizations initially received this correspondence, the message clearly applies to all healthcare industry members who use tracking tools.
Following are key excerpts from the FTC/OCR warning letter describing the serious risks of improper PHI sharing:
- The HHS Office for Civil Rights and the Federal Trade Commission are writing to draw your attention to serious privacy and security risks related to the use of online tracking technologies that may be present on your website or mobile application and impermissibly disclosing consumers' sensitive personal health information to third parties.
- Recent research, news reports, FTC enforcement actions, and an OCR bulletin have highlighted risks and concerns about the use of technologies, such as the Meta/Facebook pixel and Google Analytics, that can track a user's online activities.
- These tracking technologies gather identifiable information about users as they interact with a website or mobile app, often in ways which are not avoidable by and largely unknown to users. Impermissible disclosures of an individual's personal health information to third parties may result in a wide range of harm to an individual or others.
- Such disclosures can reveal sensitive information including health conditions, diagnoses, medications, medical treatments, frequency of visits to healthcare professionals, where an individual seeks medical treatment, and more.
- In addition, impermissible disclosures of personal health information may result in identity theft, financial loss, discrimination, stigma, mental anguish, or other serious negative consequences to the reputation, health, or physical safety of the individual or to others.
The warning letter also cites FTC and HIPAA compliance requirements that apply to the use of online tracking tools, especially web tracking tools that collect PHI:
- The HIPAA Rules apply when the information that a regulated entity collects through tracking technologies or discloses to third parties, such as tracking technology vendors, includes PHI. HIPAA-regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to third parties or any other violations of the HIPAA Rules.
- Even if you are not covered by HIPAA, you still have an obligation to protect against impermissible disclosures of personal health information under the FTC Act and the FTC Health Breach Notification Rule. This is true even if you relied upon a third party to develop your website or mobile app and even if you do not use the information for any marketing purposes.
- As recent FTC enforcement actions demonstrate, it is essential to monitor data flows of health information to third parties via technologies you have integrated into your website or app.
The warning letter closes with a stern reminder that the “OCR and FTC remain committed to ensuring that consumers' health privacy remains protected with respect to this critical issue.”
The opportunity to profit from various commercial uses of PHI is a siren song to certain advertising and marketing entities, which has spurred regulators to intensify their focus on protecting patients and their PHI from the risks associated with online tracking tools. Both the HHS Office for Civil Rights and the Federal Trade Commission have published clear guidance regarding the use of online tracking tools by healthcare industry organizations and third-party tracking technology vendors acting on their behalf. Increasingly, PHI data breaches are incurring civil monetary penalties and lawsuit settlements as web tracking vulnerabilities continue to come to light. Look for a shift to more aggressive compliance enforcement and more frequent penalties from both the FTC and OCR.
Don’t Forget! October is National Cybersecurity Awareness Month. Join 24By7Security and thousands of other organizations in supporting this vital initiative!