HHS Warns Telehealth Providers of HIPAA Risks Involving Online Tracking Technologies | Practical Law

In a joint letter, the Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) have warned telehealth providers and hospital systems about the risks of using tracking technologies (such as Meta Pixel and Google Analytics) on websites and mobile apps. The agencies' letter warned recipients that the use of tracking technologies may result in impermissible disclosures of personal health information. The agencies reminded recipients that their use of tracking technologies must comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the FTC's Health Breach Notification Rule, as applicable.

Practical Law Legal Update w-040-1906 (Approx. 4 pages)

by Practical Law Employee Benefits & Executive Compensation
Published on 24 Jul 2023 | USA (National/Federal)

In a joint letter, HHS's Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) have warned telehealth providers and hospital systems about the risks of using tracking technologies (such as the Meta/Facebook Pixel and Google Analytics) on websites and mobile apps (OCR letter (July 20, 2023); see related press release). The agencies' letter warned recipients that the use of tracking technologies may result in impermissible disclosures of personal health information. The agencies reminded the telehealth providers and hospitals that their use of online tracking technologies must comply with (as applicable):
  • HIPAA's privacy, security, and breach notification rules (HIPAA Rules).
  • The FTC's Health Breach Notification Rule and FTC Act.
For compliance resources addressing the HIPAA Rules, see HIPAA Privacy, Security, and Breach Notification Toolkit.

Technologies Track Users' Online Activities

As background, tracking technologies collect and analyze information about how users interact with websites or mobile apps. Tracking technologies typically send information directly to the third parties who developed the technologies. In some cases, the technologies may continue tracking users (and collecting their information) even after the users move from the initial website to different ones.
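As an added example (not part of this Practical Law update, and not code from HHS, the FTC, or any tracking technology vendor): a small Python scanner that inventories where the third-party tracking technologies described above appear in a page's HTML, so a covered entity or business associate can find tracker script loads and inline vendor snippets before reviewing those pages under the HIPAA Rules. The hostnames are the vendors' public script endpoints; the sample HTML, the page URLs, and the authenticated/unauthenticated classification are constructed for the example, and the `audit_page` function with its "high"/"review"/"none" risk labels is this example's own convention, not an HHS or FTC one.

```python
"""
Inventory third-party tracking technologies (Meta Pixel, Google Analytics)
in a page's HTML. Standard library only; no network access needed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Vendor hosts that serve the tracking scripts and image beacons named in the letter.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",            # fbevents.js loader
    "www.facebook.com": "Meta Pixel",                # /tr image beacon
    "www.google-analytics.com": "Google Analytics",  # analytics.js / collect
    "www.googletagmanager.com": "Google Tag Manager / GA4",
}

# Regexes for the global functions the vendors' inline snippets call.
INLINE_MARKERS = {
    r"\bfbq\(": "Meta Pixel",
    r"\bgtag\(": "Google Analytics (gtag.js)",
    r"\bga\(": "Google Analytics (analytics.js)",
}


class TrackerScanner(HTMLParser):
    """Collect (vendor, evidence) pairs for external loads and inline snippets."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._script_buf = []
        src = attrs.get("src")
        if tag in ("script", "img", "iframe") and src:
            # urlparse handles absolute and protocol-relative (//host/...) URLs.
            host = urlparse(src).hostname
            if host in TRACKER_HOSTS:
                self.findings.append((TRACKER_HOSTS[host], f"<{tag} src={src}>"))

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            text = "".join(self._script_buf)
            for pattern, vendor in INLINE_MARKERS.items():
                if re.search(pattern, text):
                    self.findings.append((vendor, "inline script"))
            self._in_script = False


def scan_html(html: str) -> list:
    parser = TrackerScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def audit_page(url: str, html: str, authenticated: bool) -> dict:
    """Summarize tracker findings for one page.

    The authenticated flag mirrors the distinction HHS draws between
    user-authenticated pages (patient portals, where PHI is expected) and
    unauthenticated pages; the risk label is this example's own convention.
    """
    findings = scan_html(html)
    if not findings:
        risk = "none"
    elif authenticated:
        risk = "high"
    else:
        risk = "review"
    return {
        "url": url,
        "authenticated": authenticated,
        "trackers": sorted({vendor for vendor, _ in findings}),
        "details": findings,
        "risk": risk,
    }


# Constructed sample: a patient-portal page carrying both vendors' snippets.
SAMPLE_PATIENT_PORTAL = """
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=GA-EXAMPLE"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'GA-EXAMPLE');
</script>
<script>
  !function(f){/* vendor loader snippet, abbreviated */}(window);
  fbq('init', 'PIXEL-ID-EXAMPLE');
  fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1"
  src="https://www.facebook.com/tr?id=PIXEL-ID-EXAMPLE&amp;ev=PageView" /></noscript>
</head><body><h1>Appointments</h1></body></html>
"""

# Constructed sample: a public page with only first-party scripts.
SAMPLE_CLEAN_PAGE = """
<html><head><script src="/static/app.js"></script></head>
<body><h1>About us</h1></body></html>
"""

if __name__ == "__main__":
    for url, html, auth in [
        ("https://portal.example/appointments", SAMPLE_PATIENT_PORTAL, True),
        ("https://www.example/about", SAMPLE_CLEAN_PAGE, False),
    ]:
        result = audit_page(url, html, auth)
        print(f"{result['url']}: risk={result['risk']} trackers={result['trackers']}")
        for vendor, evidence in result["details"]:
            print(f"  {vendor}: {evidence}")
```

Run it against saved HTML of each page in the site inventory (authenticated pages first) and keep the output as the tracker inventory; it complements, rather than replaces, checking mobile app SDKs and server-side tag forwarding, which this HTML-only scan cannot see.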
In 2022 bulletin guidance, HHS addressed:
  • The use of tracking technologies on user-authenticated webpages, mobile apps, and unauthenticated webpages.
  • HIPAA compliance for covered entities (CEs) and business associates (BAs) that use tracking technologies.
The July 2023 letter also emphasizes that unauthorized disclosure of an individual's protected health information (PHI) can have negative consequences for individuals, including:
  • Identity theft or financial loss.
  • Stigma, mental anguish, or other damage to an individual's reputation, health, or physical safety.
According to the agencies, website or mobile app users are often unaware of how tracking technologies are gathering the users' identifiable information when users interact with a website or app. However, unauthorized disclosures can reveal highly sensitive information about an individual, such as:
  • Diagnoses.
  • Medications and treatments.
  • The frequency of visits to health providers.
  • Where an individual obtains medical treatment.

Tracking Technologies and HIPAA Compliance

In their July 2023 letter, the agencies reminded CEs and BAs that the HIPAA Rules apply when information collected through tracking technologies (or disclosed to third parties, such as tracking technology vendors (TTVs)) includes PHI. Accordingly, CEs and BAs may not use tracking technologies in a way that:
  • Results in impermissible disclosures of PHI.
  • Otherwise violates the HIPAA Rules.
The July 2023 letter directed CEs and BAs to the December 2022 bulletin for more information on tracking technologies and HIPAA compliance.

Compliance with the FTC Act and Health Breach Notification Rule

The letter also reminds entities that are not subject to HIPAA that they must comply with the FTC Act and the FTC's Health Breach Notification Rule.

Practical Impact

HHS's 2023 letter largely leans on its earlier guidance (from December 2022) regarding the agency's substantive positions on HIPAA compliance and tracking technologies. In issuing its 2023 letter, however, HHS noted that it is pursuing "active investigations nationwide" to ensure HIPAA compliance, which presumably includes review of tracking technology issues where relevant. For its part, the FTC noted that it has recently completed enforcement actions against several entities concerning their tracking technology practices. Given the agencies' renewed emphasis on tracking technologies in the July 2023 letter, perhaps HHS will follow suit in the future.