FTC, HHS say tracking technology may impermissibly disclose personal health data

Privacy, Cyber Risk & Data Security Federal Issues FTC FTC Act Consumer Protection Health Breach Notification Rule Department of Health and Human Services

On July 20, the FTC and U.S. Department of Health and Human Services for Civil Rights issued a joint letter cautioning hospitals and telehealth providers of the risks related to the use of online tracking technologies within their systems that may impermissibly disclose consumers’ personal data to third parties. Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said “when consumers visit a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties.” According to the letter, recent research has highlighted concerns about the use of technology to track users’ online activities and sensitive data including, health conditions, diagnoses, medications, medical treatments, frequency of visits to health care professionals, and where an individual seeks medical treatment. The FTC warned that the impermissible disclosures of personal data can result in identity theft, financial loss, discrimination, and more. The letter included a reminder that under the FTC Act and the FTC Health Breach Notification Rule, even if they are not covered by HIPAA, hospitals and telehealth providers remain obligated to protect against impermissible disclosures of personal health information.