Letters originally sent out in July have now been published by the OCR and FTC regarding pixel use.
This spring, a report revealed that 98.6% of hospitals use pixel tracking through third parties, including Meta, which may put patient privacy at risk. Many hospitals have become reliant on third parties for a variety of reasons, with some assisting in operations, website upkeep, and more.
While the Office for Civil Rights (OCR) released guidance discussing the risks and potential HIPAA violations, it is unclear how many hospitals have changed their operating procedures.
In July, the OCR and the Federal Trade Commission (FTC) issued a further warning following a slew of lawsuits against healthcare providers who allegedly caused privacy violations by using third parties.
Recently, the OCR and FTC publicly released the letter that was sent to over 100 healthcare and telehealth organizations. Every organization was directly named in the letters.
The letters include warnings against the use of pixel tracking tools and describe the types of data that may be exposed depending on where the pixels are deployed. For instance, if pixels are embedded in log-in portals, sensitive data from within that portal may have been made available to third parties.
While the OCR and FTC identified organizations to send these letters to, the letters do not confirm the use of pixels by any organization.
The letters, signed by OCR Director Melanie Fontes Rainer and FTC Director Samuel Levine, warn against using pixels and provide information regarding HIPAA, the FTC Act, and the FTC Health Breach Notification Rule.
The letters state that the departments are writing to inform organizations of “serious privacy and security risks related to the use of online tracking technologies that may be present on your website or mobile application (app) and impermissibly disclosing consumers’ sensitive personal health information to third parties.”
The letter highlights that using the Meta pixel and Google Analytics could infringe on privacy protections.
While not all letter recipients must comply with HIPAA, the letter reminded HIPAA-regulated organizations that they may not use tracking if it would result in impermissible personal health information disclosure.
Other organizations may also be obligated to protect personal health information under the FTC Act and the FTC Health Breach Notification Rule.
The OCR and FTC continue to monitor the situation to develop best practices regarding pixel use, especially for organizations that have become reliant on third parties.
While these organizations continue to evaluate the situation, the letter encourages all healthcare entities to “review the laws cited in this letter and take actions to protect the privacy and security of individuals’ health information.”