
FTC, OCR send warning letter to hospitals about online tracking pixels



The Federal Trade Commission joined the U.S. Health and Human Services Office for Civil Rights this week in reminding healthcare organizations about their responsibilities for third-party disclosures of protected health information under HIPAA, the FTC Act and the FTC Health Breach Notification Rule.


While OCR has addressed the privacy and security risks related to healthcare organizations that knowingly or unknowingly use third-party tracking tools that can analyze, gather and share sensitive medical data with advertising partners under HIPAA, the FTC is also using its authority to protect consumers’ health information from “potential misuse and exploitation.”

“These tracking technologies gather identifiable information about users, usually without their knowledge and in ways that are hard for users to avoid, as users interact with a website or mobile app,” the agencies said in their announcement about the joint letter, posted on the HHS website, on Thursday.

They go on to describe how integrated tools on hospital and telemedicine websites can not only send PHI directly back, but third parties like Google and Meta/Facebook may continue to track and gather information about patients even after they navigate away.

Several lawsuits allege that online tracking companies share PHI with their advertising partners, which target the patient with ads and other content. The class action lawsuits may also seek that any profit that hospitals may have made from selling the data be paid to patient victims, damages which some Louisiana hospitals may be facing.

The letter reiterates that HIPAA Rules apply when the information that a regulated entity collects through tracking technologies or discloses to third parties (e.g., tracking technology vendors) includes PHI.

In December 2022, OCR released a bulletin about the use of online tracking technologies by HIPAA-regulated entities, which provides a general overview of how the HIPAA Rules apply.

The FTC adds a warning about consumer protection laws.

“Even if you’re not covered by HIPAA, you still have an obligation to protect against impermissible disclosures of personal health information under the FTC Act and the FTC Health Breach Notification Rule.”

“This is true even if you relied upon a third party to develop your website or mobile app and even if you don’t use the information obtained through use of a tracking technology for any marketing purposes.”


When OCR issued guidance on the use of online tracking tools, it reminded regulated entities of their obligations to comply with HIPAA’s Privacy, Security and Breach Notification Rules and explained what steps healthcare organizations and others should take to protect PHI on user-authenticated and other relevant webpages and forms.

“In these circumstances, regulated entities should ensure that the disclosures made to such vendors are permitted by the privacy rule and enter into a business associate agreement with these tracking technology vendors to ensure that PHI is protected in accordance with the HIPAA Rules,” OCR said in the bulletin.

OCR said it continues to be concerned about disclosures of health information to third parties.

“Although online tracking technologies can be used for beneficial purposes, patients and others shouldn’t have to sacrifice the privacy of their health information when using a hospital’s website,” Melanie Fontes Rainer, OCR’s director, said in a statement about the joint letter with the FTC.


“When consumers visit a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a statement.

“The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue doing everything in our powers to protect consumers’ health information from potential misuse and exploitation.”

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.


