Medicare Compliance & Reimbursement

Industry Notes:

Tracking Tech Threatens Patients’ Privacy and Security, Feds Warn

Watch out: OCR and FTC remind providers about third-party, vendor issues.

Technology has offered providers a plethora of ways to stay connected to patients and administer care digitally — but some apps use tracking technology, and that presents both a privacy and a security risk, the feds remind.

Details: On July 20, the HHS Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) issued a joint letter to covered entities, business associates, and third-party vendors warning them about using Meta/Facebook pixel and Google Analytics, which can track an individual’s online activities. “These tracking technologies gather identifiable information about users as they interact with a website or mobile app, often in ways which are not avoidable by and largely unknown to users,” the joint letter said.

This isn’t the first notice from OCR, as the agency already warned covered entities (CEs) and business associates (BAs) about the dangers in an updated bulletin last December (see Medicare Compliance & Reimbursement, Vol. 48, No. 24). In the bulletin, OCR “significantly expanded its interpretation of the definition of PHI to include, in some instances, identifiable information gathered by tracking technologies where a user visits a website and does not interact with the entity in any other way,” note attorneys Kathryn F. Edgerton, Lara D. Compton, and Kate F. Stewart with law firm Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. in an online legal analysis.

The letter also acts as a follow-up to a September 2021 announcement reminding entities about enforcement under the FTC Breach Notification Rule.

Bottom line: CEs, their BAs, and their vendors should be on the same page with privacy, strengthen their IT controls, and ensure patients’ protected health information (PHI) is safe and secure.

Review the joint letter at www.ftc.gov/system/files/ftc_gov/pdf/FTC-OCR-Letter-Third-Party-Trackers-07-20-2023.pdf.