Does Your Website or App Use Illegal Tracking Technologies? Warnings by FTC & HHS Office for Civil Rights


July 26, 2023 | Reading Time: 3 Minutes

The Escalating Concern Around Tracking Technologies

In the modern digital age, healthcare professionals and organizations face an evolving landscape of opportunities and challenges. Among the most discussed issues is the use of online tracking technologies in the healthcare sector. Notably, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) have issued warnings about the potential privacy and security risks these technologies present.

Now that several in-depth US federal investigations have proven the reality of the previously unthinkable, senators and federal agencies have stepped in to clarify the issues and issue clear warnings to clinicians and their organizations. This article will summarize these events and explain the federal government’s recent actions.

Unpacking the Function of Tracking Technologies

Tracking technologies are commonly used to collect and analyze how users interact with websites or mobile apps. This data aids healthcare providers in refining their services and enhancing user experience. However, the use of these technologies can also have unintended consequences. Particularly concerning is that some tracking technologies, often developed by third parties, may continue to gather user protected health information (PHI) and relay it to third-party marketing websites even after users have left the original website.

Since January, readers will have noted several articles devoted to the topic. See BetterHelp Investigation by FTC & Privacy Update by DOJ. An earlier report described a research study naming 50 top telehealth platforms potentially using tracking technologies to share protected health information (PHI) with Google, Amazon, and Facebook for marketing purposes. See Some Telehealth Platforms Are Tracking Sensitive Patient Data: Are They Violating HIPAA? for details.

Upholding Privacy and Security Standards with Tracking Technologies

The OCR administers and enforces the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules. These rules set forth the minimum standards for safeguarding identifiable health information. Parallel to this, the FTC is tasked with protecting the public from deceptive or unfair business practices, emphasizing the criticality of preserving patient privacy in the era of tracking technologies.

Assessing the Influence of Tracking Technologies on Patient Privacy

Melanie Fontes Rainer, the OCR Director, has been outspoken about balancing the potential benefits of tracking technologies with preserving patient privacy. Her office is dedicated to enforcing HIPAA and tackling concerns over improper disclosures of health information to third parties.

Similarly, Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, insists that when patients visit a hospital’s website or use telehealth services, they should be able to trust in the privacy of their health information.

Regulatory Directives and Enforcement Regarding Tracking Technologies

The OCR and FTC jointly issued a letter to approximately 130 hospital systems and telehealth providers to underscore their concerns. Downloadable from the FTC website announcement, the letter highlighted the potential risks associated with specific technologies such as Meta/Facebook pixel and Google Analytics. These tracking technologies can trace a user’s online activities, often without the user’s explicit knowledge.

Sending their warning to hospital systems and providers is particularly noteworthy, given the research article reported on May 1, describing the study by researchers Friedman and colleagues. It concluded that 98.6% of the 6,162 hospital websites analyzed actively used pixel-tracking software. The OCR is now conducting nationwide investigations to ensure compliance.

Tracking Technologies: The Implications for Non-HIPAA Entities

Although many companies had successfully avoided legal action related to the sharing of PHI due to their lack of “covered entity” status, the OCR and FTC’s positions have now officially shifted. The obligation to safeguard against unauthorized disclosure of personal health information extends to business entities not covered by HIPAA.

Recent FTC enforcement actions against startup companies such as BetterHelp, GoodRx, and Premom have reinforced this new stance. The FTC now expects all entities to monitor the flow of health information to third parties, particularly when such information is gathered through tracking technologies.

Ensuring Health Information Protection in Light of Tracking Technologies

The shifting digital landscape requires healthcare professionals and organizations to understand and comply with all federal and state privacy laws associated with their websites and other digital services. Protecting both PHI and consumer trust is becoming increasingly urgent. Practitioners and organizations needing basic HIPAA and additional essential legal professional development can conveniently earn CMEs and CEs at

Stay tuned to the newsletters for telehealth and technology news updates. The OCR encourages anyone concerned about potential violations to file a complaint here.
