A bipartisan group of senators has written to three telehealth companies demanding answers about the use of third-party tracking technologies on their websites and details of the sensitive health data that they share with third parties such as Meta, Google, and social media networks.
In the summer of 2022, The Markup/STAT conducted an investigation into the use of tracking technologies on the websites of U.S. hospitals and found that around one-third of the hospitals investigated had these technologies on their websites. Website tracking code could capture and transmit identifiable health information to third parties, which could be further disclosed and used for targeted advertising. In December 2022, a similar investigation was conducted on the use of the code by telehealth companies. The investigation revealed 49 out of the 50 telehealth websites they investigated were sharing consumer data with third parties through pixels and other website tracking technologies, despite the companies maintaining that any information disclosed to them by consumers would be kept private and confidential.
Maria Cantwell (D-WA), Chair of the Senate Commerce Committee, Amy Klobuchar (D-MN), Susan Collins (R-ME), and Cynthia Lummis (R-WY) wrote to Cerebral in California, Monument in New York, and Workit Health in Michigan about these disclosures. The senators say the telehealth industry has been valued at over $30 billion and has allowed Americans to get easy access to the care they need, especially individuals in rural communities with limited physical access to healthcare facilities. However, the convenience of telehealth should not be at the expense of privacy, and sensitive health information should not be exposed to the world’s largest advertising ecosystem.
Cerebral operates a website that was used by more than 200,000 patients in 2020 and 2021. Users of its website are asked to complete medical questionnaires, which include questions about medical conditions such as depression, anxiety, and bipolar disorder. That information, along with details of the medications they purchase through the website, is sent to third parties who can monetize that information. Website users are told that their health data will remain private and confidential and were not informed about these disclosures.
Workit Health’s website was used by more than 20,000 individuals in 2021. Its users were similarly asked to complete medical questionnaires, including questions about substance use and mental health, and that information was discovered to have been shared with platforms such as Google and Facebook along with identifiable information. Workit Health stated on its website that any information shared by users would be kept private and would be protected by its HIPAA-compliant software.
Monument’s website was used by more than 30,000 patients in 2021. Users of the website were asked questions about mental health and alcohol use. Monument claims on its website that consumers’ health information is kept 100% confidential and that Monument is HIPAA compliant, but The Markup/STAT investigation revealed information was being shared with platforms such as Google and Facebook without the knowledge of website users.
The senators asked the telehealth companies to provide a list of all questions consumers may be asked, the types of information that are shared with third parties, and whether information has ever been shared with a third party that would allow an individual to be identified as seeking treatment for a specific mental health or substance abuse condition. They also asked the companies to commit to protecting patient privacy and informing patients, in clear, easy-to-understand, plain language, of the exact types of information that will be shared with third parties and for what specific purposes.
Last year, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued guidance to HIPAA-regulated entities on the use of website tracking technologies. OCR confirmed that HIPAA-covered entities are not permitted to share protected health information via these tracking technologies unless consent to do so is obtained from individuals in advance, or if the provider of the technology is a HIPAA business associate, a valid business associate agreement is in place, and the disclosure is expressly permitted by the HIPAA Privacy Rule.
The Federal Trade Commission is also taking an interest in the use of these tracking technologies on health apps and websites and recently announced its intention to fine GoodRx, a provider of discounts for medications and telehealth services, $1.5 million for violations of the FTC Health Breach Notification Rule. GoodRx is alleged to have failed to notify consumers that their health information had been disclosed to third parties such as Facebook and Google after claiming users’ health data would be kept private.
The post Senators Demand Answers from Telehealth Firms on Pixel-Related Data Sharing Practices appeared first on HIPAA Journal.