HHS Publishes Guidance on Using Online Tracking Technologies Under HIPAA

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued a bulletin on December 1, 2022, clarifying that "regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of [protected health information (PHI)] to tracking technology vendors or any other violations of the HIPAA Rules." Tracking technologies generally collect and analyze information about how users interact with websites or mobile applications. The bulletin comes in the wake of multiple lawsuits alleging illegal online tracking technology use by HIPAA-regulated entities.

In light of OCR's guidance and the growing risk of litigation, health care entities should review the use and disclosure of their website data, determining what information constitutes PHI and reviewing compliance with both HIPAA and other laws with respect to any data sharing.

Tracking Technology Tools: How They Work

Entities across industries commonly use tracking technology tools such as cookies, web beacons, pixels, script, or code to gather information about users and their devices as they interact with the website or mobile app. For example, these tools can help entities understand whether online advertising campaigns are proving successful or to detect ways to improve their website. Frequently, entities will use a technology vendor to analyze the collected data and create relevant insights about users' online activities. Usually, the technology vendor provides the entity with a tracking tool to place on website pages. By running the tracker's script or code on the page, the entity can send the vendor selected information from the page that – in the case of a health care entity – can include names, email addresses, phone numbers, doctor's names, medical conditions, appointment times and dates, IP addresses, and other sensitive information particularly if the webpages, for example, are online scheduling pages or inside password-protected patient portals, and the tool collects and sends the data. Mobile apps, such as a clinic's app for patients to track health-related information, can provide information such as the mobile device's fingerprints (device name, type, operating system, and/or IP address), network location, geolocation, device ID, or advertising ID.

Bulletin from the Office for Civil Rights

In the bulletin, OCR clarifies that individually identifiable health information (IIHI) collected on a regulated entity's website or mobile app will qualify as PHI and be regulated by HIPAA. This might include an individual's medical record number, home or email address, or dates of appointments, as well as an individual's IP address or geographic location, medical device IDs, or any unique identifying code. OCR states that all such IIHI collected on a regulated entity's website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the IIHI, such as IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services. The bulletin maintains that when a regulated entity collects an individual's IIHI through its website or mobile app, the information connects the individual to the regulated entity (that is, it is indicative that the individual has received or will receive health care services or benefits from the covered entity), and thus relates to the individual's past, present, or future health or health care or payment for care.

OCR clarifies, however, that not all information collected through a regulated entity's website is necessarily IIHI and PHI. The bulletin distinguishes between user-authenticated webpages that are only available to patients or plan members and unauthenticated webpages that are accessible by anyone. Information on a user-authenticated web page generally will be treated as PHI and subject to HIPAA. For unauthenticated web pages, the analysis is a bit more nuanced. OCR states that tracking technologies deployed on unauthenticated webpages generally do not have access to PHI. For example, the mere fact that a user visited a regulated entity's home page seemingly would not be PHI. OCR further clarifies, however, that in some cases tracking technologies on unauthenticated webpages may access and disclose PHI if a user's login to the patient portal is captured (which would occur on an unauthenticated page and then lead to an authenticated page) or if health-specific information, such as data indicating that the website visitor searched for a doctor or sought to schedule an appointment, is captured and disclosed.

OCR states that "disclosures of PHI to tracking technology vendors for marketing purposes, without individuals' HIPAA-compliant authorizations, would constitute impermissible disclosures." OCR explains that the disclosure and misuse of tracking information can promote "misinformation, identity theft, stalking, and harassment," and lead to a broad range of harms to individuals or others, including discrimination, financial loss, emotional distress, and stigma.

HIPAA-regulated entities may use or disclose PHI only as the HIPAA Privacy Rule expressly permits or requires, unless they obtain an individual's written authorization. Because of the widespread use of tracking technologies that potentially obtain PHI from the HIPAA-regulated entities' webpages and mobile apps, HIPAA-regulated entities might be using tracking technologies without fully appreciating that they may be impermissibly disclosing PHI. The OCR bulletin states that "it is critical for regulated entities to ensure that they disclose PHI only as expressly permitted or required by the HIPAA Privacy Rule" and that the tracking technology vendor operate under a business associate agreement ("BAA").

Practical Steps for HIPAA-Regulated Entities to Take

The OCR bulletin does not have the force of law, but does indicate how OCR is interpreting the application of HIPAA to tracked website data. In light of the recent lawsuits and OCR's guidance, HIPAA-regulated entities should consider the following steps to promote HIPAA compliance:

• Identification of Website PHI. Regulated entities can review what data is collected on their website and analyze whether it is PHI. For example, user data on user-authenticated pages for patients or plan members likely qualifies as PHI. User data on a page about employment opportunities likely is not PHI. Organizations should pay particular attention to the scope of data that is collected on unauthenticated pages to identify what data constitutes health information because it may evidence information about a physical or mental condition or identify a webpage visitor seeking health care or benefits from the entity.
• Business Associate Agreements with Tracking Technology Vendors. Regulated entities should check whether they have entered into HIPAA-compliant BAAs with vendors where such vendors meet HIPAA's definition of "business associate." This will largely depend on whether the vendor is receiving access to website data that constitutes PHI. Regulated entities should verify that any of their PHI disclosures to tracking technology vendors are permitted by the Privacy Rule and that the tracking tool is disclosing only the minimum necessary PHI to achieve an intended and permitted purpose. The bulletin states that the HIPAA Privacy Rule does not permit PHI disclosures to tracking technology vendors based solely on privacy policy statements, notices, or terms of conditions of use. Rather, the disclosure must be based on a permissible purpose, such as the covered entity's health care operations, and a BAA must be in place where required.
• HIPAA-compliant Authorizations. Regulated entities should verify whether they need to obtain an individual's HIPAA-compliant authorization before disclosing PHI to a third-party tracking technology vendor if the parties do not enter into a BAA. The bulletin cautions that website banners that provide users the option to accept or reject a website's cookies, for example, would not be a valid form of HIPAA authorization. OCR also warns that having the tracking technology vendor agree to de-identify PHI before the vendor saves the information also is insufficient.
• Risk Analysis and Risk Management Processes. Regulated entities should not forget that tracking technologies would be a part of the entity's Risk Analysis and Risk Management processes.
• Breach Notifications. If a regulated entity has disclosed PHI to a tracking technology vendor in violation of HIPAA, such as without individuals' authorizations or a BAA, then the entity should document a breach risk assessment demonstrating a low probability of compromise or determine if it must provide breach notifications to affected individuals, the Secretary, and the media.
• Compliance with State Laws. Regulated entities also should review their compliance with state consumer privacy laws. Most state privacy laws exempt collection and disclosure of PHI that is subject to HIPAA but may govern the use or disclosure of any website data that the regulated entity determines is not PHI. This is especially true for for-profit entities, as many of the state consumer privacy laws exempt non-profit entities.

Entities that are not HIPAA-regulated but offer mobile apps into which an individual might enter health information should be aware that the FTC Act and the FTC's Health Breach Notification Rule could also apply along with other data privacy laws.

We are happy to assist entities evaluate their HIPAA compliance in light of OCR's bulletin.