Entities regulated by the Health Insurance Portability and Accountability Act (HIPAA) may be surprised to learn that use of certain online tracking technology may result in inadvertently sharing information protected under HIPAA with unauthorized third parties. On December 1, 2022, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services issued guidance with far-reaching implications for HIPAA regulated entities, highlighting their HIPAA compliance obligations when using third-party online tracking technologies designed to collect and analyze information pertaining to a user’s interaction with the regulated entity’s webpages and mobile apps. The OCR’s guidance followed a June 2022 article co-published by The Markup and STAT[1] alleging that several hospitals were sharing, without authorization, sensitive medical information collected from their websites via online tracking tools. The article sent shock waves through the health care community and resulted in a number of class action lawsuits against hospitals and technology companies. While the OCR acknowledges that regulated entities may utilize online tracking technologies for permissible HIPAA purposes, such use must not be done in a manner that would result in an impermissible use or disclosure or any other HIPAA violation. Although HIPAA does not provide a private cause of action, the OCR guidance has been used to support consumer actions alleging improper use and disclosure of patient information.[2] Accordingly, regulated entities (covered entities and business associates alike) should be mindful of such guidance when utilizing tracking technology on: (i) user-authenticated webpages; (ii) unauthenticated webpages, even where no patient relationship exists with the webpage visitor; and (iii) mobile applications offered for or on behalf of the regulated entity.
Below is a brief overview of OCR’s guidance and key takeaways, including some steps regulated entities should consider to reduce risk and ensure compliance.
Tracking technologies, such as cookies, web beacons, or tracking pixels, are not uncommon and often provide valuable information regarding users’ online activities, which in the health care arena may be used to improve care or the patient experience. Such tracking technologies may be developed internally or by third parties, e.g., tracking technology vendors, and may exist on the regulated entity’s webpages and mobile apps. The OCR’s guidance focuses on regulated entities’ obligations when using third-party tracking technologies.
OCR views information collected using tracking technologies as protected health information if: (i) it is collected by a regulated entity; (ii) it relates to an individual’s past, present, or future health care or payment for health care, regardless of whether a patient relationship exists or whether the information collected (such as IP address and geographic location) includes specific treatment or billing information like dates and types of health care service; and (iii) it can be linked to a specific individual. In other words, tracking information collected by a regulated entity on its webpages and mobile apps from an individual who is not an existing patient of such entity is broadly presumed by OCR to relate to the individual’s past, present, or future health care or payment for health care, as “it is indicative that the individual has received or will receive health care services or benefits from the covered entity.”
OCR describes and provides examples of how HIPAA may apply to regulated entities’ use of the following online tracking technologies:
- User-authenticated webpages. Regulated entities may have user-authenticated webpages, which require user login access, such as a patient or health plan portal or telehealth platform. These webpages generally contain protected health information that may be collected via tracking tools, such as an individual’s IP address, medical record number, dates of appointment, or other identifying information. Therefore, regulated entities must comply with HIPAA when utilizing such tools on user-authenticated webpages, including entering into a business associate agreement with the tracking technology vendor if such information is to be shared with the vendor.
- Unauthenticated webpages. Regulated entities may have unauthenticated webpages where users are not required to log in and general information about an entity’s services may be shared and accessed by users. The OCR acknowledges that regulated entities’ unauthenticated webpages generally do not have access to an individual’s protected health information and, in such instances, a regulated entity’s use of tracking technology on those pages is not regulated by HIPAA rules. However, the OCR cautions that some unauthenticated webpages may have access to protected health information, and use of tracking technology on those pages would be subject to HIPAA regulation. One example is the login page of a patient portal. The OCR considers a portal login page to be an unauthenticated webpage, as a user does not have to provide credentials to navigate to the page. But the OCR guidance explains that if the visitor enters credentials or registration information on that page, such as a name or email address, the information identifies the individual and is protected health information subject to HIPAA. As such, the OCR concludes that use of tracking technology on a patient portal webpage that can collect information the individual supplies to log in or register would be subject to HIPAA regulation, requiring a business associate agreement with any tracking technology vendor with whom the data is shared. The OCR cites webpages that address specific symptoms or health conditions, or pages that allow visitors to search for appointments, as additional examples of unauthenticated webpages that have access to protected health information. If tracking technologies are collecting identifying information such as an IP address or email address from a visitor using such pages, the OCR concludes the regulated entity is disclosing protected health information to the tracking technology vendor, and HIPAA requirements, including the requirement for a business associate agreement, apply.
The OCR’s analysis with respect to such unauthenticated webpages is consistent with the OCR’s broad presumption that tracking information relates to an individual’s health care or payment for care and is protected health information when it is collected by the regulated entity and linked to a specific individual, regardless of whether a patient relationship exists or specific treatment or billing information is included in or tied to the user’s IP address, geographic location, or other identifying information being tracked.
- Mobile apps. Regulated entities may offer individuals mobile apps for a variety of health care purposes, such as managing their care and paying their bills. Such apps collect a variety of information provided by the app user and the app user’s device, such as fingerprints, network location, geolocation, and device ID, which could qualify as protected health information. Therefore, regulated entities that collect and share such information with the mobile app vendor, tracking technology vendor, or any other third party must comply with HIPAA. OCR acknowledges that HIPAA would not apply to a user’s voluntary download of, or input of information into, mobile apps not developed or offered by the regulated entity, although other laws[3] may apply. However, if the mobile app is offered for or on behalf of the regulated entity, then HIPAA applies.
If protected health information collected from a regulated entity’s tracking technologies is to be shared with third parties, OCR expects such data sharing to comply with HIPAA. The guidance outlines some HIPAA requirements regulated entities would be required to meet and specifically calls out establishment of business associate agreements with technology vendors meeting the definition of a business associate. Notably, absent a low probability of compromise, OCR presumes a breach has occurred when protected health information is shared with the tracking technology vendor and there is: (i) no HIPAA permission to disclose; and, (ii) no business associate agreement in place.
OCR’s guidance has significant and far-reaching consequences for HIPAA regulated entities using online tracking technologies on their webpages (user-authenticated and unauthenticated) and on mobile apps offered for or on their behalf. Therefore, regulated entities should evaluate what data, if any, is being collected and shared by such technologies on their information systems and, at a minimum, take the following steps to reduce risk and ensure compliance:
- Conduct a HIPAA compliant risk assessment of any online tracking technologies utilized.
- Evaluate whether required business associate agreements or patient authorizations exist to permit sharing the tracking data collected.
- Evaluate and address any potential breaches from tracking technology usage, particularly if no required business associate agreement exists.
- Update applicable policies, procedures and training materials.
- Determine whether any other laws, besides HIPAA, apply to the tracking data collected.
Although the guidance does not change the requirements of the HIPAA Privacy Rule, it does provide clarity and insight on how those requirements will be applied with respect to use of online tracking technologies. As lawsuits seeking redress for alleged privacy violations associated with such usage continue to grow, HIPAA regulated entities should proceed with caution and deliberation when using online tracking technologies.
A copy of the OCR bulletin is available on the OCR website.
[1] See Feathers, T., Fondrie-Teitler, S., Waller, A., and Mattu, S., Facebook Is Receiving Sensitive Medical Information from Hospital Websites, The Markup and STAT (June 16, 2022).
[2] Complaints against Cedars-Sinai Medical Center and Christ Hospital expressly cite the OCR bulletin.
[3] The OCR bulletin cites as examples the Federal Trade Commission (FTC) Act and the FTC’s Health Breach Notification Rule.