On December 1, 2022, the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) released a bulletin, entitled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” (“the Bulletin”). The Bulletin discusses the use of tracking technologies by Covered Entities and Business Associates, and the possible improper use and disclosure of protected health information (“PHI”) when using such tracking technologies.
Tracking technologies, such as cookies, pixels, web beacons, and session replay scripts, have been a topic of much discussion in the field of data privacy in recent years. With the proliferation of state privacy laws in the past few years, tracking technologies and their impact on consumer privacy have garnered a lot of attention. Although there are privacy concerns regarding tracking technologies under state privacy laws, these tracking technologies are permitted in nearly all circumstances. However, this may not always be the case for Covered Entities and Business Associates that have to comply with HIPAA, as discussed in the Bulletin.
Uses of Tracking Technologies
The Bulletin discusses concerns that tracking technologies collect individually identifiable health information (“IIHI”) when an individual visits a Covered Entity’s website, such as a provider or health plan website. The tracking technologies may collect information such as geolocation, IP address, and device ID, which, according to the Bulletin, would generally be PHI when collected on a regulated entity's website or mobile application. Although this is a broad interpretation, the Bulletin does go on to explain its reasoning: “[t]his is because, when a regulated entity collects the individual’s IIHI through its website or mobile app, the information connects the individual to the regulated entity (i.e., it is indicative that the individual has received or will receive healthcare services or benefits from the covered entity), and thus relates to the individual’s past, present, or future health or healthcare or payment for care.”
The Bulletin makes a distinction between the use of tracking technologies on “user-authenticated webpages,” “unauthenticated webpages,” and “web applications.” The Bulletin explains that user-authenticated webpages that require user credentials to access, such as a plan beneficiary portal or patient portal, are more likely to have access to PHI. Therefore, if a Covered Entity uses tracking technologies on its user-authenticated webpages, the tracking technologies will likely have access to PHI, possibly even information about an individual’s diagnosis or treatment. Additionally, if the tracking technologies are administered by a third party with access to that PHI, that third party is considered a Business Associate.
The Bulletin goes on to state that, although less likely, tracking technologies on unauthenticated webpages may also collect PHI. For example, an individual may visit a provider's home page and then provide their name, email address, and other identifying information to register on the page, which the Bulletin states would constitute PHI. The Bulletin also notes that a regulated entity’s mobile app often collects PHI, such as geolocation, device ID, or advertising ID, which can be captured by tracking technologies.
Key Takeaways and Next Steps
HIPAA-regulated entities that use tracking technologies should take several steps to confirm they are not using tracking technologies in a way that would violate HIPAA.
- Identify tracking technologies they are using throughout their websites and applications;
- Determine if they are tracking information that would be considered PHI;
- If yes, then the regulated entity should determine whether the use of PHI for the purposes for which it is being tracked could be considered a permitted use under HIPAA’s Privacy Rule; and
- If the regulated entity is using third-party tracking technologies, there should be a business associate agreement in place or de-identification of the data before it is disclosed to a third party.
Octillo’s Compliance Advisory team works with numerous Covered Entities and Business Associates, including healthcare providers, hospitals, health insurance companies, and healthcare technology companies, to address privacy requirements under HIPAA and other privacy regulations. We continuously monitor developments in the privacy and technology landscapes and provide up-to-date, practical counsel to our clients navigating privacy challenges, including the use of tracking technologies.
*Attorney Advertising: Prior results do not guarantee future outcomes.