On December 1, 2022, the HHS Office for Civil Rights (OCR) issued a bulletin on the requirements imposed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for online tracking technologies regarding protecting the privacy and security of health information. This bulletin explains how HIPAA rules apply to regulated entities’ use of online tracking technologies on their webpages and mobile apps.
Online tracking technologies consist of code or scripts that share information about how a visitor interacts with that webpage or mobile app. Common tracking technologies on websites include cookies, tracking pixels, and other web beacons, while mobile apps often use tracking technology embedded in the app to share user information. Tracking user information can help improve the patient experience and lead to more relevant information being received by those who want it, but disclosure of this information carries risk. While some website or mobile app creators may write their own tracking technologies, tracking technologies are developed most commonly by third parties such as Meta/Facebook and Google.
Healthcare providers risk running afoul of HIPAA rules if they disclose protected health information (PHI) to third party tracking technology vendors. OCR’s bulletin explains that individually identifiable health information (IIHI) includes an individual’s medical record number, home address, email address, dates of appointments, IP address or geographic location, medical device IDs, or unique identifying codes. This information is generally considered PHI, even when the IP address or geographic location isn’t connected to specific healthcare services or billing information. The bulletin notes that information is considered PHI even when the website visitor does not have an existing relationship with the provider because when the tracking technology collects a visitor’s IIHI there is an indication that the visitor either has or will receive healthcare services from that provider.
The bulletin describes HIPAA’s application to tracking technology on user-authenticated pages (where a user must log in, such as a patient portal), tracking non-authenticated pages (where a user does not have to log in), and on mobile apps. On user-authenticated pages, the provider must ensure that if there are any tracking technologies they only use and disclose PHI in compliance with the HIPAA Privacy Rule and Security Rule. The tracking technology vendor is a business associate, and a business associate agreement (BAA) is required when the vendor regularly receives, maintains, or transmits PHI on behalf of the provider for a covered function (e.g., health care operations) or provides services that involve PHI disclosure.
For non-authenticated webpages, if tracking technologies on these pages have access to PHI, then HIPAA rules apply. For example, if tracking technologies collect a person’s email address or IP address when she visits her provider’s webpage and searches for available appointments, this information is PHI and protected by HIPAA. HIPAA rules also apply to any PHI collected through a provider’s mobile app, such as a person tracking her menstrual cycle, body temperature, or prescription information. Mobile app PHI includes information typed or uploaded into the app, information provided by the app user’s device, such as fingerprints, network location, geolocation, device ID, or advertising ID. However, HIPAA does not protect information entered into mobile apps that are offered by an entity that is not regulated by HIPAA.
The OCR bulletin lists additional considerations for regulated entities using tracking technologies. They must ensure that any disclosures of PHI to tracking technology vendors are permitted by the HIPAA Privacy Rule. Informing an individual in a privacy policy or in terms and conditions of PHI disclosures to a tracking technology vendor is not enough. Similarly, website banners that ask visitors to accept or reject the website’s use of tracking technologies are not a valid HIPAA authorization, nor would it be sufficient for a tracking technology vendor to agree to remove PHI from the information it receives or de-identify the PHI. If a provider discloses any PHI to a vendor without individuals’ authorization, then the vendor must sign a BAA and there must be an applicable Privacy Rule permission. The OCR bulletin also lists considerations for establishing a BAA with a tracking technology vendor that meets the definition of “business associate.”
The full text of the HHS OCR bulletin, “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates,” is available here.
