On December 1, 2022, the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) issued a bulletin (the “Bulletin”) warning that HIPAA covered entities’ and business associates’ (“regulated entities”) use of tracking technology may violate HIPAA.
Until now, regulators have not provided healthcare companies with formal guidance on the intersection of the Health Insurance Portability and Accountability Act (HIPAA) and online tracking technology. These tracking technologies range from strictly necessary cookies that must be used to operate a website or mobile application (“mobile app”) to third-party tracking technologies like pixels that reveal a user’s activities across websites and apps for marketing purposes. Because the range of these technologies is so wide, their purpose and use vary greatly.
OCR is responsible for administering and enforcing HIPAA. Violations of HIPAA may lead to a monetary penalty and even criminal liability in some instances. OCR’s published guidance likely foreshadows enforcement actions related to tracking technologies.
According to an investigation from The Markup, Meta’s pixel tool was found on the website of about one-third of the largest hospitals in the US. Lawsuits have already been filed over issues related to Meta pixels, as certain health systems are facing patient-led suits filed following two separate breach notices involving the technology.
In pertinent part, the OCR Bulletin states:
“Regulated entities disclose a variety of information to tracking technology vendors through tracking technologies placed on a regulated entity’s website or mobile app, including individually identifiable health information (IIHI) that the individual provides when they use regulated entities’ websites or mobile apps. This information might include an individual’s medical record number, home or email address, or dates of appointments, as well as an individual’s IP address or geographic location, medical device IDs, or any unique identifying code. All such IIHI collected on a regulated entity’s website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the IIHI, such as IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services. This is because, when a regulated entity collects the individual’s IIHI through its website or mobile app, the information connects the individual to the regulated entity (i.e., it is indicative that the individual has received or will receive health care services or benefits from the covered entity), and thus relates to the individual’s past, present, or future health or health care or payment for care.”
This broad generalization indicates that OCR assumes any regulated entity’s website or application visitor is treated as a patient, and any IIHI collected could be treated as PHI.
The Bulletin distinguishes between tracking on user-authenticated webpages, unauthenticated webpages, and mobile apps.
• User-authenticated webpages require a user to log in before they can access the webpage. Tracking technologies used on such user-authenticated webpages will likely have access to PHI. A regulated entity must ensure that any tracking technologies on user-authenticated webpages can only use and disclose PHI in compliance with the HIPAA Privacy Rule, and that any PHI collected through its website is protected and secured in accordance with the HIPAA Security Rule.
• Unauthenticated webpages do not require users to log in before they can access the webpage. While the Bulletin states that tracking technologies on regulated entities’ unauthenticated webpages generally do not have access to PHI, such tracking technologies can still collect PHI and would thus implicate HIPAA. Two examples OCR provides in the Bulletin for unauthenticated webpages in which HIPAA rules would apply are (i) a login or user registration page for a patient portal when an individual provides their credentials and (ii) a webpage that addresses specific symptoms or health conditions or that permits individuals to search for doctors or schedule appointments without entering credentials.
• Information that a regulated entity’s mobile app collects, whether typed or uploaded by the individual or provided by the individual’s mobile device, is considered PHI. OCR therefore requires the regulated entity to comply with the HIPAA Rules for any PHI that the mobile app uses or discloses, including any subsequent disclosures to the mobile app vendor, tracking technology vendor, or any other third party who receives such information.
Any third-party tracking technology vendor is a business associate or a business associate subcontractor if it creates, receives, maintains, or transmits PHI on behalf of a regulated entity for a covered function under HIPAA (e.g., health care operations, payment, or treatment) or provides certain services for a regulated entity that involve the disclosure of PHI. Per the Bulletin, regulated entities must ensure that all permissible tracking technology vendors have signed a business associate agreement (BAA) and that there is an applicable permission prior to any disclosure of PHI.
Finally, the Bulletin summarizes regulated entities’ HIPAA compliance obligations as they pertain to the use of tracking technologies. The Bulletin emphasizes the following requirements of the HIPAA Rules:
• Ensure that all disclosures of PHI are permitted by the Privacy Rule and, unless an exception applies, are the minimum necessary to achieve the intended purpose of disclosure.
• Ensure that any tracking technology vendor that meets the definition of a business associate or business associate subcontractor signs a business associate agreement, or that the patient signs a HIPAA-compliant authorization prior to the disclosure.
• Analyze the tracking technologies in the entity's HIPAA Risk Analysis and Risk Management process and ensure that transmitted PHI is properly secured.
• Provide breach notification to affected individuals, the Secretary of HHS, and the media (as applicable) for any impermissible disclosure of PHI to a tracking technology vendor under HIPAA.
Other privacy laws (e.g., the GDPR) have attempted to take into account the different purposes and uses of tracking technologies in their respective requirements, but HIPAA has not. While not stated explicitly in OCR’s guidance, OCR seems to view an impermissible disclosure of PHI to a tracking technology vendor (e.g., a regulated entity providing a user’s IP address to an analytics platform to analyze website traffic) as the same HIPAA violation as a health care provider’s release of sensitive diagnosis information on a patient.
The compliance risk of tracking technologies is heightened because they are automated. Tracking technologies by design automatically send or store the relevant data, which OCR’s guidance makes clear may be PHI. As a result, an improperly set up website or mobile app may result in frequent and recurring HIPAA breaches. If a webpage has 20,000 visitors in one day, that is potentially 20,000 HIPAA breaches if tracking technologies on the webpage are improperly configured.
Regulated entities should immediately review this Bulletin in connection with their website and application policies. If you have any questions about the Bulletin, please contact us at https://goldsandfriedberg.com/contact/.