HIPAA Requirements for Using Online Tracking Technologies—What Health Care Providers Need to Know
Health care providers should evaluate their use of “tracking technologies” on their websites and mobile applications (apps) for compliance with HIPAA.
On December 1, 2022, the Office for Civil Rights (OCR) issued a bulletin that addresses providers’ HIPAA obligations when they use tracking technology. The bulletin may be a response to an article in The Markup, Facebook Is Receiving Sensitive Medical Information from Hospital Websites, dated June 16, 2022, about the widespread use of Facebook’s Meta Pixel tracking technology by hospitals, and to various lawsuits nationwide against providers for privacy violations based on tracking technologies. Relatedly—for North Carolina—Novant Health (on August 12, 2022) and WakeMed (on October 14, 2022) issued statements about a potential data breach arising from use of a Facebook tracking pixel and indicating they had ceased using the pixel. The bulletin raises serious matters that providers should consider, given what OCR calls the “proliferation of tracking technologies collecting sensitive information.”
What is a tracking technology?
According to OCR, tracking technology is a script or code on a website or mobile app that is used to gather information about users as they interact with the website or mobile app. OCR focuses on tracking technology that (a) is developed by third-party vendors, (b) is placed on a provider’s website or mobile app to collect user information, and (c) transmits the information to the vendor for analysis. The information is analyzed to create insights about users’ online activities, including potentially for improving care and patient experience. Tracking technologies collect information and track users in various ways, many of which are not apparent to the users.
OCR warns how easily the information that technology vendors collect can constitute protected health information (PHI). For example, identifying information about an individual that a vendor collects is PHI even if the individual is not a current patient of the provider and even if the information includes no specific treatment information. This is so because the information identifies the individual and associates the individual with the provider; according to OCR, those two factors are sufficient to make the information PHI. If the information the technology vendor receives is PHI, the disclosure violates HIPAA unless the Privacy Rule permits it and the vendor has signed a business associate agreement with the provider (or, as discussed below, the individual has signed a valid HIPAA authorization).
Tracking on user-authenticated webpages
Provider websites typically have “user-authenticated webpages”—which are pages users can access only after entering a user ID and password, such as a patient portal. OCR concludes that tracking technologies on these pages generally have access to PHI (e.g., an individual’s IP address, medical record number, home or email addresses, dates of appointments, or other identifying information the individual provides when interacting with the webpage, and “may even have access to an individual’s diagnosis and treatment information, prescription information, billing information, or other information within the portal”).
Tracking on unauthenticated webpages
Providers also have unauthenticated webpages (i.e., pages that do not require logging in), such as pages with general information about the provider. Ordinarily, tracking technologies on these pages will not have access to PHI, and consequently those tracking technologies are not regulated by HIPAA. However, OCR takes an expansive view and warns that tracking technologies even on those pages sometimes may have access to PHI, triggering HIPAA obligations. OCR’s examples include:
- The login page of a patient portal, and a user registration webpage where an individual creates a login for the patient portal, generally are unauthenticated because the individual does not provide credentials to access those pages. If the individual enters credentials on the login webpage or registration information (e.g., name, email address) on the registration page, that information is PHI, even though it contains no specific treatment or care information. HIPAA obligations are triggered if the tracking technology collects that information.
- Tracking technologies on webpages that address specific health conditions, such as pregnancy or miscarriage, or that let individuals search for doctors or schedule appointments without entering credentials, may have access to PHI. For example, a tracking technology could collect an individual’s email address and/or IP address when the individual visits the webpage to search for appointments. In that example, the regulated entity is disclosing PHI to the tracking technology vendor, and the HIPAA obligations apply.
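One way to start the evaluation the article recommends is an inventory of which pages load third-party scripts, pixels or iframes, and whether those pages take user input or sit behind a login. The Python script below is an added example, not code from the OCR bulletin, The Markup investigation or this article. The tracker host list, the inline-script patterns, the example-health.org domain and the sample pages are all constructed for illustration, and the clean / third_party_present / needs_review labels are the script’s own, not OCR terms.

```python
"""Static audit of a provider's pages for third-party tracking resources (added example,
not code from the OCR bulletin or the article). Hosts, patterns and sample pages are
constructed for illustration; the status labels are this script's own, not OCR's terms."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts commonly used by third-party tracking scripts (constructed, not exhaustive).
KNOWN_TRACKER_HOSTS = {"connect.facebook.net", "www.facebook.com",
                       "www.googletagmanager.com", "www.google-analytics.com"}
# Inline-script calls that initialise a tracker (constructed, not exhaustive).
INLINE_TRACKER_PATTERNS = {"meta_pixel": re.compile(r"fbq\(\s*['\"]init['\"]"),
                           "google_tag": re.compile(r"gtag\(\s*['\"]config['\"]")}


class _PageScanner(HTMLParser):
    """Collect external resource URLs, inline scripts and form signals from one page."""

    def __init__(self):
        super().__init__()
        self.resources = []        # (tag, src) for script/img/iframe with a src
        self.inline_scripts = []   # bodies of <script> elements without src
        self.has_form = False
        self.has_password_field = False
        self._script_buf = None    # list while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.resources.append((tag, a["src"]))
        elif tag == "script":
            self._script_buf = []
        elif tag == "form":
            self.has_form = True
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password_field = True

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            self.inline_scripts.append("".join(self._script_buf))
            self._script_buf = None


def audit_page(url, html, first_party_domain, authenticated=False):
    """Return a finding for one page: third-party hosts it loads and why that matters."""
    scanner = _PageScanner()
    scanner.feed(html)
    scanner.close()
    third_party = []
    for tag, src in scanner.resources:
        host = urlparse(src).hostname   # None for relative paths such as /static/site.js
        if host and host != first_party_domain and not host.endswith("." + first_party_domain):
            third_party.append((tag, host, host in KNOWN_TRACKER_HOSTS))
    inline_hits = sorted(name for name, pat in INLINE_TRACKER_PATTERNS.items()
                         if any(pat.search(body) for body in scanner.inline_scripts))
    if not third_party and not inline_hits:
        status = "clean"
    elif authenticated or scanner.has_form:
        # A tracker here can see what the user types or the identifiers behind the login:
        # the portal, login, registration and scheduling cases OCR singles out.
        status = "needs_review"
    else:
        status = "third_party_present"
    return {"url": url, "authenticated": authenticated, "collects_input": scanner.has_form,
            "credential_page": scanner.has_password_field, "third_party": third_party,
            "inline_trackers": inline_hits, "status": status}


def audit_site(pages, first_party_domain):
    """pages: iterable of (url, html, authenticated) tuples; returns one finding per page."""
    return [audit_page(u, h, first_party_domain, auth) for u, h, auth in pages]


# Constructed sample pages, not real provider pages; PIXEL_ID and G-XXXX are placeholders.
SAMPLE_PAGES = [
    ("https://www.example-health.org/about",
     "<html><head><script src='/static/site.js'></script></head><body>About us</body></html>", False),
    ("https://www.example-health.org/news",
     "<script async src='https://www.googletagmanager.com/gtag/js?id=G-XXXX'></script><p>News</p>", False),
    ("https://www.example-health.org/portal/login",
     "<script>fbq('init', 'PIXEL_ID'); fbq('track', 'PageView');</script>"
     "<noscript><img src='https://www.facebook.com/tr?id=PIXEL_ID&amp;ev=PageView'/></noscript>"
     "<form method='post'><input name='user'><input type='password' name='pw'></form>", False),
    ("https://www.example-health.org/conditions/pregnancy",
     "<script src='https://www.googletagmanager.com/gtag/js?id=G-XXXX'></script>"
     "<script>gtag('config', 'G-XXXX');</script>"
     "<form action='/find-a-doctor'><input name='q' placeholder='Find a doctor'></form>", False),
    ("https://www.example-health.org/portal/appointments",
     "<script src='https://cdn.example-vendor.com/analytics.js'></script><h1>Upcoming visits</h1>", True),
]

if __name__ == "__main__":
    for f in audit_site(SAMPLE_PAGES, "example-health.org"):
        hosts = ", ".join(h for _, h, _ in f["third_party"]) or "-"
        print(f'{f["status"]:20} {f["url"]}  third-party: {hosts}  inline: {f["inline_trackers"]}')
```

Two caveats for anyone running something like this against a real site. First, a static scan only sees tags in the served HTML; a pixel injected at runtime by a tag manager, or a script that another script loads, will not appear, so the inventory should be confirmed by capturing the browser’s network requests (developer tools or an intercepting proxy) on the login, registration, scheduling and portal pages. Second, a hit shows only that a third party can receive something from that page; what is actually transmitted, and whether that is PHI under OCR’s analysis, still has to be established by looking at the requests and at the page.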
Tracking within mobile apps
Mobile apps that providers offer to individuals (e.g., to help manage their health information and pay bills) collect a variety of information provided by the app user, including information typed or uploaded into the app, as well as information provided by the app user’s device, such as fingerprints, network location, geolocation, device ID, or advertising ID. OCR takes the position that all of this information is PHI, and HIPAA is triggered if the PHI is collected by the vendor. For example, as OCR notes, HIPAA applies to any PHI collected by a health clinic through the clinic’s mobile app used by patients to track health-related variables associated with pregnancy (e.g., menstrual cycle, body temperature, contraceptive prescription information). (Of course, HIPAA does not apply if individuals use a mobile app offered by a party that is not regulated by HIPAA, such as a Fitbit.)
HIPAA compliance obligations for providers when using tracking technologies
If a provider permits a tracking technology vendor to collect PHI, then examples of the HIPAA obligations the provider must meet include:
- Ensuring that all disclosures of PHI to tracking technology vendors are for a purpose specifically permitted by HIPAA and the vendor has signed a business associate agreement with the provider. (Note that HIPAA does not permit disclosures of PHI to a tracking technology vendor based solely on the provider informing individuals in its privacy policy, notice, or terms and conditions of use that it plans to make such disclosures.)
- Alternatively, if HIPAA does not permit the disclosure or the vendor is not a business associate, then the individuals must sign a HIPAA-compliant authorization before the PHI is disclosed to the vendor. OCR notes that website banners that ask users to accept or reject a website’s use of tracking technologies, such as cookies, do not constitute a valid HIPAA authorization.
- Critically, the HIPAA obligations cannot be met by the vendor agreeing to remove PHI from the information it receives or to de-identify the PHI before the vendor saves the information.
- Addressing the use of tracking technologies in the provider’s HIPAA risk analysis and risk management processes, and implementing HIPAA security measures (e.g., encrypting ePHI that is transmitted to the vendor) to protect the ePHI.
- Providing breach notices of an impermissible disclosure of PHI to a tracking technology vendor, such as when the disclosure is not permitted by HIPAA and there is no business associate agreement in place with the vendor.
For further assistance on these issues, contact a member of our Brooks Pierce Health Care Team.