How Healthcare Providers Interpret Tracking Technology Compliance – The National Law Review

The use of online tracking technologies, which provide valuable insights into the behaviors of website and mobile application users, has become routine in today’s online ecosystem. Companies employ tracking technologies to determine how online visitors interact with such companies’ websites or apps, including what content or features draw visitors and which pages they browse. Insights gleaned from such tracking are used to enhance the functionality of websites and apps and update user interfaces to better align with user needs and preferences.
The healthcare industry has not shied away from using this technology, often leveraging these tools to help improve the patient experience. However, growing scrutiny by the Office for Civil Rights (OCR), which enforces the Health Insurance Portability and Accountability Act of 1996 (HIPAA), requires covered entities and business associates to proceed with caution in their use of such technologies.
In 2022 alone, several major health systems have had to disclose to OCR and millions of patients that their use of tracking technologies may have led to unauthorized disclosure of protected health information (PHI). Amid a growing number of these incidents and related class action lawsuits, OCR issued a bulletin on Dec. 1, 2022 (“Bulletin”) reminding covered entities and business associates that they “are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.” [1] In the Bulletin, OCR makes clear that regulated entities need to deliberately consider and, if needed, take certain precautions in their use of such technologies.
In the Bulletin, OCR defines a tracking technology as “a script or code on a website or mobile app used to gather information about users as they interact with the website or mobile app.” For websites, these technologies can come in the form of cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts. Mobile apps, on the other hand, often embed tracking code within the app to enable collection of both information directly provided by the user and the user’s mobile device-related information.
OCR does not limit all uses of tracking technologies by covered entities and business associates, provided that the collection and processing of PHI are for permissible purposes in furtherance of the organization’s healthcare operations under HIPAA. Instead, the guidance addresses situations where the technology sends information directly to third party tracking technology vendors, who provide insights based upon the information collected from the tracking. For example, Google and Meta (formerly Facebook) each offer the use of tracking “pixels,” or code embedded in a website, to gain these insights.
The recent lawsuits and news articles regarding use of these technologies demonstrate that third party technology tracking vendors who receive PHI often are not operating under Business Associate Agreements (BAAs). This may be because some of these technologies are provided free to users, and the vendors in most instances disavow any need to collect PHI and accordingly instruct users to avoid sending PHI or other personally identifiable information.[2] Ultimately, covered entities and business associates may not disclose PHI to third parties unless such disclosure is to a business associate pursuant to a BAA or the disclosure is made pursuant to an individual’s HIPAA-compliant authorization. In this arena, it is typically impractical for organizations to secure BAAs with the vendors or HIPAA-compliant authorizations from individuals. 
HIPAA applies when information that covered entities and business associates collect through tracking technologies or disclose to tracking technology vendors includes PHI. The Bulletin broadly defines PHI to include all individually identifiable health information (IIHI) that is collected on a regulated entity’s website or mobile app. Information such as an individual’s medical record number, IP address, appointment dates, or geographic location are considered PHI under HIPAA if they relate to the individual’s past, present, or future physical or mental health or condition, provision of healthcare, or payment for care.
In a conclusory fashion, OCR asserts that IIHI collected on a website or mobile app “generally, is PHI, even if the individual does not have an existing relationship” with the entity, since “the information connects the individual to the regulated entity.” According to OCR, this connection is “indicative that the individual has received or will receive healthcare services or benefits from the covered entity” regardless of whether the IIHI is limited to IP address or geographic location.[3] In other words, if inferences regarding a person’s health or treatment may be gleaned from the tracking information — whether or not those inferences are accurate — OCR deems the tracking information PHI. If those individual identifiers are shared with third party vendors, HIPAA regulated entities must ensure that the PHI is not shared unless an appropriate BAA is in place or patient authorizations have been obtained.
The Bulletin highlights the significant risk of user-authenticated websites (i.e., where the individual logs in to his or her online profile, such as through a patient portal), since the tracking technologies would have increased access to detailed treatment information, including diagnostic and billing information, on those sites. Although unauthenticated websites generally do not provide such access to an individual’s PHI, the disclosure of PHI can still occur. For example, tracking technologies could collect an individual’s email address and/or IP address when the individual visits a hospital’s webpage to search for available appointments with a healthcare provider, and such information in this context is PHI. A medical practice’s mobile application that collects network location, geolocation, device IDs or advertising IDs would be collecting PHI.
OCR emphasizes that if a tracking technology vendor is not a business associate and the disclosure is not otherwise permitted by the Privacy Rule, then individuals’ authorizations are required before PHI may be disclosed to the vendor. Although website banners could provide an easy avenue for obtaining consent (by having individuals click to accept or reject the website’s use of cookies), the Bulletin asserts that the use of such banners does not constitute a valid HIPAA authorization, presumably because a valid authorization must include certain specific statements along with the individual’s signature. Instead, regulated entities must explicitly request and obtain an individual’s written authorization to share her PHI with third parties who are not business associates for tracking purposes. It is foreseeable that most reasonable individuals would decline to authorize the use of their PHI for such purposes, resulting in an inconclusive data set and skewed analytics results for the regulated entity. Not only would sharing PHI without an authorization under these circumstances contravene HIPAA, but there is the further possibility of complaints to the Federal Trade Commission that the collection and use of individuals’ tracking data constitute unfair and deceptive trade practices.
The Bulletin implies that healthcare providers must also broach the topic of tracking technologies with their business associates. For instance, if a provider is utilizing an e-prescribing service, and that service has third party tracking technologies enabled on its websites, the disclosure of PHI is not permitted unless the service has configured the websites so that they do not share PHI with the tracking vendors.
Although the safest strategy would be to refrain from using third-party tracking technologies, the insights gained from such tracking provide valuable business benefits. To continue using tracking technologies in a way that diminishes litigation and regulatory risk, covered entities and business associates should work with their information technology, compliance, and legal teams to fully assess the scope and extent of their tracking behaviors. Steps that may be taken to reduce risk include:
Create an inventory of all existing third-party tracking activities on the regulated entity’s websites and/or apps, as well as an inventory of whether an entity’s business associates are utilizing tracking technologies.
Ensure business associates are not impermissibly sharing PHI through their own use of tracking technologies.
Determine if the tracking activities result in a disclosure of PHI to a third party and, if possible, configure the tracking technology so that it does not disclose PHI.
For all tracking activities that disclose PHI to a third party, ensure either (1) the entity executes a BAA with the third party, or (2) the entity obtains appropriate authorizations from patients prior to disclosing their PHI.
Consider developing in-house tracking technology that does not share data with third parties.
Eliminate or limit the placement of tracking technologies on user-authenticated webpages.
Conduct a risk assessment following a potential breach of PHI through tracking technologies, and make any required breach notifications.
By conducting this type of risk analysis, covered entities and business associates can take steps to benefit from tracking technologies while avoiding noncompliance with HIPAA.
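The first mitigation step above, inventorying third-party tracking on an entity's pages, can be started with a static scan of the HTML for script, image and iframe sources that load from hosts other than the entity's own. The following is an added example, not code from the article or from OCR; the vendor host map and the sample page are constructed for illustration, and the first-party test is deliberately simplified (a hostname suffix match rather than full eTLD+1 logic).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed, illustrative vendor map (not from the Bulletin): host suffix -> label.
KNOWN_VENDOR_HOSTS = {"connect.facebook.net": "Meta Pixel", "facebook.com": "Meta Pixel",
                      "googletagmanager.com": "Google Tag Manager",
                      "google-analytics.com": "Google Analytics"}

class SrcCollector(HTMLParser):
    """Collect (tag, src) for every script, img and iframe, in document order."""
    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "img", "iframe") and src:
            self.resources.append((tag, src))

def _vendor_for(host):
    for suffix, label in KNOWN_VENDOR_HOSTS.items():
        if host == suffix or host.endswith("." + suffix):
            return label
    return None  # third party but unmapped: still needs manual review

def inventory_trackers(html, site_host):
    """Return third-party script/img/iframe resources in html. site_host is the entity's
    own hostname; any other host counts as third party (simplified, no eTLD+1 handling)."""
    p = SrcCollector()
    p.feed(html)
    findings = []
    for tag, src in p.resources:
        host = urlparse(src).hostname or site_host  # relative URL -> first party
        if host != site_host and not host.endswith("." + site_host):
            findings.append({"tag": tag, "url": src, "host": host, "vendor": _vendor_for(host)})
    return findings

# Constructed sample page: a first-party script, a Google tag, an unmapped third-party
# session replay script, a Meta pixel image and a first-party patient portal iframe.
SAMPLE_HTML = """<html><head><script src="/static/app.js"></script>
<script src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="//cdn.replay-vendor.example/record.js"></script>
<img src="https://www.facebook.com/tr?id=000&ev=PageView&noscript=1" height="1" width="1"/>
<iframe src="https://portal.example-health.org/appointments"></iframe></head></html>"""
```

A static scan of delivered HTML undercounts: tags injected at runtime (for example by a tag manager) only show up in the browser's network requests, so pair this with a browser-captured crawl of both unauthenticated pages and the authenticated portal. Each finding with no BAA then maps directly onto step (4) above, and any unmapped host is a vendor to identify before deciding whether PHI reaches it.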
[1] HHS Press Office, "HHS Office for Civil Rights Issues Bulletin on Requirements under HIPAA for Online Tracking Technologies to Protect the Privacy and Security of Health Information," HHS.gov (Dec. 1, 2022).
[2] See, e.g., Google, "Best practices to avoid sending Personally Identifiable Information (PII)," Analytics Help, google.com.
[3] OCR fails to address those instances when a visitor to a website may never form any relationship with the organization.
About this Author
Trish represents healthcare providers and related organizations across the country on an array of healthcare regulatory compliance, reimbursement, licensure, and operational matters, with a special focus on issues surrounding health information privacy, security, and technology. Trish provides strategic and practical advice regarding HIPAA and other data privacy and security laws, information blocking and interoperability requirements, telehealth and health information exchange initiatives, technology licensing and services arrangements, cybersecurity risks and data…
Brad counsels clients in responses to cybersecurity and other data incidents and provides guidance in ensuing governmental investigations and actions. He has extensive experience across a broad range of cyber incidents, including ransomware attacks, network intrusions, business email compromises, and denial of service attacks, affecting a multitude of industries, including the healthcare, retail, automotive, manufacturing, information technology, and education sectors. In addition to his incident response practice, Brad assists businesses with risk mitigation against…
 