On December 1, 2022, the Centers for Medicare and Medicaid Services’ Office of Civil Rights (OCR) issued new guidance to covered entities and business associates regarding website and application user data tracking and how that tracking interacts with HIPAA.
In short, CMS is taking a broad stance that individually identifiable user data, even if that data does not contain specific treatment or billing information on the user, is in many circumstances, protected health information (PHI). This is because, in CMS’ view, when a covered entity or business associate “collects the individual’s [individually identifiable health information] through its website or mobile app, the information connects the individual to the entity (i.e., it is indicative that the individual has received or will receive health care services or benefits from the covered entity), and thus relates to the individual’s past, present, or future health or health care or payment for care.”
So what is website or mobile application tracking? Tracking technology collects information about the user when that user interacts with a website or application. If your website or app uses the following technology, you are using tracking technology:
- Web beacons/tracking pixels
- Session replay scripts
- Fingerprinting scripts; and
- Embedded tracking code within mobile applications
Covered entities that engage in website or application tracking and share the collected data internally or with outside vendors, the covered entity must share that data in a HIPAA-compliant way.
CMS describes two main categories of website interaction tracking: 1) Tracking on user-authenticated webpages; and 2) Tracking on unauthenticated webpages.
- Tracking on user-authenticated webpages. These are website locations where the user needs to enter log in information to access a website. Typical webpages that fall into this category include patient portals or telehealth platforms. Tracking technologies on these website locations will almost always include user PHI. Thus if covered entities use tracking technologies on these user-authenticated websites, the entity must ensure that the tracked user data is shared in a HIPAA compliant manner.
- Tracking on unauthenticated webpages. Public facing websites that do not require users to provide login information generally do not track user PHI. Thus user data tracked is not subject to HIPAA regulations, however some exceptions do apply:
- Public facing login or registration pages (i.e. pages that collect user ID passwords before granting more restricted website access) do collect PHI via username/registration name and password data collection and thus is subject to HIPAA protections.
- Tracking technology on a specific health condition or symptom related webpages on covered entity’s websites, or webpages that allow users to search for physicians or schedule appointments may track user data considered to be PHI. For example, tracking technologies could collect an individual’s email address and/or IP address when the individual visits an entity’s webpage to search for available appointments with a provider. This tracked data would be considered PHI.
CMS has outlined the following steps to take if choosing to keep user tracking information on your website or mobile application:
- Make sure your website or technology vendor that receives any such tracking data meets the HIPAA definition of a “business associate” and has signed a business associate agreement (BAA) and require that data sharing to that vendor follows HIPAA’s minimum necessary standards.
- Even if your company keeps all tracking information internal and does not share with outside vendors, make sure you are still following HIPAA’s minimum necessary standards and only sharing the necessary information required for each individual in your organization to do their job.
- Make sure that if your company uses tracking technologies, these are included in the your companies Risk Analysis and Risk Management processes, and follow the Security Rule’s encryption standards when sharing such information with your business associate tracking vendor.
- Make sure that any collected PHI is used only for a HIPAA permissible use or otherwise obtain a HIPAA-compliant authorization from the individual.