Not so fast: HHS OCR warns that HIPAA applies to online tracking technologies | Hogan Lovells

Like other entities with an online presence, many health organizations deploy common third-party tracking technologies on their websites and mobile applications to analyze user online interactions, such as pages a user views, buttons clicked, and form field submissions. They can be used for a variety of purposes, from internal analytics to targeted advertising. While these technologies are pervasive throughout the internet, use by entities in the streaming, finance and health sectors in particular have come under strict scrutiny as recent media coverage, regulator inquiries, and litigation have raised questions regarding whether the use of those tracking technologies results in the impermissible disclosure of sensitive information to third parties. The Guidance makes clear that OCR’s position is that specific areas of health organizations’ online properties are regulated by HIPAA and online tracking technologies may be used in those areas only in accordance with the HIPAA Rules.

How do the HIPAA Rules apply to use of tracking technologies?

The Guidance reiterates that the HIPAA Rules always apply to protected health information (PHI) as defined under HIPAA, but also seeks to address an important question for health organizations that have websites or mobile apps: what data collected online is PHI? On that question, OCR says it depends on the website or app—and even the page or screen within that website or app—through which the data was collected and the context for its collection.

Notably, the Guidance provides that:

  • Individually identifiable health information collected through tracking technologies is likely to be considered as PHI. In the context of information collected through tracking technologies, the Guidance indicates PHI may include IP addresses, mobile device identifiers, and home or email addresses, among other data elements, even if that information does not include specific treatment or billing information, and even if the regulated entity does not have a pre-existing relationship with an individual. The Guidance also makes it clear that HIPAA compliance obligations apply even when a third-party tracking technology vendor de-identifies the tracking data before further processing that data.

  • Tracking technologies inside of a user authenticated account or patient or health plan beneficiary portal likely collect and transmit PHI. Tracking technologies within such locations are likely to have access to PHI, according to the Guidance, including specific information regarding an individual’s health conditions or treatments and billing information. The Guidance provides, for example, that “if an individual makes an appointment through the [authenticated] website of a covered health clinic for health services and that website uses third party tracking technologies, then the website might automatically transmit information regarding the appointment and the individual’s IP address to a tracking technology vendor.” Thus, regulated entities are expected to address HIPAA compliance obligations for the collection and transmission of information through tracking technologies deployed on user authenticated webpages.

  • Tracking technologies outside of a user authenticated account or patient or health plan beneficiary portal are less likely to transmit PHI, but may nonetheless trigger HIPAA compliance obligations. While tracking technologies on unauthenticated webpages typically do not access an individual’s PHI, the Guidance notes that HIPAA will apply in “certain circumstances.” Those circumstances are not fully described; instead, the Guidance provides a few examples. In OCR’s view, information transmitted through tracking technologies on a patient portal log-in page, user registration webpage, appointment scheduling tool, or find a doctor functionality is likely to include PHI. The Guidance further provides that trackers on unauthenticated webpages that address specific symptoms of health conditions, “such as pregnancy or miscarriage,” may also transmit PHI. (The callout to pregnancy and miscarriage information is notable given increased focus on the privacy of reproductive health information following the decision in Dobbs v. Jackson Women’s Health Organization.)

If a website or mobile application contains PHI, the Guidance outlines key compliance steps that HIPAA-regulated entities must take in order to comply with the HIPAA Rules when using tracking technologies on such websites or mobile applications.

  • Privacy Rule Compliance. HIPAA-regulated entities generally must confirm that there is a permissible purpose (e.g., health care operations) for disclosing PHI to, and enter into a Business Associate Agreement (“BAA”) with, third-party tracking technology vendors. Otherwise, an authorization may be required.

  • Security Rule Compliance. HIPAA-regulated entities that collect PHI through third-party tracking technologies must comply with the HIPAA Security Rule by (i) addressing use of such technologies in their risk analysis, risk management, and evaluation processes and (ii) confirming appropriate administrative, physical, and technical safeguards are in place to protect PHI collected through tracking technologies.

  • Breach Notification Rule Compliance. Where there has been an impermissible disclosure of PHI to unauthorized individuals, including third-party vendors that support website operations and related data, third-party tracking technology vendors, or others (e.g., where there is no BAA in place with the vendor), HIPAA-regulated entities must analyze notice obligations under applicable data breach notification requirements.

Considerations for non-HIPAA-Covered Webpages and Mobile Applications

Although the HIPAA Rules do not apply to the use of tracking technologies by non-HIPAA regulated entities, or non HIPAA-covered portions of HIPAA-regulated entity websites and mobile applications, state and federal consumer protection and privacy laws still may apply. The Guidance identifies practices, such as identifying use of tracking technologies in a privacy policy or terms of use, or utilizing cookie banners that, while insufficient for meeting HIPAA obligations, may assist with meeting obligations under such other laws. It also highlights that the impermissible disclosure of health information by non-HIPAA regulated entities may be subject to the FTC Breach Notification Rule, a rule for which the FTC has issued recent guidance, and views as applying broadly to consumer-facing health applications.

Next Steps

In light of the Guidance and recent scrutiny over the use of third-party tracking technologies in the health sector, health organizations may now want to analyze their website and mobile operations and how any tracking technologies are deployed. Key steps include:

  • Inventory use of tracking technologies. Review use of tracking technologies to identify where they are deployed and potential disclosures of PHI or other sensitive data to third-party tracking technology vendors.

  • Conduct review of websites and mobile apps. Review existing internet-facing properties to determine which pages and/or screens within unauthenticated websites and apps collect PHI. Confirm that any identified HIPAA-covered uses of tracking technologies are informing the approach to HIPAA compliance, including Security Rule risk analysis and evaluation processes.

  • Enter into BAAs with third-party tracking technology vendors. Where there is a permissible purpose for disclosing PHI to a third-party tracking technology vendor, enter into a BAA with the vendor for use of the technology on any HIPAA-covered websites or mobile applications. Where a BAA is not possible, consider whether to obtain individual authorization in compliance with HIPAA or terminate third-party tracking technology on affected parts of the website or app.

  • Analyze any potential notification obligations. To the extent PHI has been disclosed to unauthorized individuals, including third-party vendors that support website operations and related data, third-party tracking technology vendors, or others, absent a BAA or other permissible basis, conduct an assessment under HIPAA to determine whether the incident amounts to a notifiable breach under the HIPAA Breach Notification Rule.

  • Assess obligations under federal and state consumer protection and privacy laws. Review compliance with legal requirements under other state and federal laws that regulate the use of tracking technologies, including the California Consumer Privacy Act (“CCPA”) and additional state privacy laws that will soon take effect in Colorado, Connecticut, Utah, and Virginia.

* Pariss Briggs is a Law Clerk in the Washington, DC, office.