In a December 2022 bulletin published by the Office for Civil Rights at the U.S. Department of Health and Human Services (HHS), HHS made clear that the use of third-party tracking technologies by covered entities and business associates is subject to HIPAA privacy and security rules. The use of tracking technologies developed by third-party vendors is increasingly common, and much of the LTCi industry is subject to HIPAA privacy and security rules as either covered entities or business associates. HHS noted in the bulletin that covered entities and business associates “are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of [protected health information (“PHI”)] to tracking technology vendors or any other violations of the HIPAA Rules.” And, as applied to the use of tracking technologies, HHS’s view of what constitutes PHI may be broader than expected.
What Are Tracking Technologies?
Tracking technologies (including cookies, pixels, and other similar technologies) collect information about individuals who interact with an entity’s website or mobile application (“mobile app”). Businesses use a variety of tracking technologies on websites and mobile apps to improve functionality and learn more about users’ activities. Tracking technologies developed by third parties generally involve the sharing of data back to that third party, so when a HIPAA-covered entity or business associate uses these tracking technologies, it must be cognizant of what data is being shared, to whom, and for what purpose.
In its recent bulletin, HHS highlighted cookies, pixels, and session replay scripts, among other tracking technologies. Cookies are small text files that a website places in an individual’s browser to collect data about that individual. Not all cookies are tracking cookies. For example, an entity can place cookies on its own website for purposes such as ensuring the functionality of the website. Tracking pixels (also called web beacons) are small image files that load when an individual opens an email or visits a website. Pixels can track user behaviors on a website or mobile app (e.g., interactions with ads or other features). Session replay scripts record users’ interactions with the website or app (e.g., mouse movements and typing).
How Does HIPAA Apply to the Use of Tracking Technologies?
A key part of understanding how HIPAA applies to this information sharing is understanding the definition of PHI. PHI is individually identifiable health information (“IIHI”) that is created or received by a covered entity (or business associate), that relates to the past, present or future health of an individual, the provision of healthcare services to an individual, or payment for healthcare services provided to an individual, and that identifies or could reasonably be used to identify the individual. 45 C.F.R. § 160.103.
When individuals access a covered entity or business associate’s website or mobile app, tracking technologies may automatically obtain the user’s IP address and other identifying information. Users may also be prompted to or have an opportunity to enter a variety of identifying information (name, e-mail, policy number, phone number, address), which may be picked up by tracking technologies. HHS concluded that a variety of identifiers, even standing alone, may constitute PHI:
[Information disclosed to tracking vendors] might include an individual’s medical record number, home or email address, or dates of appointments, as well as an individual’s IP address or geographic location, medical device IDs, or any unique identifying code. All such IIHI collected on a regulated entity’s website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the IIHI, such as IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services. [1]
The bulletin highlights a number of specific examples and provides guidance related to the use of tracking technologies in a variety of contexts (e.g., on user-authenticated webpages).
Practical Implications for Covered Entities and Business Associates
The bottom line is that covered entities and business associates must review tracking technologies on their website and mobile app to ensure that they are consistent with HIPAA’s privacy and security rules, and that business associate agreements are in place with tracking technology vendors that may receive PHI. There are several key steps that covered entities and business associates should consider in response to this bulletin. Covered entities and business associates should:
- determine what tracking technologies are used on their website and mobile app (by them, by downstream business associates, and by any other third parties) and verify what information is collected by and disclosed through these tracking technologies;
- review relationships with all tracking technology vendors to determine if the vendors meet the definition of a business associate, and if so, consider entering into business associate agreements with these vendors;
- ensure that any PHI disclosures that are permitted by HIPAA are limited to the minimum necessary to achieve the intended purpose of the disclosure (and consider whether the use of tracking technologies is necessary);
- review and update their security management process, including both the risk analysis and risk management, regarding the use of tracking technologies, to ensure that the proper policies and procedures are in place; and
- review and update their privacy policy to include information disclosures through tracking technologies (if necessary).
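As an added example (not from the HHS bulletin or the authors of this alert), the following Python script is a first-pass inventory for the first step above: it parses a page’s HTML, lists script, image and iframe sources served from hosts other than the first-party domain, flags 1x1 third-party images as likely tracking pixels, and notes identifying form fields (name, email, policy number, etc.) on the same page. The hosts, field list and sample HTML are constructed placeholders, and a real review would also cover cookies, JavaScript-injected tags and mobile SDKs that static parsing cannot see.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Form field names treated as identifiers (constructed list for this example).
IDENTIFYING_FIELDS = {"name", "email", "phone", "address", "policy_number"}

class TrackerAuditor(HTMLParser):
    """Collects third-party script/img/iframe sources and identifying form inputs."""
    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host
        self.third_party = []        # (tag, host, url)
        self.pixels = []             # hosts of 1x1 third-party images
        self.identifying_inputs = []

    def is_first_party(self, host):
        return host == self.first_party_host or host.endswith("." + self.first_party_host)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            host = urlparse(a["src"]).hostname
            if host and not self.is_first_party(host):
                self.third_party.append((tag, host, a["src"]))
                if tag == "img" and a.get("width") == "1" and a.get("height") == "1":
                    self.pixels.append(host)   # looks like a tracking pixel
        if tag == "input" and (a.get("name") or "").lower() in IDENTIFYING_FIELDS:
            self.identifying_inputs.append(a["name"])

def audit_page(html, first_party_host):
    """Summarise what a page loads from third parties and which identifiers it collects."""
    p = TrackerAuditor(first_party_host)
    p.feed(html)
    return {
        "third_party_hosts": sorted({h for _, h, _ in p.third_party}),
        "pixel_hosts": sorted(set(p.pixels)),
        "identifying_inputs": sorted(p.identifying_inputs),
        # Identifiers entered on a page that also loads third-party code may be PHI.
        "identifiers_exposed_to_third_parties": bool(p.third_party and p.identifying_inputs),
    }

# Constructed sample page; the .test hosts are placeholders, not real vendors.
SAMPLE_HTML = """<html><body>
<script src="https://www.example-insurer.test/app.js"></script>
<script src="https://analytics.example-vendor.test/tag.js"></script>
<img src="https://pixel.example-adtech.test/p.gif" width="1" height="1">
<form><input name="email"><input name="policy_number"><input name="q"></form>
</body></html>"""

if __name__ == "__main__":
    print(audit_page(SAMPLE_HTML, "example-insurer.test"))
```

Each third-party host the script reports is a candidate for the business associate review in the second step above.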
[1] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html
The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.