Office of Civil Rights Issues Guidance on the Use of Third-Party Tracking Technologies by HIPAA-Regulated Entities
The U.S. Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) issued guidance regarding the obligations of HIPAA Covered Entities and Business Associates under the HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) when they use online third-party tracking technologies (“tracking technologies”) as part of their operations.
HIPAA Covered Entities may employ tracking technologies (directly or through vendors) to analyze how customers interact with the entity’s website or mobile app. The HIPAA Rules apply when a covered entity’s use of tracking technologies leads to the collection or disclosure of protected health information (PHI). The collection or disclosure of PHI (including the sharing of PHI with third-party vendors for marketing purposes) must have HIPAA-compliant authorizations.
As explained more below, the most important takeaway from the OCR’s new guidance is that an IP address itself constitutes “individually identifiable health information” (“IIHI”) when it is collected through tracking technology on a covered entity’s website or mobile app.
Covered Uses of Tracking Technologies
The guidance defines tracking technologies as “script or code on a website or mobile app used to gather information about users as they interact with the website or mobile app.” The most common tracking technologies are cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts.
Under the guidance, IIHI includes:
- Individual’s medical record number,
- Home or email address,
- Dates of appointments,
- An individual’s IP address or geographic location,
- Medical device IDs, or
- Any unique identifying code.
The guidance states that the foregoing IIHI is also PHI because “when a regulated entity collects the individual’s IIHI through its website or mobile app, the information connects the individual to the regulated entity (i.e., it is indicative that the individual has received or will receive health care services or benefits from the covered entity.)”
The guidance addresses the use of tracking technologies on user-authenticated web pages, unauthenticated web pages, and within mobile apps.
Key Takeaways from OCR’s Guidance
- An IP address alone is IIHI
The guidance states that an IP address alone is IIHI, even where the individual does not have an existing relationship with the covered entity, or even if the IP address is not connected to treatment information (dates and types of healthcare service) or billing information. The OCR reasons that the IP address alone is IIHI because when it is collected from a healthcare entity website, “it is indicative that the individual has received or will receive healthcare services or benefits from the covered entity.” Thus, OCR takes the position that the IP address “relates to the individual’s past, present, or future health or health care or payment for care.”
- A covered entity must have a Business Associate Agreement (BAA) with tracking technology vendors if they have access to user-authenticated pages
User-authenticated pages on a covered entity’s website (e.g., a patient portal) contain PHI. Thus, use and disclosure of that PHI are subject to the HIPAA Privacy Rule. Under the guidance, a tracking technology vendor is a “Business Associate” if it “create[s], receive[s], maintain[s], or transmit[s] PHI on behalf of a regulated entity for a covered function (e.g., health care operations) or provide[s] certain services to or for a covered entity (or another business associate) that involve[s] the disclosure of PHI.” Thus, the covered entities must enter BAAs with the vendors to comply with the HIPAA Rules.
- A covered entity must have a Business Associate Agreement (BAA) with tracking technology vendors for unauthenticated pages if the unauthenticated pages contain PHI.
Generally, unauthenticated pages do not contain PHI. However, a covered entity must have a BAA with a tracking technology vendor if it is conducting tracking on an unauthenticated page that contains PHI. Examples include:
- The login page or the registration page of a patient portal, because the user is providing credentials.
- Unauthenticated pages that provide general information about specific symptoms or conditions (e.g., pregnancy or miscarriage), or allow a user to schedule an appointment because when combined with the user’s email address or IP, it becomes PHI.
- A covered entity must have a BAA with tracking technology vendors for tracking of PHI within a mobile app.
Under the guidance, the following constitutes PHI:
- Information input by the user (including credentials)
- App user’s device
- Network location
- Device ID
- Advertising ID
The covered entity must have a BAA with a tracking technology vendor if the vendor is collecting any of the foregoing information. The guidance makes clear that the HIPAA rules do not apply to the information that a user voluntarily enters into an app maintained by an entity that is not regulated by HIPAA.
- The BAA must comply with the HIPAA Rules
The guidance provides additional direction surrounding the sharing of PHI with technology-tracking vendors:
- A BAA is necessary even if the website or mobile app has terms or a policy that discloses that tracking technologies are being used and that information is being shared with a third-party vendor.
- A vendor’s de-identification of the data before it saves it does not obviate the need for the covered entity to enter a BAA with the vendor.
- If the vendor is not a Business Associate (and no other applicable Privacy Rule permission exists), the covered entity must obtain HIPAA-compliant authorizations before sharing PHI with a tracking technology vendor. A website banner requesting consent to use tracking technologies is not HIPAA compliant.
- Ensure that the vendor meets the definition of a “Business Associate.” Entering a BAA with an entity that does not meet the definition of “Business Associate” is not valid under HIPAA rules.
- The covered entity must include the use of tracking technologies in its risk analysis and risk management process.
- The OCR considers an impermissible disclosure of PHI to a technology tracking vendor “that compromises the security or privacy of PHI” as an incident that requires breach notification.
- It is unclear whether the OCR’s position that an IP address alone is IIHI (and in turn PHI when collected on the covered entity’s website or mobile app) is consistent with the statutory definitions. Nonetheless, covered entities should comply with the guidance until the OCR, Congress, or a court provides further guidance.
- Covered entities should immediately analyze the extent of the use of tracking technologies on their websites and mobile apps.
- The guidance likely is not retroactive. However, covered entities employing tracking technology should immediately enter the appropriate BAAs with their vendors.
- Covered entities should analyze whether the continued use of tracking technologies is worth the risk of a potential HIPAA violation.
- Covered entities who continue to use tracking technologies should incorporate the use into their HIPAA risk analysis and risk management procedures.
Clark Hill’s attorneys can help you determine what HIPAA obligations (if any) are triggered by an entity’s use of tracking technology, and what the entity needs to do to comply with those obligations.
The views and opinions expressed in the article represent the view of the authors and not necessarily the official view of Clark Hill PLC. Nothing in this article constitutes professional legal advice nor is it intended to be a substitute for professional legal advice.