On December 1, 2022, the HHS Office for Civil Rights (OCR) issued a notice describing the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements for online tracking technologies to protect the privacy and security of health information. This notice explains how HIPAA rules apply to the use of online tracking technologies by regulated entities on their web pages and mobile applications.
Online tracking technologies consist of code or scripts that share information about how a visitor interacts with a web page or mobile application. Tracking technologies commonly found on websites include cookies, tracking pixels, and other web beacons, while mobile applications often use tracking code embedded in the application itself to share user information. Tracking user information can help improve the patient experience and get more relevant information to those who need it, but disclosing this information carries risks. While some website or mobile app creators write their own tracking technologies, tracking technologies are most commonly developed by third parties such as Meta/Facebook and Google.
Healthcare providers may be in violation of HIPAA rules if they disclose protected health information (PHI) to third-party tracking technology vendors. OCR’s announcement explains that individually identifiable health information (IIHI) includes an individual’s medical record number, home address, email address, appointment date, IP address or geographic location, and medical device ID or other unique identifier. This information is generally considered PHI even if the IP address or geographic location is not connected to a specific healthcare service or billing information. The announcement states that the information is considered PHI even if a website visitor has no existing relationship with the provider, because when a tracking technology collects a visitor’s IIHI, there is an indication that the visitor has received or will receive health care services from that provider.
The announcement describes how HIPAA applies to tracking technologies on user-authenticated pages (pages where users must log in, such as patient portals), on unauthenticated pages (where users are not required to log in), and in mobile applications. On user-authenticated pages, providers must ensure that any tracking technologies present use and disclose PHI only in accordance with the HIPAA Privacy Rule and Security Rule. Tracking technology vendors are business associates, and a business associate agreement (BAA) is required before PHI is disclosed to them, when the vendor regularly receives, maintains, or transmits PHI on behalf of the provider to perform a covered function (e.g., healthcare operations) or provide services.
For unauthenticated web pages, HIPAA rules apply if tracking technologies on those pages have access to PHI. For example, if a tracking technology collects someone’s email address or IP address when they visit their provider’s web page and search for available appointments, that information is PHI and is protected by HIPAA. HIPAA rules also apply to any PHI collected through a provider’s mobile app, such as when someone tracks menstrual cycles, temperature, or prescription information. Mobile application PHI includes information entered or uploaded into the application as well as information provided by the user’s device, such as fingerprints, network location, geolocation, device ID, or advertising ID. However, HIPAA does not protect information entered into mobile applications provided by entities not regulated by HIPAA.
The OCR Bulletin sets out additional considerations for regulated entities using tracking technologies. They must ensure that the HIPAA Privacy Rule permits any disclosure of PHI to tracking technology vendors. Notifying individuals in a privacy policy or in terms and conditions that PHI is disclosed to tracking technology vendors is not sufficient. Likewise, a website banner asking a visitor to accept or decline a website’s use of tracking technology is not a valid HIPAA authorization, nor is it sufficient for a tracking technology vendor to agree to delete or de-identify PHI from the information it receives. If a provider discloses any PHI to a vendor without the individual’s authorization, the vendor must have signed a BAA and the disclosure must be permitted under the applicable Privacy Rule provisions. The OCR Bulletin also outlines considerations for establishing a BAA with a tracking technology vendor that meets the definition of a “business associate.”
The full text of the HHS OCR Notice, “Use of Online Tracking Technology by Entities and Business Associates Covered by HIPAA,” is available here.