On December 1, 2022, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a bulletin to clarify existing requirements regarding the use of third-party tracking technologies in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) under the HIPAA Privacy, Security, and Breach Notification Rules (HIPAA Rules), which apply to regulated entities—covered entities and business associates. Notably, the bulletin highlights that a regulated entity could violate the HIPAA Rules even if its website or app only collects an IP address without collecting treatment or billing information. The bulletin (a) explains what tracking technologies are and how they are used, (b) provides insight and examples of impermissible disclosures of electronic protected health information (ePHI) to tracking technology vendors, and (c) sets forth guidance to ensure compliance with the HIPAA Rules. This alert summarizes the relevant portions of the bulletin. Health care providers must be aware of how this technology may implicate their obligations under the HIPAA Rules.
Tracking Technologies: Definition and Purpose
The OCR explains that tracking technology is generally a script or code on a website or mobile app that collects information and tracks users. Websites typically use cookies, web beacons or tracking pixels, session replay and fingerprinting scripts. Mobile apps typically collect information entered directly by the user and may also collect information from the user’s mobile device.
Tracking technologies that are developed by third parties generally transmit information directly from a regulated entity’s website or mobile app to the third party. This disclosure might include information such as a user’s:
- Login or user registration information
- Home or email address
- Medical record number
- Dates of appointments
- IP address or geographic location
- Fingerprints or other identifying biometrics
- Medical device IDs
- Any unique identifying code
The OCR has determined that this information is ePHI on the basis that it connects the user to a regulated entity. Therefore, according to the OCR, the HIPAA Rules apply. Many websites and mobile apps contain or are functionally connected to a web analytics service operated by a third-party vendor. This service may track the user’s activity by collecting the user’s IP address or mobile device identifier. Some vendors or regulated entities might not view an IP address, in and of itself, as ePHI. However, the OCR explains that this information can, in fact, be ePHI because, when a regulated entity collects this information through its website or mobile app, the information connects the individual to the regulated entity (i.e., it is indicative that the individual has received or will receive health care services or benefits from the covered entity) and, thus, relates to the individual’s past, present, or future health, health care, or payment for care.
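A practical first step toward the risk analysis the bulletin asks for is to inventory which third-party hosts a page makes the visitor's browser contact, because every such fetch discloses at least the IP address and page URL listed above before any form is filled in. The script below is an added example for this alert, not code from the OCR bulletin or from Barclay Damon; the sample page, every hostname in it, and the `baa_hosts` allowlist (assumed to be maintained by the entity from its executed BAAs) are constructed placeholders.

```python
"""Inventory the third-party resources a page embeds and flag the hosts no BAA covers.

Added example for this alert; it is not code from the OCR bulletin or from Barclay Damon.
Only the Python standard library is used. The HTML below and every hostname in it are
constructed placeholders, as is the BAA allowlist.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag attributes that make the browser contact another server. Each such fetch sends at
# least the user's IP address, the page URL (as the referrer) and any cookies set for that
# host, which is the disclosure the bulletin is concerned with.
FETCH_ATTRS = {
    "script": "src",
    "img": "src",        # 1x1 images are the classic tracking pixel
    "iframe": "src",
    "link": "href",      # stylesheets, preconnect/dns-prefetch hints
    "source": "src",
    "form": "action",    # where entered credentials or search terms are submitted
}


class ResourceCollector(HTMLParser):
    """Collect every URL the page tells the browser to load or post to."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self.inline_scripts = 0   # inline <script> blocks need manual review
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = FETCH_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self.urls.append(attrs[attr])
        if tag == "script" and not attrs.get("src"):
            self._in_inline_script = True

    def handle_data(self, data):
        if self._in_inline_script and data.strip():
            self.inline_scripts += 1

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False


def _belongs_to(host, domain):
    """True when host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def inventory(html, site_host, baa_hosts):
    """Classify each embedded resource by the host that would receive the request.

    Returns (third-party hosts without a BAA, third-party hosts with a BAA,
    number of inline scripts); the first two are sorted lists.
    """
    collector = ResourceCollector()
    collector.feed(html)
    without_baa, with_baa = set(), set()
    for url in collector.urls:
        host = urlparse(url).hostname      # None for relative URLs, i.e. first party
        if host is None or _belongs_to(host, site_host):
            continue
        if any(_belongs_to(host, h) for h in baa_hosts):
            with_baa.add(host)
        else:
            without_baa.add(host)
    return sorted(without_baa), sorted(with_baa), collector.inline_scripts


# Constructed sample: a patient-portal login page that also offers appointment scheduling.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="/static/portal.js"></script>
<script src="https://analytics.vendor-with-baa.example/collect.js"></script>
<script>document.cookie = "visited=1; path=/";</script>
</head><body>
<form action="/login" method="post"><input name="user"><input name="pass" type="password"></form>
<img src="https://pixel.ad-network.example/p.gif?event=schedule_appointment" width="1" height="1">
<iframe src="https://maps.example/find-a-doctor"></iframe>
</body></html>
"""

if __name__ == "__main__":
    no_baa, baa, inline = inventory(
        SAMPLE_HTML, "portal.hospital.example", {"analytics.vendor-with-baa.example"})
    print("third-party hosts without a BAA:", no_baa)
    print("third-party hosts with a BAA:   ", baa)
    print("inline scripts to review:       ", inline)
```

Run it against saved copies of the pages the bulletin singles out (login and registration pages, symptom pages, doctor search, appointment scheduling) and treat every host in the first list as an open finding for the risk analysis. The inline-script count is reported rather than classified because an inline script can construct requests to hosts that never appear in the markup; those blocks, and resources loaded only at runtime, still need review in the browser's network log.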
Impermissible Disclosures of ePHI
Disclosure of ePHI to a tracking technology vendor is permissible only when:
- The HIPAA Privacy Rule (Privacy Rule) permits the disclosure and there is a signed Business Associate Agreement (BAA) in place with the vendor; or
- The individual has given HIPAA-compliant authorization.
Tracking technologies subject to the HIPAA Rules are used with three distinct platforms: (1) user-authenticated webpages, (2) unauthenticated webpages, and (3) mobile apps.
The HIPAA Rules do not apply to user-provided information entered into a mobile app when the app owner is not a regulated entity. However, impermissible disclosures to nonregulated entities may still violate a Federal Trade Commission regulation.[i]
1) User-Authenticated Webpages
User-authenticated webpages are those that require the user to be logged in (e.g., a patient or health plan portal). In addition to the list of information above, ePHI disclosed from user-authenticated webpages may include the user’s diagnosis and treatment information, prescription information, and billing information. As such, according to the OCR, the HIPAA Rules apply to all user-authenticated webpages. Disclosures made from these webpages are permissible only when the tracking technology vendor is a business associate with a signed BAA.
2) Unauthenticated Webpages
Unauthenticated webpages are those that do not require the user to be logged in. For nonregulated entities, access to ePHI is generally a nonissue. However, when a user enters the user’s credentials on a regulated entity’s login or user registration page, that information is considered ePHI. According to the OCR, the HIPAA Rules apply in this case.
Additionally, a regulated entity’s unauthenticated webpage—that addresses specific symptoms or health concerns or that permits users to run a search for doctors or to schedule appointments—may disclose a user-entered email address or the user’s IP address. According to the OCR, the HIPAA Rules apply in this case.
3) Mobile Apps
Mobile apps of regulated entities may collect a wide variety of ePHI, including fingerprints, network location, geolocation, device ID, or advertising ID. According to the OCR, the HIPAA Rules apply in this case as well.
HIPAA Compliance Action Items for Regulated Entities[ii]
The OCR stresses that impermissible disclosures not only violate the Privacy Rule, but may also result in harm such as identity theft, financial loss, discrimination, stigma, or mental anguish, among others. Because the use of tracking technologies has become widespread, the OCR urges regulated entities to take the necessary steps to ensure they disclose ePHI only as expressly permitted or required by the Privacy Rule.
To comply, as explained by the OCR, regulated entities must perform each of the following steps:
- Complete risk analysis and risk management processes that address the use of tracking technologies
- Implement administrative, physical, and technical safeguards—according to the Security Rule—to protect ePHI
- Provide breach notifications to affected individuals, the secretary, and the media (when applicable) in the event an impermissible ePHI disclosure is made to a tracking technology vendor that compromises the security or privacy of PHI—when the Privacy Rule neither requires nor permits the disclosure—and there is no BAA with the vendor.[iii]
Tracking Technology Vendors That Are Business Associates (With Signed BAA)
The bulletin notes that if a vendor meets the HIPAA definition for a business associate, they are a business associate whether or not a BAA has been executed. The BAA must specify the vendor’s permitted and required uses and disclosures and provide that the vendor will comply with the HIPAA Security and Breach Notification Rules.
Tracking Technology Vendors That Are Not Business Associates (Without a Signed BAA)
If establishing a BAA is undesirable for whatever reason, disclosure of ePHI is permissible only after obtaining HIPAA-compliant authorizations. Disclosures are not permissible based solely on a regulated entity’s use of 1) its privacy policy, notice, or terms and conditions; 2) a website banner that asks for consent to the use of tracking technologies; or 3) a tracking technology vendor’s agreement to remove or de-identify ePHI before the information is saved.
Mobile Health App Guidance
On December 7, 2022, the OCR announced an updated Mobile Health App Interactive Tool designed to assist app developers with understanding the federal laws and regulations applicable to health-related mobile apps.[iv]
Barclay Damon provides counseling, contract drafting, and negotiation for matters at the intersection of health care law and information technology. The information provided in the OCR’s bulletin is noteworthy for the health care industry and should be considered in the context of an individual health care provider’s circumstances. For assistance with a particular matter, please contact the authors of this alert.
If you have any questions about the content of this alert, please contact Bridget Steele, counsel, at bsteele@barclaydamon.com; Renato Smith, Trademarks, Copyrights & IP Transactions Practice Area co-chair, at rsmith@barclaydamon.com; Ron Oakes, law clerk, at roakes@barclaydamon.com; or another member of the firm’s Health & Human Services Providers Team or Trademarks, Copyrights & IP Transactions Practice Area.
[i] See FTC guidance on online tracking.
[ii] Additional HIPAA guidance includes: Health Apps, Security Rule, Cybersecurity, Privacy Rule, and Business Associate Contracts.
[iii] OCR provides that in these circumstances a breach of unsecured PHI is presumed unless the regulated entity demonstrates a low probability that the PHI has been compromised.
[iv] Development of the tool was a collaboration between the OCR and the Federal Trade Commission (FTC), the HHS Office of the National Coordinator for Health Information Technology (ONC), and the Food and Drug Administration (FDA).