On December 1, 2022, the U.S. Department of Health and Human Services (“HHS”) issued a bulletin regarding electronic tracking technologies and their interaction with the HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”). The bulletin defines tracking technologies, acceptable and unacceptable uses, and outlines actions covered entities should take to ensure compliance.
Tracking technologies collect information about users and their activities on a website. These technologies include cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts. As technology continues developing in general, cookies and other tracking technologies have exploded, with an estimated 85% of the top 10,000 using at least one version of a tracking technology. Tracking technologies are used for a variety of purposes, from targeted advertising to remembering and auto-filling a site’s login information. HHS’ bulletin specifically focuses on situations in which covered entities use tracking technologies developed by third parties.
To serve their purpose, tracking technologies collect information, including individually identifiable health information (“IIHI”) from website users, including their IP address, geographic location, home or email address, and medical appointment dates. HHS generally considers that when an individual visits an entity’s website or mobile app, they are indicating that they have received or plan to receive medical services from that entity, and therefore either have a current patient-provider relationship or plan to have a future one. Therefore, HHS considers all IIHI collected on a regulated entity’s website or mobile app to be Protected Health Information (“PHI”), and therefore subject to the HIPAA Rules.
Covered entities may use tracking technologies on different types of webpages and platforms. Unauthenticated webpages do not require a user to log in and may include general information about an entity and their services, policies, or procedures. Typically, tracking technologies used on unauthenticated webpages do not have access to PHI; however, there are a few notable exceptions. First, login pages for an entity’s patient portal are usually unauthenticated but may contain PHI such as credentials or registration information.
Additionally, unauthenticated webpages that contain information about specific symptoms or health conditions or allow individuals to search for a provider or schedule an appointment may also contain PHI. HHS specifically emphasizes webpages that contain information about pregnancy or miscarriage-related care as containing PHI. If a tracking technology vendor collects information from these users, the covered entity is considered to be disclosing PHI.
User-authenticated webpages require users to log in before they can fully access the webpage. Unlike unauthenticated webpages, user-authenticated webpages almost always contain PHI, which is disclosed to the tracking technology vendor. Additionally, covered entities may offer mobile apps to individuals. These apps may also collect PHI, such as fingerprints, billing information, geolocation, and device IDs. PHI collected by tracking technologies may only be disclosed for permissible purposes, or there must be prior authorization from the individual. Banners that ask users to opt-in or -out of tracking technologies and notices of privacy policies or terms and conditions are not considered a valid HIPAA authorization.
Any vendor that provides tracking technology on a user-authenticated webpage, app, or an unauthenticated webpage that contains PHI is considered a business associate under the HIPAA Privacy Rule, and a Business Associate Agreement (“BAA”) must be in place. Additionally, if a covered entity uses an app that discloses PHI to the app’s vendor or any other third party, or if the tracking technology vendor stores the protected information, the entity must comply with the HIPAA Rules and protect information appropriately.
COVERED ENTITIES SHOULD TAKE CAREFUL STEPS TO MAKE SURE THEIR TRACKING TECHNOLOGY PRACTICES COMPLY WITH THE HIPAA RULES INCLUDING:
- Ensuring that all disclosures of PHI to tracking technology vendors are specifically permitted;
- Using a tracking technology vendor that meets the definition of “business associate” and using an appropriate BAA;
- In cases of impermissible disclosures, providing breach notifications to the affected individuals and HHS.
As technology continues to develop, so will the rules regarding its acceptable uses. By staying up to date on HHS guidance and reviewing practices related to collecting, storing, and transferring PHI, providers can stay in compliance and stay focused on providing the best healthcare possible.
If you have questions or concerns about workplace practices and initiatives, please do not hesitate to reach out to any member of Gardner Skelton’s employment team.