Navigating HIPAA Compliance with Web Tracking Technologies
Compliance
HIPAA
Guide
Summary
This insight discusses how tracking technologies on websites and mobile apps can violate HIPAA by potentially disclosing Protected Health Information (PHI) without proper authorization. It emphasizes the importance of compliance with HIPAA guidelines, highlights the Office for Civil Rights (OCR) updates, and provides guidance for regulated entities on managing PHI collected through tracking technologies.
Key insights:
Definition of Tracking Technologies: Tracking technologies include cookies, web beacons, and mobile app identifiers that collect user information, which can sometimes involve PHI.
HIPAA Guidelines and Enforcement: The Office for Civil Rights (OCR) at HHS issued guidelines reminding entities of their HIPAA obligations, emphasizing that PHI includes any individually identifiable health information collected by tracking technologies.
User-Authenticated vs. Unauthenticated Pages: Both authenticated pages (e.g., patient portals) and unauthenticated pages (e.g., appointment schedulers) must comply with HIPAA if they collect PHI, though the intent behind webpage visits remains legally ambiguous.
Mobile Applications: Mobile health apps must comply with HIPAA when they collect PHI, such as medical data, but non-regulated apps like fitness trackers are not covered under HIPAA rules.
Compliance Obligations: Regulated entities must ensure disclosures comply with HIPAA, have Business Associate Agreements (BAAs) with vendors, include tracking technologies in risk analyses, and provide breach notification promptly.
OCR’s Enforcement Focus: The OCR prioritizes the HIPAA Security Rule and mitigating ePHI risks, with recent court rulings influencing the interpretation and enforcement of these guidelines.
Introduction
Compliance with the Health Insurance Portability and Accountability Act (HIPAA) is crucial for healthcare organizations and entities handling Protected Health Information (PHI) to ensure that the data is safeguarded against breaches and unauthorized access. When almost every website stores cookies and third-party vendors increasingly access users’ personal information, how can we ensure that tracking technologies are not violating HIPAA?
In this article, we aim to discuss what tracking technology is and what the latest guidelines say about how the HIPAA rules apply to them. We will also discuss the compliance obligations and enforcement of these rules.
What is a Tracking Technology?
Tracking technologies include scripts or code on websites or mobile apps that gather user information. These technologies can be beneficial in improving user experience and healthcare services but also pose risks if misused. Common tracking technologies include cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts. Mobile apps may use unique identifiers like device or advertising IDs to collect user information.
Tracking technologies can reveal highly sensitive information, such as medical conditions, treatment details, and other personal health information. Unauthorized disclosures of PHI can lead to identity theft, financial loss, discrimination, and other serious harms.
HIPAA and Online Tracking Technologies
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has issued a bulletin to remind HIPAA-covered entities and business associates about their obligations under the HIPAA Privacy, Security, and Breach Notification Rules when using online tracking technologies. These technologies collect and analyze user interactions with websites or mobile applications, often as part of healthcare operations. HIPAA rules apply if the collected data includes PHI.
OCR initially issued these guidelines on December 1, 2022. The first bulletin followed a June 2022 article and various lawsuits against providers for privacy violations due to tracking technologies. The article found that one-third of hospital websites had tracking code transmitting user data to Meta, Google, and others, in seven cases from within password-protected patient portals. This suggested that many more hospitals likely transferred sensitive data without the appropriate agreements and without patient consent. It has also been suggested that OCR issued its initial guidance to protect patient anonymity following the U.S. Supreme Court’s June 2022 decision in Dobbs v. Jackson Women’s Health Organization.
The original guidance broadly defined third-party tracking technologies and their potential to collect PHI, requiring HIPAA compliance whenever individually identifiable health information (IIHI) was collected. OCR indicated that IIHI, such as a medical record number, email address, dates of appointments, IP address, or any unique identifier collected from a regulated entity’s website or app, is generally considered PHI. This applies even if the user has no existing relationship with the entity at the time of collection and even if the information does not include treatment or billing details.
This led to a joint letter from OCR and the Federal Trade Commission (FTC) in July 2023 to over 130 regulated entities, emphasizing compliance risks. In November 2023, the American Hospital Association (AHA) filed a lawsuit against HHS and OCR to challenge the guidance. In response, OCR issued the updated guidance on March 18, 2024, to clarify when information collected by technology vendors may be considered PHI and to provide more flexibility for regulated entities in handling such data. It also emphasized that OCR’s enforcement priority would be the HIPAA Security Rule. In this article, we will be referring to the 2024 guidelines as the standard.
Guidance for Using Tracking Technologies
To ensure compliance with HIPAA, regulated entities should consider the following when using tracking technologies.
How do the HIPAA Rules Apply?
User-Authenticated Webpages
Websites that require user login often collect PHI. For example, a patient portal or telehealth platform may collect an individual’s IP address, medical record number, home or email address, and dates of appointments. Tracking technologies on these pages must comply with the HIPAA Privacy Rule, ensuring PHI is only used and disclosed appropriately, and the HIPAA Security Rule, ensuring the security of electronic PHI (ePHI).
Unauthenticated Webpages
Public pages that do not require a login can also collect PHI. For example, if a webpage allows users to schedule appointments or use a symptom-checker tool, it may collect identifiable health information. If tracking technologies on these pages access PHI, the HIPAA Rules apply.
Non-PHI Collection: A user visits a hospital’s webpage for job postings or visiting hours. The collection of the user’s IP address and geographic location does not involve PHI as it is not related to health care.
PHI Collection: A user visits a hospital’s webpage for oncology services to seek a second opinion. Collecting the user’s IP address and visit information involves PHI as it relates to their health care.
This distinction is one of the most significant updates made in the 2024 guidelines, but it remains unclear how the intent behind a webpage visit can be determined in practice. Legally, this point is still unsettled.
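The tracking technologies described above (pixels, analytics scripts) typically send the page URL and identifiers to a vendor host, which is exactly what turns a visit to an oncology page or a patient portal into a PHI disclosure. The following audit is an added example, not code from the original article or from OCR: it takes a constructed list of pages and the outbound requests observed on each (in a browser these would come from `performance.getEntriesByType('resource')` or a HAR export) and flags third-party requests fired in a PHI context that are not covered by a BAA. The site host, page categories, vendor hosts and the query-parameter names in `LEAKY_PARAMS` are all assumptions for illustration.

```javascript
// Added example (not from the original article): inventory third-party requests
// fired from pages of a regulated entity's site and flag those that fall in a
// PHI context under the 2024 OCR guidance. All hosts and pages are constructed
// sample data (reserved .example domains).

const SITE_HOST = 'hospital.example'; // assumed first-party host

// First-party means the site host itself or one of its subdomains.
function isThirdParty(requestUrl, siteHost = SITE_HOST) {
  const host = new URL(requestUrl).hostname;
  return !(host === siteHost || host.endsWith('.' + siteHost));
}

// A visit is treated as a PHI context when the user is authenticated (patient
// portal, telehealth) or when the unauthenticated page collects or relates to
// the visitor's health care (scheduler, symptom checker, condition pages).
// Job postings or visiting hours are not.
function isPhiContext(page) {
  if (page.authenticated) return true;
  return page.category === 'health-service' || page.category === 'intake';
}

// Query parameters that commonly carry the page URL or identifiers to vendors.
// Assumed names for illustration, not a complete list.
const LEAKY_PARAMS = ['dl', 'url', 'ref', 'uid', 'email', 'mrn'];

function leakedFields(requestUrl, page) {
  const u = new URL(requestUrl);
  const hits = [];
  for (const [k, v] of u.searchParams) {
    if (LEAKY_PARAMS.includes(k)) hits.push(k);
    else if (v.includes(page.path)) hits.push(k); // page path echoed in any param
  }
  return hits;
}

function auditPage(page, requestUrls, siteHost = SITE_HOST) {
  const findings = [];
  for (const url of requestUrls) {
    if (!isThirdParty(url, siteHost)) continue;
    const vendorHost = new URL(url).hostname;
    findings.push({
      page: page.path,
      vendor: vendorHost,
      phiContext: isPhiContext(page),
      fields: leakedFields(url, page),
      // A third-party disclosure in a PHI context needs a BAA with that
      // vendor or the individual's HIPAA authorization.
      needsBaaOrAuthorization:
        isPhiContext(page) && !page.baaVendors.includes(vendorHost),
    });
  }
  return findings;
}

// Constructed sample pages and the outbound requests observed on each.
const SAMPLE = [
  {
    page: { path: '/careers', category: 'informational', authenticated: false, baaVendors: [] },
    requests: [
      'https://hospital.example/static/app.js',
      'https://analytics.vendor-a.example/collect?dl=https%3A%2F%2Fhospital.example%2Fcareers',
    ],
  },
  {
    page: { path: '/services/oncology/second-opinion', category: 'health-service', authenticated: false, baaVendors: [] },
    requests: [
      'https://pixel.vendor-b.example/tr?id=123&dl=https%3A%2F%2Fhospital.example%2Fservices%2Foncology%2Fsecond-opinion',
      'https://cdn.hospital.example/img/logo.png',
    ],
  },
  {
    page: { path: '/portal/appointments', category: 'portal', authenticated: true, baaVendors: ['analytics.vendor-a.example'] },
    requests: [
      'https://analytics.vendor-a.example/collect?uid=patient-42&ev=view',
      'https://pixel.vendor-b.example/tr?id=123&ev=view',
    ],
  },
];

function runAudit(samples = SAMPLE) {
  return samples.flatMap(({ page, requests }) => auditPage(page, requests));
}

// Only the disclosures that require action (a BAA, authorization, or removal).
function actionable(samples = SAMPLE) {
  return runAudit(samples).filter(f => f.needsBaaOrAuthorization);
}

console.log(JSON.stringify(actionable(), null, 2));
```

On the sample data the careers page produces no actionable finding (the vendor receives an IP and page URL, but the visit is not health-care related), the oncology page flags the pixel that receives the full page URL, and the portal flags only the vendor without a BAA. The output is an inventory to feed into the risk analysis, not a legal determination of intent.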
Mobile Applications
Mobile apps collect various user-provided information, including data typed into the app and device-related information like device fingerprints, geolocation, device ID, or advertising ID. For instance, a diabetes management app might collect glucose levels and insulin doses. This information is considered PHI, and the app must comply with HIPAA Rules for using and disclosing this data.
However, HIPAA Rules do not protect information users voluntarily download or enter into mobile apps not developed by regulated healthcare entities. For example, HIPAA does not apply to health information entered into a non-regulated mobile app, even if the information comes from a medical record, so healthcare data stored on your Fitbit or iPhone will not be covered by HIPAA. In such cases, other laws like the FTC Act and the Health Breach Notification Rule (HBNR) may apply if a mobile health app impermissibly discloses user health information.
HIPAA Compliance Obligations
Regulated entities must comply with the HIPAA Rules when using tracking technologies that access PHI. Here are some key obligations:
Disclosure of PHI: Disclosures to tracking technology vendors must comply with the HIPAA Privacy Rule, ensuring only the minimum necessary PHI is shared. Informing users through a privacy policy or website banners asking them to permit cookies does not suffice for HIPAA authorization.
Business Associate Agreements (BAAs): Entities must have BAAs with tracking technology vendors that meet the definition of business associates. These agreements should detail the protection and use of PHI. The 2024 updates further state that if a tracking technology vendor does not provide satisfactory assurances via a BAA to safeguard PHI, the regulated entity can establish a BAA with another vendor, such as a Customer Data Platform vendor, to de-identify the information before disclosing it to the original vendor. However, it remains to be seen how useful this is since vendors usually seek identifiable information.
If the regulated entity does not want a business associate relationship, it cannot disclose PHI to the vendor without the individual’s authorization.
Risk Analysis and Management: Entities must include tracking technologies in their risk analysis and implement safeguards to protect ePHI, such as encryption and access controls.
Breach Notification: Entities must notify affected individuals, the Secretary of HHS, and the media (if applicable) in case of an impermissible disclosure of PHI.
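The disclosure and BAA obligations above translate into a decision that has to be made for every event before it leaves the site: is this a PHI context, does the vendor have a BAA, is there an individual authorization, and if none of those hold, can the event be de-identified (the role the 2024 guidance assigns to a Customer Data Platform vendor under its own BAA) or must it be blocked? The gate below is an added example, not code from the original article or from any vendor; the event schema, the vendor records and the field policy are assumptions. The removal list follows the HIPAA Safe Harbor identifier categories as they apply to a typical web analytics event (IP address, email, medical record number, device and advertising IDs, precise geolocation, dates other than year) and is not a substitute for a formal de-identification determination.

```javascript
// Added example (not from the original article): a disclosure gate between a
// regulated entity's event pipeline and its tracking vendors. Event fields,
// vendor records and the policy sets are assumptions for illustration.

// Direct identifiers dropped outright when no BAA covers the vendor
// (Safe Harbor categories as they appear in a web analytics event).
const DIRECT_IDENTIFIERS = new Set([
  'ip', 'email', 'name', 'mrn', 'phone', 'deviceId', 'advertisingId',
  'accountId', 'latitude', 'longitude',
]);

// Fields an analytics vendor does not need even under a BAA
// (the Privacy Rule's minimum necessary standard).
const NOT_NECESSARY_FOR_ANALYTICS = new Set(['mrn', 'email', 'name', 'phone']);

function isPhiContext(event) {
  return event.authenticated === true ||
    event.pageCategory === 'health-service' || event.pageCategory === 'intake';
}

function removeFields(event, fields) {
  const out = {};
  for (const [k, v] of Object.entries(event)) if (!fields.has(k)) out[k] = v;
  return out;
}

// Replace the exact page path (which reveals the condition or service) with
// its category, drop the query string, and reduce the timestamp to the year.
function generalize(event) {
  const out = { ...event };
  out.page = out.pageCategory;
  delete out.path;
  delete out.query;
  if (out.timestamp) out.timestamp = new Date(out.timestamp).getUTCFullYear();
  return out;
}

// What a BAA-covered de-identification step (e.g. a CDP vendor) would apply
// before forwarding an event to a vendor that has no BAA.
function deidentify(event) {
  return generalize(removeFields(event, DIRECT_IDENTIFIERS));
}

// Returns { action: 'send' | 'block', payload, reason }.
function gateEvent(event, vendor) {
  if (!isPhiContext(event)) {
    // Not PHI (job postings, visiting hours): still apply minimum-necessary hygiene.
    return { action: 'send', payload: removeFields(event, NOT_NECESSARY_FOR_ANALYTICS), reason: 'non-PHI context' };
  }
  if (vendor.hasBaa) {
    return { action: 'send', payload: removeFields(event, NOT_NECESSARY_FOR_ANALYTICS), reason: 'BAA in place; minimum necessary applied' };
  }
  // A HIPAA authorization recorded for this individual. A cookie banner or
  // privacy policy does not count. Disclosures under an authorization are
  // not subject to the minimum necessary standard.
  if (event.hipaaAuthorization === true) {
    return { action: 'send', payload: event, reason: 'individual authorization on file' };
  }
  if (!vendor.acceptsDeidentified) {
    // Vendor insists on identifiable data and has no BAA: do not disclose.
    return { action: 'block', payload: null, reason: 'PHI context, no BAA, vendor requires identifiers' };
  }
  return { action: 'send', payload: deidentify(event), reason: 'de-identified before disclosure' };
}

// Constructed sample event from an unauthenticated oncology page visit.
const SAMPLE_EVENT = {
  ip: '203.0.113.7', email: 'pat@example.org', mrn: 'MRN-0001',
  path: '/services/oncology/second-opinion', query: 'q=second+opinion',
  pageCategory: 'health-service', authenticated: false,
  timestamp: '2024-03-18T10:15:00Z', userAgentFamily: 'Firefox',
};

// Constructed vendor records.
const VENDORS = {
  withBaa: { name: 'vendor-a', hasBaa: true, acceptsDeidentified: true },
  noBaa: { name: 'vendor-b', hasBaa: false, acceptsDeidentified: false },
  noBaaDeid: { name: 'vendor-c', hasBaa: false, acceptsDeidentified: true },
};

for (const v of Object.values(VENDORS)) {
  const r = gateEvent(SAMPLE_EVENT, v);
  console.log(v.name, r.action, '-', r.reason, JSON.stringify(r.payload));
}
```

Run as-is, the event is blocked for `vendor-b`, sent without the medical record number and email to `vendor-a` (the BAA permits the IP address and page path, but they are not needed for analytics), and sent to `vendor-c` as a year, a page category and a browser family only. The same event from a careers page passes through the first branch because, per the guidance, the IP address and visit are not PHI there.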
OCR’s Enforcement Priorities
The OCR prioritizes compliance with the HIPAA Security Rule, ensuring that entities have mitigated risks associated with ePHI in tracking technologies. Investigations are fact-specific and involve reviewing technical information about a regulated entity’s use of tracking technologies.
On June 20, 2024, the U.S. District Court for the Northern District of Texas issued a significant ruling that vacated part of the guidance concerning the use of online tracking technologies under HIPAA. The court declared unlawful the guidance that HIPAA obligations are triggered when an online technology connects an individual’s IP address with a visit to an unauthenticated public webpage addressing specific health conditions or healthcare providers. HHS is currently evaluating its next steps in response to this ruling.
The bulletin does not have the force and effect of law; it is meant to clarify existing requirements for the public. If you believe your health privacy rights have been violated, you can file a complaint with the OCR online.
Conclusion
In conclusion, ensuring compliance with HIPAA rules amidst the use of tracking technologies is essential for safeguarding PHI. Recent updates and guidelines emphasize the need for regulated entities to carefully manage and secure PHI accessed through these technologies, including through proper disclosures, business associate agreements, and robust risk management practices. Vigilance in adhering to these standards remains crucial amid evolving legal interpretations and enforcement priorities.
Ensure HIPAA Compliance with Walturn's Expertise
Navigating the complexities of HIPAA compliance, especially in the era of digital tracking technologies, can be challenging. Walturn is here to help you safeguard your organization and protect patient data. Our team of experts will guide you through the latest guidelines, ensuring your business stays compliant and secure. Don't leave your compliance to chance—partner with Walturn today to mitigate risks and maintain trust.
References
Ahmed, Abdullah. “HIPAA Compliance - a Comprehensive Guide for Healthcare Organizations - Walturn Insight.” Walturn, https://walturn.framer.website/insights/hipaa-compliance-understanding-and-mitigating-risks-in-healthcare-data-privacy.
Brooks Pierce. “HIPAA Requirements for Using Online Tracking Technologies—What Health Care Providers Need to Know.” Brooks Pierce, www.brookspierce.com/publication-hipaa-requirements-for-using-online-tracking-technologies-what-health-care-providers-need-to-know.
Doverspike, Bree. “Updated OCR Guidance on Online Tracking Technologies.” Hall Booth Smith, P.C., 2 Apr. 2024, hallboothsmith.com/ocr-guidance-online-tracking-technologies.
Martinez, Carson. “OCR Updates Guidance on Use of Online Tracking Technologies | Morrison Foerster.” Morrison Foerster, www.mofo.com/resources/insights/240329-ocr-updates-guidance-on-use-of-online-tracking-technologies.
Office for Civil Rights. “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” HHS.gov, 26 June 2024, www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html.
Thomas, Joyrene. “Online Tracking Technologies by HIPAA-Covered Entities.” Jscrambler, jscrambler.com/blog/online-tracking-technologies-by-hipaa-covered-entities.