
OCR Issues Bulletin Regarding the Use of Web Tracking Technologies

Posted on December 21, 2022 in Health Information Technology, Health Law News

Published by: Hall Render

On December 1, 2022, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) issued a Bulletin on the obligations of covered entities and business associates (regulated entities) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) when using online tracking technologies, such as cookies, web beacons and pixels.

The Bulletin aims to clarify when identifiable information collected by such tracking technologies may constitute protected health information (“PHI”) as defined and interpreted under the HIPAA Rules. The Bulletin provides guidance to help regulated entities review their use of tracking technologies to ensure that the technologies they utilize either do not collect and transmit PHI or meet the prerequisites outlined in the Bulletin. Several key points from the Bulletin are summarized below.

Background

Organizations usually implement tracking technologies in order to better understand how their websites are used and the effectiveness of ads and other website features. Generally, tracking technologies developed by third parties (e.g., tracking technology vendors) send information directly to the third parties who developed such technologies. These technologies include cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts. Common tracking technologies include Meta (Facebook) Pixel, Google Analytics, Microsoft Clarity, Adobe Analytics, Salesforce, Hotjar and SiteImprove. Typically, tracking technologies collect information about unique website visitors and begin to develop a profile about each visitor. Mobile apps can capture similar details about users through code directly embedded in the app.

The potential disclosure of PHI by regulated entities through tracking technologies was brought to light by an article in The Markup that was published on June 16, 2022, which was cited by OCR in the Bulletin. Since that article was published, several regulated entities have reported breaches arising from the use of tracking technologies.

For more information on this issue and the increasing scrutiny into the use of web tracking technology by health care organizations, see our previous alert on the topic.

Bulletin Summary

The Bulletin provides a clear picture of how OCR believes HIPAA applies to the use of web tracking technologies by regulated entities. The following are some significant takeaways from the Bulletin:

1. Information disclosed to tracking technology vendors through tracking technologies placed on a regulated entity’s website or mobile app is likely PHI when it includes any individually identifiable information because such information connects the individual to the regulated entity.

The information disclosed through the use of tracking technologies could include a variety of identifiers, including an individual’s email address, IP address, dates of appointments, geographic location and various other details about website visitors and mobile app users. OCR’s guidance specifically notes that when a regulated entity collects and transmits an individual’s individually identifiable information through its website or mobile app, the information connects the individual to the regulated entity which indicates that the individual is, or may become, an individual receiving or paying for health care services or benefits from the covered entity. Said otherwise, if the information collected from an individual and transmitted through the use of tracking technologies includes any information that identifies the individual, even indirectly, or for which there is a reasonable basis to believe it can be used to identify the individual, the presence of the tracking technology itself may be enough to create an inference that the information is related to the health of an individual, and thus is individually identifiable health information (“IIHI”) under HIPAA.

Further, OCR clarified that all IIHI collected on a regulated entity’s website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the IIHI does not include specific treatment or billing information. An individual does not have to be a patient of the health care provider or a beneficiary of the health plan for the information to be PHI, nor does the information need to include specific treatment information like diagnoses or medical history.

2. The specific page that an individual interacts with on a regulated entity’s website impacts whether or not the information is PHI. Tracking tools on authenticated pages of a website are more likely to collect PHI.

Unsurprisingly, OCR takes the position that any tracking technologies implemented on a website for which the regulated entity requires a user to log in before further accessing certain content (i.e., user-authenticated pages) must be managed in accordance with the HIPAA Rules. This would include a patient or health plan beneficiary portal or a telehealth platform, among other user‑authenticated webpages. OCR reasons that tracking technologies on user-authenticated webpages tend to have access to sensitive PHI, such as an individual’s IP address, medical record number, home or email addresses, dates of appointments or other identifying information that the individual may provide when interacting with the webpage.

With respect to unauthenticated webpages with general information about the regulated entity, OCR notes that those pages generally do not have access to PHI, in which case they would not be regulated by the HIPAA Rules. However, in some cases, tracking technologies on unauthenticated webpages may have access to PHI where individuals interact with the webpage rather than simply browsing for general information. OCR provides the following examples of unauthenticated webpages where a tracking technology would capture PHI by virtue of collecting individually identifiable information:

  • Login pages of a patient portal or a user registration webpage where an individual creates a login for the patient portal; if the individual enters credential information on that login webpage or enters registration information (e.g., name, email address) on that registration page, such information is PHI that could be collected by tracking technologies.
  • Webpages that address specific symptoms or health conditions, such as pregnancy or miscarriage (e.g., symptom checkers or health assessments).
  • Webpages where users can search for a provider or schedule an appointment, even if the page does not require a login to perform the search.

3. Filtering mechanisms or de-identification procedures employed by a tracking technology vendor upon receipt of information are insufficient for HIPAA compliance.

Some tracking technology vendors indicate that the information transmitted through the use of tracking technologies is filtered or de-identified prior to the vendor processing or storing such information. However, the Bulletin makes it clear that the initial disclosure of PHI to a tracking technology vendor is still a disclosure of PHI that must comply with HIPAA, regardless of what the vendor does with the information once it is received. Accordingly, such initial disclosures of PHI would not comply with the HIPAA Rules unless there is a business associate agreement (“BAA”) between the regulated entity and the tracking technology vendor or the disclosure has been made pursuant to a HIPAA-compliant authorization.

4. Regulated entities must enter into BAAs with tracking technology vendors who meet the definition of a business associate.

Where a tracking technology vendor meets the definition of a business associate under HIPAA, a regulated entity must enter into a BAA with the vendor. Furthermore, the BAA must specify the permitted uses and disclosures and otherwise meet all HIPAA requirements for BAAs.

5. Disclosures of PHI through tracking technologies without a BAA require a HIPAA‑compliant authorization.

The Bulletin clearly states that disclosures of PHI to tracking technology vendors are permissible under HIPAA if there is a BAA between the vendor and the regulated entity or if the regulated entity obtains HIPAA-compliant authorization from the individual whose PHI is disclosed. However, OCR is careful to note that website privacy policies that describe the use of tracking technologies or website banners that ask users to accept or reject a website’s use of cookies do not constitute HIPAA-compliant authorizations, and thus are insufficient.

6. Regulated entities must include the use of tracking technologies in their risk analysis and risk management processes.

The HIPAA Security Rule requires regulated entities to perform a periodic analysis of the risks and vulnerabilities to electronic PHI (“ePHI”) and to develop a plan for addressing and managing those risks. Regulated entities that utilize web tracking technologies must ensure that any use of tracking technologies is subject to those risk analysis and risk management processes.

7. Where impermissible disclosures of PHI to tracking technology vendors have occurred, regulated entities must provide breach notification to appropriate parties.

In the event that a regulated entity determines that impermissible disclosures of PHI have occurred through tracking technologies, the regulated entity is required to notify individuals and OCR of such disclosures. The Bulletin reiterates that where a disclosure of PHI occurs without an applicable exception or authorization and where no BAA exists, there is a presumption that there has been a breach of unsecured PHI that can only be overcome if the regulated entity can demonstrate that there is a low probability that the PHI has been compromised.

Practical Takeaways

1. Conduct a prompt and thorough investigation.

The issue of whether or not a regulated entity is engaging in the impermissible disclosure of PHI through the use of these tracking technologies requires an extremely complex analysis. It is difficult to understand the full scope of information each tracking technology collects and what information it transmits. Accordingly, we cannot overstate the importance of a detailed forensic review in order to fully determine the nature and extent of the information that the tracking technologies are collecting and transmitting. Regulated entities utilizing third-party tracking technologies on any webpages should work with legal counsel to undertake a detailed forensic investigation to better understand the scope and scale of the tracking technology implementation and determine whether or not a HIPAA violation may have occurred.

Details related to the placement and configuration of tracking technologies are critical in determining what information is transmitted. In working with a highly experienced forensic investigation firm on many of these cases, we identified situations in which a tracker, or code related to tracking functions, has been deployed on client webpages unexpectedly, in unconventional ways, and without the organization’s full knowledge.

2. Be careful to not interpret the term PHI too narrowly in this context.

In our work with regulated entities on these investigations, it is common to spend significant time evaluating whether information collected through the entity’s website is PHI. Notably, an individual user’s IP address, device identifiers and web URL are just a few of the types of information that HIPAA says identifies, or could be used to identify, individuals. Certainly, there are some situations in which an IP address or the geographic location of an individual’s device by itself is not PHI. However, it is important to note that an IP address or geographic location combined with other information provided by users through a webpage or mobile app potentially could be used to identify the individual and therefore may be PHI.

Additionally, the Bulletin clarifies that information does not have to relate to the past, present or future health care (or payment for care) of a patient, but to any identifiable individual. The Bulletin states that an individual does not have to have an existing relationship with the regulated entity in order for the information to be PHI. This is consistent with the fact that HIPAA refers to the subjects of the information as individuals, not patients.

3. Carefully consider and document any HIPAA breach risk assessment that is performed.

If a regulated entity determines that an impermissible disclosure of PHI has occurred from the use of web tracking technology, notification obligations under the HIPAA Breach Notification Rule will follow unless the regulated entity can demonstrate through a risk assessment of at least four factors that there is a low probability that the PHI has been compromised. While OCR did not preclude the possibility of a low probability conclusion, the Bulletin helps to clarify how receptive OCR might be to a low probability of compromise conclusion based on those factors:

  • Nature and extent of the PHI. With respect to this factor, an overly narrow interpretation of what is PHI, as described above, could influence the risk assessment toward a lower probability of compromise than OCR may be willing to accept.
  • Recipient of the PHI. While these investigations aren’t finding that tracking technology vendors are likely to engage in some of the nefarious actions that are common to data breaches (e.g., identity theft), tracking technology vendors often are organizations whose primary purpose is to gather as much data as possible about individuals to use for a variety of commercial purposes, and regulators such as OCR have consistently demonstrated concern with the commercial use of PHI (and in some cases even PHI that has been de‑identified) by data-focused companies like Meta and Google.
  • Was the PHI acquired or viewed? Regulated entities could potentially argue that the probability of compromise is low because tracking technology vendors, such as Meta, take steps to filter out or de-identify any PHI that they receive. However, statements from Meta to date regarding their filtering mechanism have been carefully worded and very narrow in scope. We believe that OCR is likely to be skeptical of any claims that rely on trust in the effectiveness of such filtering mechanisms.
  • Other Mitigating Factors. A regulated entity may want to argue that the probability of compromise is mitigated because the entity has a website privacy policy that notifies users of the presence of tracking technologies, or because the entity’s website contains banners or click-throughs that ask users to accept or reject cookies. However, it is not clear how much weight OCR would give to that argument in circumstances where OCR believes that authorization is required, given that the Bulletin views those types of acknowledgments from individuals as insufficient to meet HIPAA’s authorization requirements.

4. Enter into BAAs with all tracking technology vendors who will receive PHI.

Regulated entities should determine whether a BAA is in place with each tracking technology vendor that includes written satisfactory assurances that the vendor will appropriately safeguard PHI. Regulated entities must be sure that any such BAA contains all required HIPAA elements and that it specifically covers the vendor’s tracking technology-related activities. Some tracking technology vendors perform other types of activities for regulated entities, and the BAA in place with those vendors may not cover the use of tracking technologies. Regulated entities should be sure to review any existing BAAs with tracking technology vendors to ensure that they are sufficiently comprehensive.

5. Implement reasonable and appropriate safeguards for the use of tracking technologies.

Regulated entities must address the use of tracking technologies in their risk analysis and risk management processes, as well as implement other administrative, physical and technical safeguards in accordance with the HIPAA Security Rule. Examples of other safeguards include encrypting ePHI that is transmitted to the tracking technology vendor, and enabling and using appropriate authentication, access, encryption and audit controls when accessing ePHI maintained in the tracking technology vendor’s infrastructure.

If your organization is using web tracking technologies on your website, or is unsure whether it is, and would like to discuss next steps, we encourage you to reach out to:

Hall Render blog posts and articles are intended for informational purposes only. For ethical reasons, Hall Render attorneys cannot give legal advice outside of an attorney-client relationship.