The HHS’ Office for Civil Rights has recently issued guidance on online tracking technologies and HIPAA for covered entities and business associates to help them avoid violations of HIPAA and patient privacy.
Online tracking technologies consist of a script or code that is added to websites and applications for the purpose of tracking the activities of users. These technologies are often used to identify user journeys on websites, such as the pages they visit, the time they spend on certain pages, whether individuals have made purchases, the pages they exited on, and other information about site use. That information is valuable to owners of websites and applications as it can be used to improve services. The insights gained by healthcare providers can be used to improve care and the patient experience.
Tracking technologies can include cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts. These technologies can track users on a specific website, but also as they navigate the web. These technologies often use unique identifiers taken from the user’s device, such as a device ID or an IP address. The information collected allows the owner of a website, mobile app, and any third party that is provided with the collected information to build up a profile of the user. When these technologies are added to websites and applications, they are often invisible to users, and while these technologies have benefits there is also potential for misuse, which can include stalking, harassment, or even identity theft.
When it comes to online tracking technologies and HIPAA, there are important considerations for regulated entities as there is considerable potential for HIPAA violations to occur, especially when third-party tracking technologies are used. Many big tech firms offer tracking code snippets, including Google, Meta (Facebook), and other social media platforms. The code snippets capture data for use by website and mobile app owners, but the data collected is usually transmitted to the third parties that developed the code. Individuals may also continue to be tracked once they have navigated away from the original website or application.
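A first step a regulated entity can take before any of the questions below arise is to inventory which third parties a page actually loads code or pixels from, since those are the parties that receive the visitor's request (and, via the referrer, the page path). The following audit script is an added example, not code from the article or from OCR: it parses a page's HTML, lists every script, image, or frame served from a host outside the first-party site, flags 1x1 images as tracking pixels, and marks the page as sensitive when its path sits under a patient-facing area. The hostnames, the tracker URLs, and the `SENSITIVE_PREFIXES` list are constructed placeholders, and the "first party" test is a crude last-two-labels comparison rather than a public-suffix lookup.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed patient-facing URL prefixes; adjust to the real site layout.
SENSITIVE_PREFIXES = ("/portal/", "/appointments/", "/my-chart/")


class _ResourceCollector(HTMLParser):
    """Collect (tag, url, attrs) for elements that trigger a network load."""

    TRACKED = {"script": "src", "img": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = self.TRACKED.get(tag)
        if attr is None:
            return
        d = dict(attrs)
        url = d.get(attr)
        if url:
            self.resources.append((tag, url, d))


def _registrable(host):
    # Crude approximation (assumption): treat the last two labels as the site.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_third_party_loads(html, page_url):
    """Return every resource the page loads from a host other than its own."""
    first_party = _registrable(urlparse(page_url).hostname or "")
    collector = _ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, url, attrs in collector.resources:
        # scheme="https" lets protocol-relative "//host/x" URLs parse to a host;
        # relative paths such as "/static/app.js" yield no host and are first party.
        host = urlparse(url, scheme="https").hostname
        if not host or _registrable(host) == first_party:
            continue
        tiny = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
        kind = "tracking pixel" if tag == "img" and tiny else tag
        findings.append({"tag": tag, "kind": kind, "host": host, "url": url})
    return findings


def is_sensitive_page(page_url, prefixes=SENSITIVE_PREFIXES):
    """True when the page path lies under an assumed patient-facing area."""
    path = urlparse(page_url).path
    return any(path.startswith(p) for p in prefixes)


def audit(html, page_url, prefixes=SENSITIVE_PREFIXES):
    """Summarise which external hosts receive requests from this page.

    Each listed host sees at least the visitor's IP address and, through the
    Referer header, typically the page path as well; on a sensitive page that
    path alone can indicate that the visitor is a patient.
    """
    loads = find_third_party_loads(html, page_url)
    return {
        "page": page_url,
        "sensitive": is_sensitive_page(page_url, prefixes),
        "third_party_hosts": sorted({f["host"] for f in loads}),
        "findings": loads,
    }


# Constructed sample page: one first-party script and image, plus three
# external loads (an analytics tag, a 1x1 pixel, and an embedded frame).
SAMPLE_PAGE_URL = "https://portal.example-hospital.test/portal/appointments"
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script async src="https://tags.example-analytics.test/tag.js?id=CONSTRUCTED-ID"></script>
</head><body>
<img src="https://px.example-social.test/tr?ev=PageView" width="1" height="1" style="display:none">
<iframe src="//embed.example-video.test/player"></iframe>
<img src="/images/logo.png" alt="logo">
</body></html>
"""

if __name__ == "__main__":
    report = audit(SAMPLE_HTML, SAMPLE_PAGE_URL)
    print("sensitive page:", report["sensitive"])
    for f in report["findings"]:
        print(f"{f['kind']:15} {f['host']}")
```

Run against a crawl of the site's own pages, the output is a per-page list of external recipients that can be checked against the entity's business associate agreements; any host on a sensitive page that has no agreement behind it is the situation the guidance below addresses.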
This summer, an investigation was conducted by The Markup into the use of online tracking technologies by hospitals, which found that one-third of the top 100 hospitals in the United States were using tracking technologies on their websites and, in some cases, had added the code to their patient portals. Recently, a second study was conducted into the use of tracking technologies by telehealth providers, which found 49 of the 50 websites tested were using tracking technologies on their sites. These studies revealed that individually identifiable health information was being transferred to third parties via these technologies.
The HIPAA Privacy Rule does not prohibit the use of tracking technologies on websites and applications; however, HIPAA does apply if these technologies collect and transmit individually identifiable health information because that information is generally considered PHI. OCR confirmed that if an individual is on a healthcare provider’s website or is using their application, it is indicative that the individual has received or will receive healthcare services or benefits from the covered entity. PHI is individually identifiable information that relates to an individual’s past, present, or future health or healthcare or payment for care.
If PHI is transmitted to a third party, there must either be a business associate agreement in place or a HIPAA-compliant patient authorization must be obtained. OCR confirmed that “tracking technology vendors are business associates if they create, receive, maintain, or transmit PHI on behalf of a regulated entity for a covered function (e.g., health care operations) or provide certain services to or for a covered entity (or another business associate) that involve the disclosure of PHI.” In such cases, prior to any disclosure of PHI – i.e. adding the tracking technology to a website – a signed business associate agreement must be obtained. HIPAA-regulated entities must also ensure that the disclosure of PHI to the business associate is expressly permitted by the HIPAA Privacy Rule, and if so, the information disclosed is subject to the minimum necessary standard.
If the HIPAA Privacy Rule does not permit the disclosure of PHI to the vendor, then a HIPAA-regulated entity must obtain HIPAA-compliant authorizations from patients. OCR stressed that stating that tracking technologies are in use in a website notice of privacy practices, and/or using website banners and popups that ask a user to accept or reject the use of tracking technologies such as cookies, does not constitute a valid HIPAA authorization.
“If a regulated entity does not want to create a business associate relationship with these vendors, or the chosen tracking technology vendor will not provide written satisfactory assurances in the form of a BAA that it will appropriately safeguard PHI, then the entity cannot disclose PHI to the vendors without individuals’ authorizations,” explained OCR.
Following the investigation by The Markup, several hospitals reported the use of tracking technologies to OCR as impermissible disclosures of PHI. They were right to do so. OCR confirmed that any HIPAA-regulated entity that has used online tracking code on its websites or applications that involved the transfer of PHI to a third party without a business associate agreement in place or HIPAA-compliant authorizations must report these incidents as impermissible disclosures, and breach notifications must be sent to the affected individuals.
You can read about online tracking technologies and HIPAA in OCR guidance on the HHS website.