The use of online tracking technologies, which provide valuable insights into the behaviors of website and mobile application users, has become routine in today’s online ecosystem. Companies employ tracking technologies to determine how online visitors interact with such companies’ websites or apps, including what content or features draw visitors and which pages they browse. Insights gleaned from such tracking are used to enhance the functionality of websites and apps and update user interfaces to better align with user needs and preferences.
The healthcare industry has not shied away from using this technology, often leveraging these tools to help improve the patient experience. However, growing scrutiny by the Office for Civil Rights (OCR), which enforces the Health Insurance Portability and Accountability Act of 1996 (HIPAA), requires covered entities and business associates to proceed with caution in their use of such technologies.
In 2022 alone, several major health systems have had to disclose to OCR and millions of patients that their use of tracking technologies may have led to unauthorized disclosure of protected health information (PHI). Amid a growing number of these incidents and related class action lawsuits, OCR issued a bulletin on Dec. 1, 2022 (“Bulletin”) reminding covered entities and business associates that they “are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.” In the Bulletin, OCR makes clear that regulated entities need to deliberately consider and, if needed, take certain precautions in their use of such technologies.
1. Definition of Tracking Technologies and When They are (Not) Permitted
In the Bulletin, OCR defines a tracking technology as “a script or code on a website or mobile app used to gather information about users as they interact with the website or mobile app.” For websites, these technologies can come in the form of cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts. Mobile apps, on the other hand, often embed tracking code within the app to enable collection of both information directly provided by the user and the user’s mobile device-related information.
OCR does not prohibit every use of tracking technologies by covered entities and business associates, provided that the collection and processing of PHI are for permissible purposes in furtherance of the organization’s healthcare operations under HIPAA. Instead, the guidance addresses situations where the technology sends information directly to third party tracking technology vendors, who provide insights based upon the information collected from the tracking. For example, Google and Meta (formerly Facebook) each offer the use of tracking “pixels,” or code embedded in a website, to gain these insights.
The recent lawsuits and news articles regarding use of these technologies demonstrate that third party tracking technology vendors who receive PHI often are not operating under Business Associate Agreements (BAAs). This may be because some of these technologies are provided free to users, and the vendors in most instances disavow any need to collect PHI and accordingly instruct users to avoid sending PHI or other personally identifiable information. Ultimately, covered entities and business associates may not disclose PHI to third parties unless such disclosure is to a business associate pursuant to a BAA or the disclosure is made pursuant to an individual’s HIPAA-compliant authorization. In this arena, it is typically impractical for organizations to secure BAAs with the vendors or HIPAA-compliant authorizations from individuals.
2. Broad Interpretation of What Constitutes PHI for Tracking Purposes
HIPAA applies when information that covered entities and business associates collect through tracking technologies or disclose to tracking technology vendors includes PHI. The Bulletin broadly defines PHI to include all individually identifiable health information (IIHI) that is collected on a regulated entity’s website or mobile app. Information such as an individual’s medical record number, IP address, appointment dates, or geographic location are considered PHI under HIPAA if they relate to the individual’s past, present, or future physical or mental health or condition, provision of healthcare, or payment for care.
In a conclusory fashion, OCR asserts that IIHI collected on a website or mobile app “generally, is PHI, even if the individual does not have an existing relationship” with the entity, since “the information connects the individual to the regulated entity.” According to OCR, this connection is “indicative that the individual has received or will receive healthcare services or benefits from the covered entity” regardless of whether the IIHI is limited to IP address or geographic location. In other words, if inferences regarding a person’s health or treatment may be gleaned from the tracking information — whether or not those inferences are accurate — OCR deems the tracking information PHI. If those individual identifiers are shared with third party vendors, HIPAA regulated entities must ensure that the PHI is not shared unless an appropriate BAA is in place or patient authorizations have been obtained.
3. Important Differences Between User-Authenticated vs. Unauthenticated Sites
The Bulletin highlights the significant risk of user-authenticated websites (i.e., where the individual logs in to his or her online profile, such as through a patient portal), since the tracking technologies would have increased access to detailed treatment information, including diagnostic and billing information, on those sites. Although unauthenticated websites generally do not provide such access to an individual’s PHI, the disclosure of PHI can still occur. For example, tracking technologies could collect an individual’s email address and/or IP address when the individual visits a hospital’s webpage to search for available appointments with a healthcare provider, and such information in this context is PHI. A medical practice’s mobile application that collects network location, geolocation, device IDs or advertising IDs would be collecting PHI.
4. Individual Authorization for Tracking Is Problematic to Obtain
5. Healthcare Providers Must Ensure Their BAs Are Not Improperly Using Tracking Technologies
The Bulletin implies that healthcare providers must also broach the topic of tracking technologies with their business associates. For instance, if a provider is utilizing an e-prescribing service, and that service has third party tracking technologies enabled on its websites, the disclosure of PHI is not permitted unless the service has configured the websites so that they do not share PHI with the tracking vendors.
Although the safest strategy would be to refrain from using third-party tracking technologies, the insights gained from such tracking provide valuable business benefits. To continue using tracking technologies in a way that diminishes litigation and regulatory risk, covered entities and business associates should work with their information technology, compliance, and legal teams to fully assess the scope and extent of their tracking behaviors. Steps that may be taken to reduce risk include:
Create an inventory of all existing third-party tracking activities on the regulated entity’s websites and/or apps, as well as an inventory of whether an entity’s business associates are utilizing tracking technologies.
Ensure business associates are not impermissibly sharing PHI through their own use of tracking technologies.
Determine if the tracking activities result in a disclosure of PHI to a third party and, if possible, configure the tracking technology so that it does not disclose PHI.
For all tracking activities that disclose PHI to a third party, ensure either (1) the entity executes a BAA with the third party, or (2) the entity obtains appropriate authorizations from patients prior to disclosing their PHI.
Consider developing in-house tracking technology that does not share data with third parties.
Eliminate or limit the placement of tracking technologies on user-authenticated webpages.
Conduct a risk assessment following a potential breach of PHI through tracking technologies, and make any required breach notifications.
By conducting this type of risk analysis, covered entities and business associates can take steps to benefit from tracking technologies while avoiding noncompliance with HIPAA.
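The first two steps above (inventory the third-party tracking activity on a site and determine whether a given request would disclose PHI) can be started from a static pass over the page's HTML. The following Python script is an added example for that first pass; it is not part of the article or the OCR Bulletin. It collects every element that loads a remote resource, drops those served from the organization's own domain, and flags third-party requests whose query string carries identifier-like keys (or that sit on a user-authenticated page). The hostnames, the sample HTML and the list of identifier-like parameter names are constructed assumptions; a real inventory would also need to capture requests made dynamically by the loaded scripts, which this static pass cannot see.

```python
"""Inventory third-party resources on a page and flag identifier-like data
in the URLs they request. Added example; all hosts and the sample HTML are
constructed, and IDENTIFIER_KEYS is an illustrative assumption."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Query-string keys that commonly carry individually identifiable data
# (assumption for illustration, not an OCR-defined list).
IDENTIFIER_KEYS = {
    "email", "mrn", "patient_id", "dob", "phone", "appt", "appointment",
    "provider", "diagnosis", "zip", "lat", "lon", "device_id", "adid",
}
# Tag -> attribute that names the remote resource the tag loads.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class _ResourceCollector(HTMLParser):
    """Collects (tag, url, attrs) for each tag that loads a remote resource."""
    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        if a.get(attr):
            self.resources.append((tag, a[attr], a))


def _registrable(host):
    """Crude registrable domain: last two labels (assumes no multi-label
    public suffix such as co.uk appears in the input)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def inventory_trackers(html, first_party_host, authenticated=False):
    """Return one finding per third-party resource on the page.
    severity is 'high' when identifier-like keys are sent or the page is
    user-authenticated (e.g. a patient portal), otherwise 'medium'.
    First-party resources are omitted: the concern is disclosure to vendors."""
    collector = _ResourceCollector()
    collector.feed(html)
    first = _registrable(first_party_host)
    findings = []
    for tag, url, attrs in collector.resources:
        parts = urlsplit(url)
        if not parts.netloc or _registrable(parts.netloc) == first:
            continue  # relative or first-party URL
        keys = {k.lower() for k, _ in parse_qsl(parts.query)}
        suspect = sorted(keys & IDENTIFIER_KEYS)
        # A 1x1 image is the classic tracking pixel.
        is_pixel = tag == "img" and attrs.get("width") == "1" and attrs.get("height") == "1"
        findings.append({
            "kind": "pixel" if is_pixel else tag,
            "host": parts.netloc.lower(),
            "suspect_params": suspect,
            "severity": "high" if (suspect or authenticated) else "medium",
        })
    return findings


# Constructed sample: a first-party stylesheet and script, an analytics tag
# from one vendor, and a 1x1 pixel that carries an email and appointment date.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://www.example-health.test/site.css">
<script src="/static/app.js"></script>
<script src="https://analytics.vendor-a.test/tag.js?id=ACCT-123"></script>
</head><body>
<img src="https://px.vendor-b.test/t?email=pat%40mail.test&appt=2022-12-01&r=7"
     width="1" height="1" alt="">
</body></html>
"""


def report(html=SAMPLE_HTML, host="www.example-health.test", authenticated=False):
    return inventory_trackers(html, host, authenticated)


if __name__ == "__main__":
    for f in report():
        print(f"{f['severity']:6} {f['kind']:6} {f['host']} params={f['suspect_params']}")
```

Run against each page template in the inventory with `authenticated=True` for portal pages; every "high" finding is a request that, under the Bulletin's reading, needs either a BAA with the receiving vendor, an authorization, or a configuration change so the identifiers are no longer sent.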
HHS Press Office, “HHS Office for Civil Rights Issues Bulletin on Requirements under HIPAA for Online Tracking Technologies to Protect the Privacy and Security of Health Information,” HHS.gov (Dec. 1, 2022).
OCR fails to address those instances when a visitor to a website may never form any relationship with the organization.
Copyright ©2022 Nelson Mullins Riley & Scarborough LLP. National Law Review, Volume XII, Number 362