The use of online tracking technologies, which provide valuable insights into the behaviors of website and mobile application users, has become routine in today’s online ecosystem. Companies employ tracking technologies to determine how online visitors interact with such companies’ websites or apps, including what content or features draw visitors and which pages they browse. Insights gleaned from such tracking are used to enhance the functionality of websites and apps and update user interfaces to better align with user needs and preferences.

The healthcare industry has not shied away from using this technology, often leveraging these tools to help improve the patient experience. However, growing scrutiny by the Office for Civil Rights (OCR), which enforces the Health Insurance Portability and Accountability Act of 1996 (HIPAA), requires covered entities and business associates to proceed with caution in their use of such technologies.

In 2022 alone, several major health systems have had to disclose to OCR and millions of patients that their use of tracking technologies may have led to unauthorized disclosure of protected health information (PHI). Amid a growing number of these incidents and related class action lawsuits, OCR issued a bulletin on Dec. 1, 2022 (“Bulletin”) reminding covered entities and business associates that they “are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.” [1] In the Bulletin, OCR makes clear that regulated entities need to deliberately consider and, if needed, take certain precautions in their use of such technologies.

1. Definition of Tracking Technologies and When They are (Not) Permitted

In the Bulletin, OCR defines a tracking technology as “a script or code on a website or mobile app used to gather information about users as they interact with the website or mobile app.” For websites, these technologies can come in the form of cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts. Mobile apps, on the other hand, often embed tracking code within the app to enable collection of both information directly provided by the user and the user’s mobile device-related information.

OCR does not limit all uses of tracking technologies by covered entities and business associates, provided that the collection and processing of PHI are for permissible purposes in furtherance of the organization’s healthcare operations under HIPAA. Instead, the guidance addresses situations where the technology sends information directly to third party tracking technology vendors, who provide insights based upon the information collected from the tracking. For example, Google and Meta (formerly Facebook) each offer the use of tracking “pixels,” or code embedded in a website, to gain these insights.

The recent lawsuits and news articles regarding use of these technologies demonstrate that third party tracking technology vendors who receive PHI often are not operating under Business Associate Agreements (BAAs). This may be because some of these technologies are provided free to users, and the vendors in most instances disavow any need to collect PHI and accordingly instruct users to avoid sending PHI or other personally identifiable information.[2] Ultimately, covered entities and business associates may not disclose PHI to third parties unless such disclosure is to a business associate pursuant to a BAA or the disclosure is made pursuant to an individual’s HIPAA-compliant authorization. In this arena, it is typically impractical for organizations to secure BAAs with the vendors or HIPAA-compliant authorizations from individuals.

2. Broad Interpretation of What Constitutes PHI for Tracking Purposes

HIPAA applies when information that covered entities and business associates collect through tracking technologies or disclose to tracking technology vendors includes PHI. The Bulletin broadly defines PHI to include all individually identifiable health information (IIHI) that is collected on a regulated entity’s website or mobile app. Information such as an individual’s medical record number, IP address, appointment dates, or geographic location are considered PHI under HIPAA if they relate to the individual’s past, present, or future physical or mental health or condition, provision of healthcare, or payment for care.

In a conclusory fashion, OCR asserts that IIHI collected on a website or mobile app “generally, is PHI, even if the individual does not have an existing relationship” with the entity, since “the information connects the individual to the regulated entity.” According to OCR, this connection is “indicative that the individual has received or will receive healthcare services or benefits from the covered entity” regardless of whether the IIHI is limited to IP address or geographic location.[3] In other words, if inferences regarding a person’s health or treatment may be gleaned from the tracking information — whether or not those inferences are accurate — OCR deems the tracking information PHI. If those individual identifiers are shared with third party vendors, HIPAA regulated entities must ensure that the PHI is not shared unless an appropriate BAA is in place or patient authorizations have been obtained.

3. Important Differences Between User-Authenticated vs. Unauthenticated Sites

The Bulletin highlights the significant risk of user-authenticated websites (i.e., where the individual logs in to his or her online profile, such as through a patient portal), since the tracking technologies would have increased access to detailed treatment information, including diagnostic and billing information, on those sites. Although unauthenticated websites generally do not provide such access to an individual’s PHI, the disclosure of PHI can still occur. For example, tracking technologies could collect an individual’s email address and/or IP address when the individual visits a hospital’s webpage to search for available appointments with a healthcare provider, and such information in this context is PHI. A medical practice’s mobile application that collects network location, geolocation, device IDs or advertising IDs would be collecting PHI.

4. Individual Authorization to Tracking is Problematic to Obtain

OCR emphasizes that if a tracking technology vendor is not a business associate and the disclosure is not otherwise permitted by the Privacy Rule, then individuals’ authorizations are required before PHI may be disclosed to the vendor. Although website banners could provide an easy avenue for obtaining consent (by having individuals click to accept or reject the website’s use of cookies), the Bulletin asserts that the use of such banners does not constitute a valid HIPAA authorization, presumably because a valid authorization must include certain specific statements along with the individual’s signature. Instead, regulated entities must explicitly request and obtain an individual’s written authorization to share her PHI with third parties who are not business associates for tracking purposes. It is foreseeable that most reasonable individuals would decline to authorize the use of their PHI for such purposes, resulting in an inconclusive data set and skewed analytics results for the regulated entity. Not only would sharing PHI without an authorization under these circumstances contravene HIPAA, but there is the further possibility of complaints to the Federal Trade Commission that the collection and use of individuals’ tracking data constitute unfair and deceptive trade practices.

5. Healthcare Providers Must Ensure Their BAs Are Not Improperly Using Tracking Technologies

The Bulletin implies that healthcare providers must also broach the topic of tracking technologies with their business associates. For instance, if a provider is utilizing an e-prescribing service, and that service has third party tracking technologies enabled on its websites, the disclosure of PHI is not permitted unless the service has configured the websites so that they do not share PHI with the tracking vendors.

Strategy Considerations

Although the safest strategy would be to refrain from using third-party tracking technologies, the insights gained from such tracking provide valuable business benefits. To continue using tracking technologies in a way that diminishes litigation and regulatory risk, covered entities and business associates should work with their information technology, compliance, and legal teams to fully assess the scope and extent of their tracking behaviors. Steps that may be taken to reduce risk include:

  • Create an inventory of all existing third-party tracking activities on the regulated entity’s websites and/or apps, as well as an inventory of whether an entity’s business associates are utilizing tracking technologies.

  • Ensure business associates are not impermissibly sharing PHI through their own use of tracking technologies.

  • Determine if the tracking activities result in a disclosure of PHI to a third party and, if possible, configure the tracking technology so that it does not disclose PHI.

  • For all tracking activities that disclose PHI to a third party, ensure either (1) the entity executes a BAA with the third party, or (2) the entity obtains appropriate authorizations from patients prior to disclosing their PHI.

  • Consider developing in-house tracking technology that does not share data with third parties.

  • Eliminate or limit the placement of tracking technologies on user-authenticated webpages.

  • Conduct a risk assessment following a potential breach of PHI through tracking technologies, and make any required breach notifications.
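The inventory step in the list above can be started with a static scan of a site's pages. The script below is an added example, not code from the article, from OCR, or from any vendor: it parses a page's HTML with the Python standard library, records every script, image or iframe resource whose host is outside the entity's own domains, and flags query parameters whose names look like direct identifiers (email, medical record number, appointment date) so the compliance team can decide whether a BAA, an authorization, or a configuration change is needed. The hostnames, the sample page and the list of identifier-like parameter names are constructed assumptions.

```python
"""Static inventory of third-party tracking resources in an HTML page.

Added example (not from the article).  First-party hosts, the parameter
names treated as identifiers, and the sample page are all assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Assumed first-party hosts; anything else is treated as a third party.
FIRST_PARTY_HOSTS = {"hospital.example", "www.hospital.example"}

# Assumed query-parameter names that commonly carry direct identifiers.
IDENTIFIER_PARAMS = {"email", "mrn", "patient_id", "appointment_date", "dob", "phone"}


class _ResourceCollector(HTMLParser):
    """Collects (tag, url) pairs for tags that trigger outbound requests."""

    TAGS = {"script": "src", "img": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr_name = self.TAGS.get(tag)
        if attr_name is None:
            return
        for name, value in attrs:
            if name == attr_name and value:
                self.resources.append((tag, value))


def inventory(html, first_party_hosts=FIRST_PARTY_HOSTS):
    """Return one finding per third-party resource found in the page.

    Each finding records the tag, the host the request goes to, the full URL,
    and the sorted list of identifier-like query parameters in that URL.
    Relative URLs and first-party hosts are skipped because they do not
    disclose data to a third party.
    """
    collector = _ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.resources:
        parts = urlsplit(url)
        host = parts.hostname
        if host is None or host in first_party_hosts:
            continue
        params = dict(parse_qsl(parts.query, keep_blank_values=True))
        flagged = sorted(p for p in params if p.lower() in IDENTIFIER_PARAMS)
        findings.append(
            {"tag": tag, "host": host, "url": url, "identifier_params": flagged}
        )
    return findings


# Constructed sample page: one local script, one analytics tag, one tracking
# pixel whose URL carries an email address and an appointment date, and one
# first-party iframe.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://analytics.example.net/tag.js?id=T-123"></script>
</head><body>
<img src="https://pixel.example.com/tr?ev=PageView&email=jane%40example.org&appointment_date=2023-01-05" width="1" height="1">
<iframe src="https://www.hospital.example/embed/map"></iframe>
</body></html>
"""


def report(html):
    """Human-readable summary of inventory(html); returns the lines printed."""
    lines = []
    for f in inventory(html):
        status = "REVIEW: identifiers in URL" if f["identifier_params"] else "third party"
        lines.append(f"{f['tag']:6} {f['host']:25} {status} {f['identifier_params']}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_HTML):
        print(line)
```

A static scan only sees resources written into the served HTML; session replay and tag-manager scripts add further requests at runtime, so the output should be reconciled against a browser network capture of both unauthenticated and logged-in pages before the inventory is treated as complete.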

By conducting this type of risk analysis, covered entities and business associates can take steps to benefit from tracking technologies while avoiding noncompliance with HIPAA.


[1] HHS Press Office, HHS Office for Civil Rights Issues Bulletin on Requirements under HIPAA for Online Tracking Technologies to Protect the Privacy and Security of Health Information (Dec. 1, 2022).

[2] See, e.g., Best practices to avoid sending Personally Identifiable Information (PII) – Analytics Help (

[3] OCR fails to address those instances when a visitor to a website may never form any relationship with the organization. 

Copyright ©2022 Nelson Mullins Riley & Scarborough LLP
National Law Review, Volume XII, Number 362
