On December 1, 2022, the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) issued a Bulletin on the obligations of covered entities and business associates (regulated entities) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules (HIPAA Rules) when using online tracking technologies, such as cookies, web beacons and pixels. The Bulletin aims to provide further clarity on when identifiable information collected by such tracking technologies may also constitute protected health information (PHI) as defined and interpreted under the HIPAA Rules. In such instances, the Bulletin instructs that the technology vendor may be seen as providing a service to the regulated entity that would, in light of the use and disclosure of PHI, create a direct or downstream business associate relationship. Accordingly, the Bulletin states that the regulated entities would need to enter into a business associate agreement (BAA) with the vendor of the technology (and the vendor would, in turn, become a regulated entity) and meet other requirements under the HIPAA Rules. The Bulletin provides long-awaited guidance to help regulated entities review their positions and procedures concerning tracking technologies to ensure that the trackers they implement either do not collect PHI or meet the prerequisites outlined in the Bulletin.

IN DEPTH

The Bulletin analyzes the application of the HIPAA Rules to regulated entities' use of tracking technologies, such as cookies, web beacons and pixels. In particular, the Bulletin addresses the following:

  • Tracking on user-authenticated web pages
  • Tracking on unauthenticated web pages
  • Tracking within mobile apps
  • HIPAA compliance obligations for regulated entities when using tracking technologies.

Although the Bulletin suggests that identifiable information collected through a tracking technology deployed on a regulated entity's website or mobile app is generally going to be considered PHI, it recognizes that there are exceptions to this default rule based on the context in which the information is collected. The dividing line remains gray, but it pivots around an analysis of whether the identifiable information collected by the tracking tool is indicative that the individual has received or will receive health care services or benefits from the covered entity, and thus relates to the individual's past, present, or future health or healthcare or payment for care. Put another way, if the individual is seen as raising her hand to seek out or obtain information, the individual is signaling an intention to enter into a plan member or patient relationship with the regulated entity that the HIPAA Rules would seek to recognize and then protect.

If a regulated entity can demonstrate that the information collected by the tracker is not indicative that the individual has received, seeks to receive, or will receive healthcare services or benefits, then the information is potentially not PHI. In either case, the information may also be subject to other regulatory regimes. The Bulletin identifies the different contexts where this line of reasoning may be viable and when it is likely not viable.

TRACKING ON USER-AUTHENTICATED WEB PAGES

User-authenticated web pages are areas of a website that require users to log in before they can access the webpage, such as a patient or health plan beneficiary portal or a telehealth platform. OCR reasons that because user-authenticated web pages contain PHI, tracking technologies placed on these pages would in general have access to PHI. OCR, therefore, cautions regulated entities that they should (1) ensure that the disclosure of PHI collected on user-authenticated web pages is permissible (i.e., the vendor is providing a service to the regulated entity) and (2) enter into a BAA with tracking technology vendors that access such PHI. For example, OCR notes that a tracker on an appointment portal might result in the technology vendor automatically receiving information about an individual's appointment and connecting it with the individual's IP address. Per the Bulletin, such information would constitute PHI, and a BAA would be required with the tracking technology vendor.

TRACKING ON UNAUTHENTICATED WEB PAGES

The Bulletin distinguishes unauthenticated web pages from user-authenticated web pages, noting that unauthenticated web pages consist of publicly available websites that do not require the user to log in. Importantly, the Bulletin concludes that, unlike user-authenticated web pages, tracking technologies generally do not have access to PHI from users browsing unauthenticated web pages and therefore are not regulated by HIPAA Rules. Even on unauthenticated web pages, OCR warns that regulated entities must be mindful of the type of information that trackers have access to and ensure that no PHI is disclosed. The Bulletin offers two examples of unauthenticated web pages that may disclose PHI to trackers:

Example 1: The Bulletin notes that the login page on a healthcare provider's patient portal or a user registration webpage, although unauthenticated, may nevertheless collect PHI from individuals. As a result, a tracking technology vendor that collects an individual's login or registration information via such web pages would need to be a business associate of the regulated entity.

Example 2: The Bulletin notes that unauthenticated web pages that address specific symptoms or health conditions may provide vendors access to PHI in certain circumstances. The Bulletin unfortunately does not elaborate on the certain circumstances under which information collected from the browsing of these web pages would be PHI. It seems based on the initial default rule presented by the Bulletin, however, that if the information collected by the tracker relates to the past, present or future healthcare of the individual or payment for care (e.g., the fact that the user searched for available appointments with the healthcare provider, or that the user visited a page about a specific symptom or health condition in such a way that there is reason to believe the individual is seeking out care for herself or a household member, as opposed to, for example, researching a school paper), OCR may consider such information to be PHI.

This second example may give regulated entities some pause, as it is unclear how detailed the information about an individual's visit to a webpage addressing symptoms or health conditions would need to be to constitute PHI. Non-patient visitors to a healthcare provider's website may, for example, seek information about a particular treatment or symptom because they are conducting market research—not because they have a particular symptom or disease. Nevertheless, regulated entities will need to exercise caution and fully vet the information collected by tracking technologies related to diseases and symptoms on their websites. In addition, regulated entities may consider other user experience set-ups to distinguish reasonably between individuals seeking or receiving care and those who are not.

TRACKING WITHIN MOBILE APPS

Mobile apps offered by regulated entities collect various types of information that is considered PHI, including geolocation, device ID and advertising ID. Regulated entities must comply with the HIPAA Rules with respect to this information, including in cases of subsequent disclosures to the mobile app vendor, tracking technology vendor or any other recipient of such information.

Example: OCR suggests that the HIPAA Rules apply to any PHI that a covered health clinic collects through the clinic's mobile app that patients use to track health-related variables associated with pregnancy (e.g., menstrual cycle, body temperature or contraceptive prescription information).

OCR distinguishes the data collected through mobile apps offered by regulated entities from the data collected through mobile apps offered by non-regulated entities. For the latter, the HIPAA Rules do not protect the privacy and security of information that users voluntarily download or enter into mobile apps not developed or offered by or on behalf of regulated entities. Instead, other rules, such as the Federal Trade Commission (FTC) Act, the FTC's Health Breach Notification Rule and state consumer privacy laws (like the California Consumer Privacy Act) may apply.

COMPLIANCE OBLIGATIONS WHEN USING TRACKING TECHNOLOGIES

The Bulletin reminds regulated entities that they must follow all HIPAA Rules when using and disclosing PHI to a vendor of tracking technologies. For example:

  • Regulated entities should evaluate their relationships with tracking technology vendors to determine whether such vendor meets the definition of a business associate and ensure that the disclosures made to such vendors are permitted by the Privacy Rule. If there is a business associate relationship in place, the vendor must sign a BAA. The Bulletin cautions, however, that signing a BAA does not make a tracking technology vendor a business associate if the tracking technology vendor does not meet the business associate definition.
  • A regulated entity must obtain an individual's HIPAA-compliant authorization before disclosing PHI to a vendor in situations where there is no business associate relationship in place. Privacy notices, website terms or website banners that ask users to accept or reject the website's use of cookies and other tracking technologies do not constitute a valid HIPAA authorization. When such an authorization is presented, it cannot be presented in such a way that it results in a patient or member's otherwise access to treatment, payment or healthcare operations becoming conditioned on signing the authorization.
  • A regulated entity's Risk Analysis and Risk Management processes under the Security Rule must address the use of tracking technologies.
  • Deidentification of the data by the tracking vendor before it begins processing the data does not absolve the vendor of HIPAA compliance obligations because, according to the Bulletin, the tracking vendor would in that instance receive PHI prior to deidentification. In these circumstances, the regulated entity would need to take steps to either ensure that the vendor is a business associate and agrees to a BAA or take steps to obtain an individual's HIPAA-compliant authorization.

When tracking technologies collect information that is not considered PHI, regulated entities must still consider whether other privacy laws apply, such as the California Consumer Privacy Act. Starting in 2023, the California Consumer Privacy Act and other US state consumer privacy laws will more strictly regulate the use of cookies—particularly those that involve a "sale" or "sharing" of a user's personal information. Regulated entities should be mindful of these legal requirements, particularly when the information collected via the cookie could be considered sensitive personal information (e.g., health information) under such laws, requiring the regulated entity to obtain opt-in consent in certain states prior to collecting the data.

The Bulletin does not address how OCR will approach enforcement of these cases, including whether the regulated entity is more at risk because a BAA is not in place and/or the regulated entity should have known that it was sharing PHI with a vendor. This may cause some regulated entities to rethink their strategies when deploying tracking technologies from vendors that do not sign BAAs, are not currently set up to comply with the HIPAA Rules or publicly state that they do not comply with the HIPAA Rules.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.