Having a website or mobile app is a normal extension of doing business in the healthcare sector as is the use of online tracking technologies to gain insight about online users for internal analytical purposes and marketing initiatives. A potential issue for covered entities and business associates using such technologies on their websites or mobile apps is when the data collected includes electronic personal health information (ePHI) of their online users in a manner that is not compliant with the Health Insurance Portability and Accountability Act (HIPAA).
This post starts with a brief overview of the current HIPAA regulatory landscape and the use of online tracking technologies followed by recommended approaches to help achieve HIPAA compliance.
Current HIPAA Regulatory Landscape
HIPAA is a federal law that sets forth regulatory requirements that both covered entities (e.g., doctors, nurses, hospitals, etc.) and their business associates who receive access to ePHI must implement to protect the privacy and security of ePHI.
“ePHI” means individually identifiable health information transmitted by or maintained in electronic storage media (e.g., hard drives, digital memory cards, extranets, intranets, private networks, among others) or in any other form or medium. 45 CFR 160.103
“Individually identifiable health information” means a subset of health information, including demographic data, collected from an individual that is created or received by a covered entity (or by a business associate on behalf of a covered entity) and relates to the “past, present, or future physical or mental health or condition of the individual; the provision of health care to the individual; or the past, present, or future payment for the provision of health care to the individual [],” and does or has the potential to identify the individual. 45 CFR 160.103.
To protect the confidentiality, integrity, and availability of ePHI, HIPAA requires both covered entities and their business associates to implement appropriate administrative safeguards (such as policies and procedures), physical safeguards (such as physical locks), and technical safeguards (such as encryption).
OCR 2022 Bulletin on Online Tracking Technologies
Due to the surge in the usage of websites and mobile apps by HIPAA regulated entities and third-party media reports on the collection of ePHI by tracking technology vendors, the Office for Civil Rights (OCR) at the Department of Health and Human Services issued a bulletin in 2022 addressing the concerns and risks associated with online tracking technologies, the potential collection of ePHI by such technologies, and the application of HIPAA to such data collection practices.
Briefly, tracking technologies (e.g., cookies, pixels and analytics) collect all sorts of online user data. User data can include personal information (e.g., names, email addresses, etc.), behavior, preferences, IP address, location, device type, device identifier, advertising identifier, and browsing activity, among many others. In certain cases, a tracking technology vendor could potentially use the collected data to link back to specific individuals among the online users. This linkage was revealed in two separate news reports published by The Markup, one on Facebook collecting medical information from hospital websites and the other on dozens of Telehealth startups sending health information to big tech companies. In the case of the hospitals, 33 hospital websites reportedly used pixels on their password-protected patient portals that collected data about the patients’ online doctor appointments, including their medical conditions and prescriptions. In the case of the Telehealth startups, 50 websites reportedly used data analytics from big tech companies, such as Google, Meta and TikTok, and some of those data analytics collected their online users’ answers to medical intake questions, such as their names, emails, phone numbers and information about their treatments.
Warning Letter to Hospitals and Telehealth Providers
Roughly six months following the OCR’s 2022 bulletin, the OCR along with the Federal Trade Commission (FTC) sent a joint letter to approximately 130 hospital systems and Telehealth providers warning them that their websites and mobile apps may be using tracking technologies that may be collecting their online users’ ePHI. Google Analytics and the Meta/Facebook pixel were cited as primary examples of the types of tracking technologies capable of collecting ePHI. The OCR reiterated that,
“The HIPAA Rules apply when the information that a regulated entity collects through tracking technologies or discloses to third parties (e.g., tracking technology vendors) includes PHI. HIPAA regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to third parties or any other violation of the HIPAA Rules.”
Separately, the FTC warned that where HIPAA does not apply, entities collecting personal health information from their online users have data privacy and security obligations to safeguard such information from unauthorized disclosure and use under the FTC Act, including a duty to report data breaches under the FTC Health Breach Notification Rule.
Approaches to Ensure HIPAA Compliance
When using online tracking technologies on websites or mobile apps, HIPAA regulated entities should develop a plan to manage the use of such technologies in a manner that is designed to be HIPAA compliant. Part of this plan requires identifying whether the tracking technologies collect ePHI from online users and, if so, determining if the tracking technology vendors qualify as HIPAA business associates or whether individual HIPAA authorizations must be obtained.
Identify Tracking Technologies Collecting ePHI
To identify whether a website's or mobile app's tracking technologies collect ePHI, review the tracking technology vendor’s privacy policy. The vendor's privacy policy should disclose whether the technologies are designed to comply with HIPAA. If the policy is silent on whether any ePHI is collected, the tracking technology is unlikely to be designed to be HIPAA compliant. In such a case, a HIPAA regulated entity should remove the tracking technology from its website or mobile app or obtain individual HIPAA authorizations that allow the disclosure of ePHI to the tracking technology vendor in a HIPAA compliant manner.
Determine Business Associate Qualification
If a tracking technology collects ePHI, determine whether the tracking technology vendor meets the definition of a HIPAA “business associate.”
A “business associate” is a third party, including a subcontractor of a business associate, that creates, receives, uses, maintains, or transmits ePHI on behalf of a HIPAA regulated entity for a covered function (e.g., treatment, payment processing, administration, or data analysis, among others) or provides a HIPAA regulated entity with certain services involving the disclosure of ePHI to a third party (e.g., lawyers, accountants, auditors, consultants, data aggregators, de-identification service providers, among others). 45 CFR 160.103
In this respect, online tracking technologies used by a HIPAA regulated entity for purposes of collecting online user data that includes ePHI are considered a service involving the disclosure of ePHI by the HIPAA regulated entity to the third-party tracking technology vendors.
Tracking Technology Vendor is a Business Associate
If a tracking technology vendor meets the definition of a HIPAA business associate, HIPAA requires that a Business Associate Agreement (BAA) be entered into between the HIPAA regulated entity and the vendor. 45 CFR 164.502(e)(1)(i)-(ii). The BAA should specify the vendor’s permitted and required uses and disclosures of ePHI, its obligation to maintain adequate administrative, physical, and technical safeguards to protect the confidentiality of the ePHI, and a process for breach notifications, among other provisions.
Tracking Technology Vendor is Not a Business Associate
If a tracking technology collects ePHI for purposes other than a covered function or service and the vendor does not qualify as a HIPAA business associate, HIPAA requires that the HIPAA regulated entity obtain individual HIPAA authorizations from its online users to allow the disclosure of ePHI to the tracking technology vendor. The same rule applies if the HIPAA regulated entity prefers not to or cannot obtain a BAA from a tracking technology vendor.
The HIPAA authorization form should include the name of the tracking technology vendor, a description of the ePHI the vendor will collect, the purpose for disclosing the ePHI to the vendor, the expiration date of the authorization, a statement notifying the patient of the potential that the patient’s ePHI may be re-disclosed by the vendor and that HIPAA would not apply to such re-disclosure, and the patient’s rights with respect to the authorization (e.g., the right to revoke), among other information. 45 CFR 164.508
Also, while a HIPAA regulated entity's website's or mobile app's privacy policy may cover the use of online tracking technologies, the OCR takes the position that this type of disclosure does not qualify as a valid HIPAA authorization. The OCR takes the same position with website and mobile app cookie banners that request online users to accept or reject cookies.
Closing Remarks
The use of online tracking technologies on websites and mobile apps has many benefits but these benefits also come with data privacy and security obligations. As online tracking technologies are capable of collecting ePHI from online users, they may also be capable of using that data to identify specific individuals among those online users, triggering the application of HIPAA.
Thus, a HIPAA regulated entity must ensure its use of such technologies does not result in making impermissible disclosures of its online users' ePHI to its tracking technology vendors. To mitigate this potential risk, a HIPAA regulated entity should identify the types of user data collected by its tracking technologies to determine if ePHI is included. If ePHI is collected, the HIPAA regulated entity must either obtain a BAA from each applicable tracking technology vendor who qualifies as a HIPAA business associate or secure individual HIPAA authorizations that allow the disclosure of its online users' ePHI to each such vendor.
Absent a BAA or individual HIPAA authorizations, to be HIPAA compliant, a HIPAA regulated entity should avoid using tracking technologies on its website or mobile app. Alternatively, a HIPAA regulated entity should investigate whether the tracking technologies can be configured to exclude the collection of ePHI or be placed only on webpages or mobile screens where the data collected excludes ePHI.
Lastly, another possible option is exploring the implementation of privacy-enhancing technologies that block a tracking technology vendor's ability to link collected ePHI back to any specific individuals.
The information provided here is for general informational purposes only and is not intended as legal advice or opinion for any individual matter. Legal developments or changes in law or regulations may occur in the future, and the content here may not be the most up-to-date legal or other information at the time of reading. You should consult your own attorney for any legal advice you may require.
If you do not have an attorney and would like to explore how Venus Caruso can assist you, you can contact Venus using the website’s contact form or by emailing her at venus@carusolawoffice.com.