ARTICLE
12 December 2022

OCR Releases Guidance On Use Of Tracking Technologies

Sheppard, Mullin, Richter & Hampton LLP

Most companies operating websites and mobile apps use some form of tracking technology on these digital properties. While these technologies have been in use for some time and serve a variety of purposes, their use by organizations regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) has drawn increased attention within the past year. In the wake of recent public concerns, the Office for Civil Rights (OCR) at HHS released guidance on the use of these tools by HIPAA-regulated entities. OCR's guidance distinguishes between tracking on authenticated websites, on unauthenticated websites, and in mobile apps. We summarize this guidance below.

What is a tracking technology?

Tracking technologies include cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts. These tools can be developed internally (i.e., first party) or by third parties. Companies use them to better understand their website visitors. Sometimes this is at an aggregate level. Other times, these tools collect information about individual visitors in order to build a profile of each visitor. Mobile apps can capture similar details about users through code embedded directly in the app.

Regulated entities' use of tracking technologies

When a regulated entity uses a tracking technology, it may be disclosing individually identifiable health information to vendors. This information could include an email address, an IP address, or dates of appointments, among other information. When users visit websites that require them to log in (e.g., a patient portal), tracking technologies may have access to these visitors' protected health information (PHI). Any such collection and disclosure of information must be done in accordance with HIPAA.

Tracking technology vendors are business associates if they create, receive, maintain, or transmit PHI on behalf of a regulated entity for a covered function, or provide certain services to or for a covered entity (or another business associate) that involve the disclosure of PHI. Regulated entities must ensure that the disclosures made to such vendors are permitted by the Privacy Rule and must enter into a business associate agreement (BAA) with these tracking technology vendors. By way of example, OCR's guidance notes that if a regulated entity's site permits users to make appointments, a BAA should be in place with the vendor of any tracking technology used on that site that collects PHI such as appointment dates or IP addresses.

Even on sites that do not require users to log in, HIPAA may still apply to the use of tracking technologies. For example, tracking technologies may be collecting information on sites that permit users to search for doctors based on specific conditions and that otherwise collect PHI such as an email address and/or IP address. In those instances, such disclosures must be made in accordance with the HIPAA Privacy Rule, including through the use of BAAs with the tracking tool vendor.

In the context of mobile apps, the OCR guidance reminds companies that HIPAA does not apply to health information entered into a mobile app by an entity that is not otherwise regulated by HIPAA. Where HIPAA does not apply to such information, other laws may. For example, the FTC Act, the FTC's Health Breach Notification Rule, and state laws such as the California Privacy Rights Act may apply.

Complying with HIPAA in the Context of Tracking Technologies

When regulated entities use tracking technologies, several obligations under the HIPAA Privacy, Security, and Breach Notification Rules apply. For example, disclosures must be permitted by HIPAA, and only the minimum necessary PHI should be disclosed. Regulated entities must ensure that all tracking technology vendors have signed a BAA and that an applicable permission exists prior to any disclosure of PHI. If there is no applicable permission, or if the vendor is not a business associate of the regulated entity, a HIPAA-compliant authorization is required. OCR notes that website cookie banners do not constitute a valid HIPAA authorization. Further, the use of tracking technologies should be addressed in an organization's risk analysis and risk management process.

HIPAA-regulated entities should carefully audit the use of any tracking technologies on their websites and mobile apps to determine whether any PHI is being disclosed to these vendors. If so, these organizations should take the steps outlined by OCR to ensure such use complies with HIPAA.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
