HHS Releases New Guidance For Online Tracking Technologies Under HIPAA: Covered Entities And Business Associates Are Likely To Be Widely Impacted

On December 1, 2022, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) released much-anticipated guidance on the use of online tracking technologies by Covered Entities and Business Associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The guidance bulletin was issued amid a backdrop of class action lawsuits, state and federal regulator inquiries and media scrutiny with respect to tracking technologies on websites and mobile applications by healthcare organizations and other HIPAA-regulated entities. The guidance has far-reaching implications for HIPAA regulated entities that utilize online platforms, and many organizations will need to update their use of tracking technologies in order to maintain compliance with HIPAA. Read on to find out how this new guidance may affect your organization.

What Does the OCR Guidance Say?

Tracking technologies, such as cookies, web beacons and pixels, are generally used to collect and analyze user interactions (like page views or buttons clicked). When the information that a HIPAA regulated entity collects through tracking technologies or shares with tracking technology vendors includes Protected Health Information (PHI), the HIPAA rules apply. The guidance analyzes how the HIPAA rules apply to user-authenticated webpages (i.e., user login is required before the user can access the webpage), unauthenticated webpages (i.e., publicly-available websites that do not require a user login to access the webpage) and mobile apps, and makes it clear that HIPAA regulated entities are not allowed to use tracking technologies in a way that would result in impermissible disclosures of PHI or any other violations of the HIPAA rules.

Under what circumstances could data collected by online tracking technologies be considered PHI?  The guidance indicates that it will depend on the website or mobile app (and, in some instances, the page or screen within that website or mobile app) through which the data was collected, and the overall context. According to the OCR, certain categories of tracked information may be more or less likely considered to be PHI:

• Individually identifiable health information collected through tracking technologies is presumed to be PHI, even if the individual does not have an existing relationship with the regulated entity

• Data tracked inside of a user’s account (i.e., on a user-authenticated webpage) very likely constitutes PHI

• Data tracked from users browsing unauthenticated webpages are less likely to be PHI, but there are still circumstances where the information being tracked could be PHI

• Network location, geolocation, device IDs or advertising IDs collected by a mobile app is likely collecting PHI. However, the OCR distinguishes between mobile apps offered by HIPAA regulated entities and mobile apps offered by non-regulated entities - for the latter, HIPAA does not apply to mobile apps not developed or offered by or on behalf of HIPAA regulated entities, but cautions that other laws, like state consumer privacy laws, may apply.

What Does This New Guidance Mean for HIPAA Regulated Entities?

HIPAA regulated entities must handle all PHI in accordance with the Privacy Rule, Security Rule, and Breach Notification Rule when using and disclosing PHI in connection with tracking technologies.

In light of the OCR guidance, HIPAA regulated entities should take the following steps:

• Assess your organization’s use of tracking technologies. Compile a comprehensive list of all tracking technologies that your organization uses on your online platforms and mobile applications and the categories of information that they collect. Consider changes to technology used or removing tracking technologies.
• Ensure PHI is only shared for a permitted purpose with a business associate agreement (BAA) or patient authorization. In sharing PHI with third parties, Covered Entities and Business Associates generally need to have a BAA and/or patient authorization. If your organization is sharing information collected through online tracking technologies with third parties, assess whether such information is PHI and whether the third party meets the definition of a Business Associate; if so, the vendor must sign a BAA. If the information is PHI and the vendor does not meet the definition of a Business Associate, then a HIPAA-compliant individual authorization must be obtained prior to disclosure.
• Implement appropriate safeguards. Review the administrative, physical, and technical safeguards that your organization has in place to protect information collected by online tracking technologies. If these safeguards are materially weaker than the safeguards your organization has implemented to protect PHI, then you will need to improve such safeguards.
• Conduct a breach risk assessment and analyze potential notification obligations. Evaluate your use of tracking technologies and whether, in light of the new guidance, any potential HIPAA breaches have occurred. A breach requires notice to affected individuals, HHS and, in certain cases, the media and/or state regulators.
• Review existing privacy notices and terms of use. Generally, privacy notices, website terms of use or website banners that ask users to accept or reject the use of cookies or other tracking technologies do not constitute a valid HIPAA authorization.

While the OCR’s guidance provides general categories of collected information and the likelihood that such information is PHI, the OCR emphasizes that determining what collected information is PHI will require a careful analysis of your organization’s unique circumstances. For assistance with assessing how this guidance may impact your business, please contact a member of McGrath North’s Privacy and Cybersecurity team.