Mid-Atlantic Health Law TOPICS


HIPAA Update – Tracking Technologies

In December 2022, the Office for Civil Rights (OCR) issued a new bulletin warning Health Insurance Portability and Accountability Act (HIPAA) covered entities and business associates about the use of online tracking technologies, which are often embedded in an entity’s website or mobile application.


HIPAA is implicated when regulated entities collect information that includes protected health information (PHI) through tracking technologies or disclose PHI to tracking technology vendors. One example provided by OCR is that disclosures of PHI to technology vendors for marketing purposes would violate HIPAA unless the covered entity obtained individuals’ HIPAA-compliant authorizations.

OCR defined “tracking technology” as “a script or code on a website or mobile app used to gather information about users as they interact with the website or mobile app.” The information is then analyzed to gain insights about users’ online activities. The information captured may be assigned a unique identifier, enabling the owner of the website or app, or the tracking technology vendor, to build an individual profile of each user.

Information that may be disclosed includes individually identifiable health information (IIHI) such as the individual’s medical record number, home or email address, dates of appointments, IP address or geographic location, or medical device identifiers.

In the bulletin, OCR stated that when such information is collected through a regulated entity’s website or app, the IIHI will generally be PHI, even if the individual does not have an existing relationship with the regulated entity and the IIHI does not include any treatment or billing information.

OCR reasons that this is because the IIHI collected connects the individual to the regulated entity indicating that the individual has or will receive health care services from the covered entity, and therefore, that the information “relates to the individual’s past, present or future health or health care or payment for care.”

B. Authenticated Webpages

The risk that PHI is disclosed to tracking technology vendors is highest when the regulated entity uses user-authenticated webpages, meaning the individual logs in to access a portion of the website (for example, a patient portal). This is because the information available beyond the login tends to be the type of information that may include diagnoses, prescriptions, and other treatment information.

OCR cautions that tracking technology vendors may be business associates, necessitating a business associate agreement (BAA), depending on how the vendor interacts with the PHI.

C. Unauthenticated Webpages

It is less likely that a webpage will collect PHI when it is unauthenticated, meaning that the individual does not need to log in to the website to view it.

However, PHI may be collected even by an unauthenticated webpage when the webpage collects information to allow the individual to register, or to search for and schedule an appointment with a provider, particularly when the website is specific to a particular type of medical condition.

D. Mobile Apps

If a regulated entity provides an app to individuals, the information the app collects will be considered PHI, and any sharing of that information with the mobile app vendor or a tracking technology vendor must comply with HIPAA.

If, however, an individual voluntarily downloads and enters information into an app that is not developed or offered by or on behalf of a regulated entity, that information will not be PHI, even if the individual obtains the information from a medical record created by a regulated entity.

E. Conclusion

If a regulated entity identifies that its website or app discloses PHI to a tracking technology vendor, the regulated entity must ensure that the disclosure complies with HIPAA. This includes confirming that HIPAA permits the disclosure and, if it does, entering into a BAA with the vendor and limiting the disclosure to the minimum necessary to provide the service.

If HIPAA does not permit the disclosure, or the vendor is not a business associate, then the regulated entity must obtain the individuals’ HIPAA-compliant authorizations before the PHI is disclosed. OCR cautions that “Website banners that ask users to accept or reject a website’s use of tracking technologies, such as cookies, do not constitute a valid HIPAA authorization.”

Darci M. Smith
410-576-4153 • dsmith@gfrlaw.com



March 20, 2023
