Add a bookmark to get started

15 December 20228 minute read

OCR releases important guidance regarding HIPAA and the use of tracking technologies

Earlier this month, the US Department of Health and Human Services’ Office for Civil Rights (OCR) released a bulletin[1] on the use of online tracking technologies and HIPAA compliance. This bulletin impacts all healthcare providers and their business associates that have an online presence and use these types of online tracking technologies.

Overall, the bulletin sets forth OCR’s interpretation of HIPAA as it relates to the use of online tracking technologies and the potential misuse of such technologies that result in impermissible disclosures of protected health information (PHI). Importantly, OCR clearly stated that simply identifying that a regulated entity (ie, a HIPAA Covered Entity or Business Associate) uses tracking technologies on its website or mobile app[2] in a privacy policy, notice, or terms and conditions does not, in of itself, permit disclosures of PHI to online tracking technology vendors. Rather, the disclosures need to comply with the HIPAA Privacy Rule, and if the online tracking technology vendor receives PHI, there needs to be a business associate agreement in place with such vendor.  Notably, many online tracking technology vendors disclaim that their technologies are set up to receive PHI and may be unlikely to sign such business associate agreements.

Further, we note that OCR’s bulletin comes at a pivotal time for online advertising and privacy. There is particular sensitivity surrounding reproductive health information in the wake of the Dobbs decision and the potential for entities to share such information without an individual’s knowledge or consent. Additionally, there have been a growing number of class action lawsuits against healthcare companies for the use of such tracking technologies, and the purported infringement of users’ privacy.

Below, we examine some of the nuances and open questions resulting from OCR’s release of the bulletin. In response to the bulletin, at a minimum, we recommend that Covered Entities and Business Associates should:

  • Assess their use of online tracking technologies
  • Understand what information they share with such online tracking technologies, including determinations whether such information constitutes PHI
  • Determine whether they want to continue using such online tracking technologies and if so, determine whether disclosures to such vendors are subject to HIPAA
  • Examine their vendor contracts to ensure that they maintain appropriate business associate agreements with all such online tracking technology vendors, as needed and
  • Examine whether ongoing HIPAA security risk assessments take into account online tracking technologies and the sharing of such information.

Online tracking technologies

By way of background, online tracking technologies are those technologies that companies use to collect and analyze information about how users interact with websites and mobile applications. These types of technologies include the use of scripts or codes to gather information about users as they interact with the website or mobile application, and include, but are not limited to, web beacons, tracking pixels, session replay scripts, and fingerprinting scripts. In the mobile app context, tracking technologies also relate to advertising IDs and device IDs. 

Individually identifiable health information in the context of tracking technologies

OCR’s bulletin states that when information provided to a tracking technology vendor includes a medical record number, home or email address, date of an appointment, IP address, geographic location, medical device ID, or any other unique identifying code,[3] then such information is individually identifiable health information (IIHI).[4]  OCR takes the position that all such IIHI collected on a regulated entity’s website or mobile app is generally PHI, even if the individual does not have an existing relationship with the regulated entity at the time of collection and even if the IIHI, such as an IP address or geographic location, does not include specific treatment or billing information.  OCR alleges that its broad interpretation of PHI is because, “when a regulated entity collects the individual’s IIHI through its website or mobile app, the information connects the individual to the regulated entity (ie, it is indicative that the individual has received or will receive health care services or benefits from the covered entity), and thus relates to the individual’s past, present, or future health or health care or payment for care.”

Accordingly, this bulletin converts what many companies assumed was general personal information subject to state law, eg, IP addresses or geographic locations, into IIHI, thereby extending the definition of PHI and subjecting potential new data sets to HIPAA.  

User-authenticated vs unauthenticated pages

OCR distinguishes between regulated entities having user-authenticated pages, eg, those pages where they require a user to log-in with credentials to access the page, and unauthenticated pages, eg, informational articles, appointment lookup pages, or other tools that do not require a login.

On user-authenticated pages, OCR is clear that a regulated entity must only use online tracking technologies in compliance with the HIPAA Privacy Rule, and that such tracking technology vendors are business associates if they create, receive, maintain, or transmit PHI on behalf of a regulated entity for healthcare operations or another covered function. This position is not controversial.

However, on unauthenticated pages, OCR still has concern over the use of online tracking technologies. Specifically, OCR provides two examples where it asserts that HIPAA still applies: (1) if a regulated entity uses tracking technologies on the login or registration page of a patient portal, then the registration information provided would be PHI; and (2) if a regulated entity uses tracking technologies on unauthenticated webpages that address specific symptoms or health conditions, including pregnancy, or allow for searching for doctors or to schedule appointments. For this latter example, OCR expressed concern that the tracking technologies would collect a user’s email or IP address and that such information would be PHI disclosed to the tracking technology vendor.

Mobile apps

OCR also identified that the use of tracking technologies, advertising IDs, and device IDs on mobile apps triggers the same analysis, such that any information collected by a Covered Entity or Business Associate’s mobile app is PHI and that such entity must comply with the HIPAA Rules for any PHI used or disclosed, including disclosures made to mobile app vendors, tracking technology vendors, or any other third party that receives the information.

However, OCR again clarified that HIPAA does not cover information that consumers voluntarily download or enter into mobile apps that are not developed or offered by or on behalf of regulated entities, regardless of where the information came from.  For example, HIPAA does not apply to health information that an individual enters into a mobile app offered by an entity that is not regulated by HIPAA (even if the information contains sensitive health information). In instances where HIPAA does not apply to such information, however, other laws may apply such as the Federal Trade Commission (FTC) Act and the FTC’s Health Breach Notification Rule (HBNR).

Questions remain 

This bulletin raises some questions. In particular, we note that OCR does not provide a list of specific symptoms or conditions that constitute PHI if collected on an unauthenticated webpage by an online tracking technology. Further, OCR does not explain how a regulated entity would distinguish an individual seeking information about a specific condition for a non-healthcare purpose, eg, research or curiosity, from a potential patient, nor does OCR discuss other possible reasons for accessing unauthenticated webpages, eg, to find out about available job openings or other non-healthcare purposes.

This continues to be an evolving space in health privacy law that we continue to monitor. For information about HIPAA and compliance obligations, please contact your DLA Piper relationship partner, the authors of this alert, or any member of our healthcare industry or privacy groups.

[1] We note that the bulletin does not have the full force and effect of law and is not intended to bind the public in any way. However, the bulletin reflects OCR’s current thinking and interpretation of HIPAA and could inform OCR’s response to any incidents involving tracking technologies.

[2] Separately, we note that OCR, the Federal Trade Commission, the Office of the National Coordinator for Health Information, and the Food and Drug Administration released an updated Mobile Health App Interactive Tool this month to help developers of health-related mobile apps understand what federal laws and regulations apply to them.

[3] The examples provided by OCR are not exhaustive and also include any identifier set forth under 45 C.F.R. § 164.514(b)(2)(i).

[4] Individually identifiable health information (IIHI) is a subset of health information, including demographic information collected from an individual, that is received by a covered entity (or its business associate) and relates to the past, present, or future health, healthcare, or payment for healthcare to an individual; and identifies the individual or can be used to identify the individual.