HHS OCR Issues a Bulletin on HIPAA Requirements for Tracking Health Information When Using Online Technologies

The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) recently issued a bulletin to highlight the obligations of Health Insurance Portability and Accountability Act of 1996 (HIPAA) on regulated entities under the HIPAA Privacy, Security, and Breach Notification Rules when using online tracking technologies. The bulletin defines tracking technologies, provides examples of potential impermissible disclosures of electronic protected health information (ePHI) by HIPAA regulated entities to online technology tracking vendors, and outlines procedures regulated entities must take to protect ePHI when using tracking technologies in order to comply with HIPAA rules.

Regulated entities use tracking technologies on websites or mobile apps to collect and analyze information about how users are interacting with a regulated entity’s website or mobile application and may engage a technology vendor to perform analyses on user activity. The HIPAA Rules apply when the information that regulated entities collect through tracking technologies or disclose to tracking technology vendors includes protected health information (PHI). In the bulletin, OCR emphasizes that regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules. OCR notes that failure to comply with the HIPAA rules may result in a civil monetary penalty.

PHI and Tracking Technologies

OCR explains that when HIPAA regulated entities use tracking technologies on their websites or mobile apps that the data collected by tracking technologies is often PHI. Specifically, information such as an individual’s medical record number, home or email address, or dates of appointments, as well as an individual’s IP address or geographic location, medical device IDs, or any unique identifying code may be PHI, even if the data does not include specific treatment or billing information like dates and types of health care services. OCR notes that where the information connects the individual to the regulated entity (i.e., it is indicative that the individual has received or will receive health care services or benefits from the covered entity), it will relate to the individual’s past, present, or future health or health care or payment for care even without specific health care or billing information.

Applicability for Various Tracking Technologies

OCR provides insight and examples of how the HIPAA rules would apply on regulated entities’ use of tracking technologies via user-authenticated webpages, unauthenticated webpages, and mobile apps.

Tracking on user-authenticated webpages: OCR states that regulated entities must configure any user-authenticated webpages (i.e., sites that require a user to log in to access the webpage, such as a patient or health plan beneficiary portal or a telehealth platform) that include tracking technologies to allow such technologies to only use and disclose PHI in compliance with the HIPAA Privacy Rule and must ensure that the ePHI collected through its website is protected and secured in accordance with the HIPAA Security Rule. Furthermore, regulated entities that contract with tracking technology vendors to transmit PHI or provide certain services on behalf of a regulated entity must ensure that the disclosures made to such vendors are permitted by the Privacy Rule, including entering into a business associate agreement (BAA) with these tracking technology vendors to ensure that PHI is protected in accordance with the HIPAA Rules.

• For example, if an individual makes an appointment through the website of a covered health clinic and that website uses third party tracking technologies, then the website might automatically transmit information regarding the appointment and the individual’s IP address to a tracking technology vendor. In this case, the tracking technology vendor is a business associate and a BAA is required.

Tracking on unauthenticated webpages: OCR states that since tracking technologies on regulated entities’ unauthenticated webpages, in general, do not have access to individuals’ PHI, the HIPAA rules would not apply to a regulated entity’s use of such tracking technologies. However, OCR provides examples of tracking technologies on unauthenticated webpages which may have access to PHI, in which case the HIPAA Rules apply to the regulated entities’ use of tracking technologies and disclosures to the tracking technology vendors. For example:

• The HIPAA rules apply when tracking technologies on a regulated entity’s patient portal login page or registration page collect an individual’s login or registration information.
• The HIPAA rules apply when tracking technologies collect an individual’s email address and/or IP address when the individual visits a regulated entity’s webpage to search for available appointments with a health care provider. OCR notes that this may apply when the website addresses specific symptoms or health conditions, such as pregnancy or miscarriage.

Tracking on mobile apps: OCR states that regulated entities must comply with the HIPAA Rules for any PHI that individuals disclose on mobile apps, including any subsequent disclosures to the mobile app vendor, tracking technology vendor, or any other third party who receives such information. OCR notes that the HIPAA Rules do not protect the privacy and security of information that users voluntarily download or enter into mobile apps that are not developed or offered by or on behalf of regulated entities. In such instances, OCR states that other laws, including the Federal Trade Commission (FTC) Act and the FTC’s Health Breach Notification Rule (HBNR), may apply when a mobile health app impermissibly discloses a user’s health information.

• For example, the HIPAA Rules apply to any PHI collected by a covered health clinic through the clinic’s mobile app used by patients to track health-related variables associated with pregnancy (e.g., menstrual cycle, body temperature, contraceptive prescription information).
  

Compliance Obligations for Regulated Entities

OCR outlines HIPAA Privacy, Security, and Breach Notification requirements that regulated entities must meet when using tracking technologies with access to PHI. OCR states that regulated entities should ensure that all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule and that only the minimum necessary PHI to achieve the intended purpose is disclosed. OCR also explicitly states that it is insufficient for a tracking technology vendor to agree to remove PHI from the information it receives or de-identify the PHI before the vendor saves the information and that any disclosure of PHI to the vendor can only be done with an individual’s authorization or where the vendor has a signed BAA in place and the disclosure is for a permissible purpose.

OCR notes that website or mobile app privacy policies, notices, or terms and conditions are not sufficient to meet HIPAA requirements.

Takeaways

Regulated entities should evaluate their relationships with tracking technology vendors to determine whether any data disclosed is PHI, determine whether such vendor meets the definition of a business associate, and ensure that the disclosures made to such vendor are permitted by the Privacy Rule.

OCR recommends that regulated entities address the use of tracking technologies in the regulated entity’s risk analysis and management processes and implement other safeguards in accordance with the Security Rule, including encrypting ePHI that is transmitted to the tracking technology vendor. OCR also recommends that regulated entities provide breach notification to affected individuals, HHS, and the media of an impermissible disclosure of PHI to a tracking technology vendor in situations where there is no Privacy Rule requirement or permission to disclose PHI and there is no BAA with the vendor. 

Notably, a number of the examples focus on reproductive health information. As we previously discussed, the Biden Administration and OCR have been taking action to ensure compliance with privacy protections for sensitive reproductive health information, including under HIPAA. We expect additional clarification from the Administration about protecting health information, particularly as it relates to reproductive health services, and will continue to follow these developments.