The Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) recently issued a bulletin highlighting the application of Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to covered entities and business associates (“Regulated Entities”) under the HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) when using online tracking technologies that collect and analyze information about how internet users interact with websites or mobile applications (“Tracking Technologies”). While the Bulletin emphasizes that Regulated Entities have always been prohibited from impermissible uses and disclosures of protected health information (“PHI”) collected through Tracking Technologies, including disclosing PHI to Tracking Technology vendors without entering into business associate agreements (“BAAs”), OCR has been relatively silent on this issue to date.

To highlight the application of HIPAA to Regulated Entities leveraging Tracking Technologies, the Bulletin provides several examples of how Tracking Technologies may collect and share PHI, including on authenticated and unauthenticated webpages, as well as mobile apps. In particular, the Bulletin describes how websites and mobile apps commonly use Tracking Technologies to collect information from users, including identifiers that are unique to users’ mobile devices. This information can then be used by the owner of a website or app, a related vendor, or a third party to gain insights about users’ online activities and to create a unique profile for each user. These insights and information can be used in beneficial ways to help improve care or the patient experience, but they can also be misused to promote misinformation and for other detrimental purposes.

In a nutshell, OCR’s Bulletin stresses that when an individual uses Regulated Entities’ websites or mobile apps, information such as the individual’s medical record number, home or email address, dates of appointments, IP address, geographic location, or medical device ID may constitute PHI subject to HIPAA and should be held by Regulated Entities accordingly. According to OCR, such information generally is PHI, even if the individual does not have an existing relationship with the Regulated Entity and even if the information does not include specific treatment or billing information like dates and types of health care services. Per OCR, this is because the information connects the individual to the Regulated Entity (i.e., it is indicative that the individual has received or will receive health care services or benefits from the covered entity), and thus relates to the individual’s past, present, or future health or health care or payment for care

Tracking on user-authenticated webpages

Tracking Technologies on Regulated Entities’ user-authenticated webpages (i.e., pages that require the user to log in for access), such as a patient or health plan beneficiary portal or a telehealth platform, generally have access to PHI. According to OCR, Regulated Entities must:

  • Configure any user-authenticated webpages that include Tracking Technologies to allow such technologies to only use and disclose PHI in compliance with the HIPAA Privacy Rule;
  • Ensure that the electronic PHI collected through these pages is protected and secured in accordance with the HIPAA Security Rule; and
  • Enter into BAAs with applicable Tracking Technology Vendors.

For example, if an individual makes an appointment through the website of a covered entity health clinic for health services and that website uses third party Tracking Technologies, then the website might automatically transmit information regarding the appointment and the individual’s IP address to a Tracking Technology vendor. In this case, the Tracking Technology vendor is a business associate to the clinic and a BAA is required.

Tracking on unauthenticated webpages

Tracking Technologies on Regulated Entities’ unauthenticated webpages generally do not have access to individuals’ PHI; in this case, a Regulated Entity’s use of such Tracking Technologies is not regulated by the HIPAA Rules. The Bulletin does not provide specific examples, but this might occur, for instance, on unauthenticated webpages where individuals can view general information and news about a Regulated Entity, subscribe to certain newsletters, or make donations to nonprofit health care providers.

In some cases, however, Tracking Technologies on unauthenticated webpages may have access to PHI, in which case the HIPAA Rules apply to the Regulated Entities’ use of Tracking Technologies and disclosures to the Tracking Technology vendors. The Bulletin offers the following two examples of unauthenticated webpages where the HIPAA Rules apply:

  • A Regulated Entity’s patient portal login page or registration page, where Tracking Technologies collect an individual’s login information or registration information.
  • A webpage that addresses specific symptoms or health conditions or that permits individuals to search for doctors or schedule appointments without entering credentials, where Tracking Technologies collect an individual’s email address and/or IP address.

Tracking within mobile apps

If a Regulated Entity offers a mobile app that collects information provided by the app user or their device (e.g., fingerprints, network location, geolocation, device ID, or advertising ID), such information is PHI and is subject to the HIPAA Rules. For example, the HIPAA Rules apply to any PHI collected by a covered health clinic through the clinic’s mobile app used by patients to track health-related variables associated with pregnancy (e.g., menstrual cycle, body temperature, contraceptive prescription information). The Bulletin affirms that the HIPAA Rules do not apply to mobile apps that are not developed or offered by or on behalf of Regulated Entities. Such mobile apps may be subject to other federal and state laws, including the Federal Trade Commission (“FTC”) Act, the FTC’s Health Breach Notification Rule, and state data privacy laws.

HIPAA compliance when using Tracking Technologies

The Bulletin offers some examples of the HIPAA Privacy, Security, and Breach Notification requirements that Regulated Entities must meet when using Tracking Technologies with access to PHI, including:

  • Ensuring that all disclosures of PHI to Tracking Technology vendors are specifically permitted by the Privacy Rule and that, unless an exception applies, only the minimum necessary PHI to achieve the intended purpose is disclosed.
    • The Bulletin specifically notes that the Privacy Rule does not permit disclosures of PHI to a Tracking Technology vendor based solely on a Regulated Entity informing individuals in its privacy policy, notice, or terms and conditions of use that it plans to make such disclosures.   
  • Establishing a BAA with a Tracking Technology vendor that meets the definition of a “business associate.”
  • Addressing the use of Tracking Technologies in the Regulated Entity’s Risk Analysis and Risk Management processes, as well as implementing other administrative, physical, and technical safeguards in accordance with the Security Rule to protect ePHI. Examples include:
    • Encrypting ePHI that is transmitted to the Tracking Technology vendor; and
    • Enabling and using appropriate authentication, access, encryption, and audit controls when accessing ePHI maintained in the Tracking Technology vendor’s infrastructure.
  • Providing breach notification to affected individuals, the Secretary of HHS, and the media (when applicable) of an impermissible disclosure of PHI to a Tracking Technology vendor that compromises the security or privacy of PHI when there is no Privacy Rule requirement or permission to disclose PHI and there is no BAA with the vendor. In such instances, there is a presumption that there has been a breach of unsecured PHI unless the Regulated Entity can demonstrate that there is a low probability that the PHI has been compromised.

Key takeaway

OCR’s interpretation of the HIPAA Rules as outlined in the Bulletin arguably is broader than Regulated Entities may have expected, given that the use of Tracking Technologies has not thus far been a focus of enforcement for the agency. The Bulletin demonstrates a need for Regulated Entities to evaluate (or re-evaluated) their use of Tracking Technologies. Such evaluation should, at a minimum, address the following two questions:

  • Whether the information collected and/or shared by Tracking Technologies is identifiable; and
  • Whether the information relates to the physical or mental health or condition of an individual, or the provision of or payment for past, present or future health care.

Reed Smith will continue to monitor related developments. Please contact the authors of this post or your Reed Smith health care attorney to help you assess the applicability of this guidance to your business practices and help with your compliance efforts.