The Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) recently issued a bulletin highlighting the application of Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to covered entities and business associates (“Regulated Entities”) under the HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) when using online tracking technologies that collect and analyze information about how internet users interact with websites or mobile applications (“Tracking Technologies”). While the Bulletin emphasizes that Regulated Entities have always been prohibited from impermissible uses and disclosures of protected health information (“PHI”) collected through Tracking Technologies, including disclosing PHI to Tracking Technology vendors without entering into business associate agreements (“BAAs”), OCR has been relatively silent on this issue to date.
To highlight the application of HIPAA to Regulated Entities leveraging Tracking Technologies, the Bulletin provides several examples of how Tracking Technologies may collect and share PHI, including on authenticated and unauthenticated webpages, as well as mobile apps. In particular, the Bulletin describes how websites and mobile apps commonly use Tracking Technologies to collect information from users, including identifiers that are unique to users’ mobile devices. This information can then be used by the owner of a website or app, a related vendor, or a third party to gain insights about users’ online activities and to create a unique profile for each user. These insights and information can be used in beneficial ways to help improve care or the patient experience, but they can also be misused to promote misinformation and for other detrimental purposes.
In a nutshell, OCR’s Bulletin stresses that when an individual uses Regulated Entities’ websites or mobile apps, information such as the individual’s medical record number, home or email address, dates of appointments, IP address, geographic location, or medical device ID may constitute PHI subject to HIPAA and should be held by Regulated Entities accordingly. According to OCR, such information generally is PHI, even if the individual does not have an existing relationship with the Regulated Entity and even if the information does not include specific treatment or billing information like dates and types of health care services. Per OCR, this is because the information connects the individual to the Regulated Entity (i.e., it is indicative that the individual has received or will receive health care services or benefits from the covered entity), and thus relates to the individual’s past, present, or future health or health care or payment for care