Give a Mouse a Cookie, Get a BAA: OCR Bulletin on Tracking Raises HIPAA Risks for HIPAA-Regulated Entities and Online Tracking Vendors

The U.S. Department of Health & Human Services Office for Civil Rights (OCR) issued a new bulletin last week that may have significant implications for the online activities of Covered Entities and Business Associates. The bulletin, “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates,” explains how HIPAA’s reach extends to information collected on websites or mobile apps, including information collected from a user who visits a HIPAA-regulated entity’s website but has no further interaction with that entity. While HIPAA-regulated entities have long understood that their ‘internal tools’ (e.g., EHRs, practice management, and clinical support software) must comply with HIPAA, the new bulletin makes it clear that information routinely collected by vendors on public-facing websites, apps, and web-based assets may be PHI as well.

What is Tracking Technology?

The bulletin provides an overview of various tracking technologies that are common to websites and apps, such as cookies, pixels, and mobile SDKs (commonly called “cookies” as a category). These may be new terms to some HIPAA practitioners.

Cookies are small text files that pixels and beacons place in the browser so that activity can be tracked over time. Pixels and beacons collect data and send it to servers, where it is tied to the cookie ID. “First-party cookies” are used for tracking when the data is sent to the website owner’s own server; “third-party cookies” are used for tracking when the data is sent to third-party servers. Tracking technologies can be used for a variety of purposes, including marketing, analytics, and operations.

Tracking technologies generally collect cookie IDs, device IDs, and location data that connect browsing activity to an individual user.

When Does Tracking Technology Collect PHI?

Some of the bulletin’s guidance about tracking technologies is straightforward. For example, many HIPAA-regulated entities would not be surprised by guidance that individually identifiable health information logged by tracking technologies, such as a medical record number, or most information collected from authenticated users while they are logged into a regulated entity’s site, is protected health information (PHI). Other parts of the guidance may be surprising, because they expand the general understanding of the scope of the definition of PHI to include tracking activities involving unauthenticated users (i.e., visitors who are not logged in) of publicly available websites.

While acknowledging that “tracking technologies on regulated entities’ unauthenticated webpages generally do not have access to individuals’ PHI,” OCR also states that tracking technologies collecting data about unauthenticated users of websites that address specific health conditions, or that permit individuals to search for medical providers, may “in certain circumstances” be collecting PHI. Thus, a HIPAA-regulated entity may be collecting PHI via tracking technologies when a non-logged-in visitor to its website is merely browsing or interacting with a web page that contains general information about a specific condition.

To illustrate: when a user browses a site about a specific medical condition, metadata about their visit may be generated and collected by the site owner’s or third parties’ tracking technologies. Say, for example, that the webpage is titled “Diabetes Care.” If a third-party tracking vendor is collecting events on that page, its tracking technology will register the user’s cookie ID, IP address, and the title and URL of the page they browsed and, thus, may have access to PHI under OCR’s reasoning.

OCR does not make clear, for this scenario or the scenarios above, what specific circumstances cause such tracking to be considered PHI. It does, however, provide two clear examples. One involves tracking of users on registration or login creation pages. The other involves an unauthenticated user visiting a page with third-party tracking technologies and searching for available appointments with health care providers. OCR definitively states that both of these circumstances would involve disclosure of PHI to a third-party tracking vendor.

Implications for Web-Based PHI Collection

Websites typically involve a slew of tracking technologies, including for marketing, bug reporting, security, and analytics purposes. If these tracking technologies are collecting PHI, HIPAA-regulated entities will need to ensure that the uses are permissible under HIPAA. For uses outside of treatment, payment, and healthcare operations, authorization will be required. Obtaining a HIPAA authorization may be difficult in the context of tracking technologies, because an authorization must be in writing and make several specified disclosures. The practical reality is that uses for which authorization is required – including marketing – will effectively become impossible if that use depended on data that was previously considered non-PHI.

HIPAA-regulated entities will need to analyze their entire digital footprint to identify vendors that may be collecting PHI and take steps to ensure that they have a clear understanding of their own data collection and processing activities across that footprint. They will then need to extend their compliance programs to account for this expanded PHI footprint, including, potentially, entering into Business Associate Agreements with online tracking vendors or replacing them with vendors that are HIPAA compliant.

Many such vendors may not have considered themselves Business Associates subject to HIPAA. Vendors will need to become familiar with HIPAA’s requirements for Business Associates, including restrictions on use and the requirement to enter into a Business Associate Agreement, and decide whether they are willing and able to abide by those requirements and take on the associated risks.

2023 State Privacy Law Implications

The expanded understanding of what constitutes PHI may complicate (or simplify, depending on an entity’s preparedness) preparations for state privacy laws currently in effect and coming into effect in 2023. Many of these state laws contain carveouts for certain HIPAA-regulated activities. For example, the CCPA does not apply to HIPAA-regulated PHI. Before this guidance, many believed that online tracking activities of unauthenticated users were not covered by HIPAA but instead were subject to CCPA requirements. HIPAA-regulated entities will now need to determine whether that personal information is subject to HIPAA requirements instead, and what that means from an operational perspective. Thus, a detailed website review and data flow analysis should be carried out to ensure that your organization understands exactly where HIPAA ends and applicable state privacy laws begin.

Steps for HIPAA-Regulated Entities to Comply with the OCR Bulletin

  1. Meet with your website management team. HIPAA practitioners need to develop strong relationships with front-end product, engineering, and marketing teams to better understand digital data flows and educate these teams on identifying and handling PHI.

  2. Create a list of all tracking technology on your website. It is critical to understand what tracking technology is on your site, and what specific data is collected. There are many vendors that offer services, and even tools practitioners can use, to review what tracking tools are present on their site.

  3. Identify other web-based data collection. Your security and IT teams likely use many other vendors to ensure that your organization’s website and mobile applications are secure and operational. The data collected by these vendors may contain PHI and should be documented as above.

  4. Categorize the data collected on your site. Based on OCR’s guidance, classify data as PHI (subject to HIPAA) or non-PHI (which may be subject to state privacy laws) and identify its uses and disclosures to ensure they are compliant. In particular, organizations will need to identify any PHI used for marketing or sold to third parties. Such use is likely to require authorization, which many organizations will find impractical to obtain.

  5. Review the vendors and agreements in place with all tracking technology and web-based data collection vendors. The next step is to ensure the full PHI data flow is HIPAA compliant. Consider: Do the front-end teams collecting this information understand the use limitations that accompany PHI? Is the data transmitted in compliance with the Security Rule? Are there vendors that need to be eliminated or replaced? And for every vendor receiving PHI, have you confirmed they have entered into a Business Associate Agreement?

  6. Implement a process, with the website management and IT teams, for reviewing and implementing new web tool vendors. HIPAA-regulated entities likely have a process in place to review and document the addition of new vendors who will process PHI on behalf of their organization. HIPAA practitioners should implement the same or a similar process any time a new vendor is proposed for the organization’s public-facing websites and apps.

  7. Expand the scope of the HIPAA security risk assessment to include tracking technologies that collect PHI. The security risk assessment must account for the potential risks and vulnerabilities to PHI on all systems which process PHI.
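As an added illustration of the “Diabetes Care” scenario described earlier and of steps 2 and 4 above (inventorying tracking technology and categorizing what it collects), the following Python script, written for this article and not taken from OCR or any vendor, triages captured browser requests (such as those exported from a HAR file) and flags third-party requests that carry an identifier together with the URL or title of a condition, provider-search or appointment page. The first-party domain, tracker hostnames, parameter names and path fragments are all assumed placeholders.

```python
from urllib.parse import parse_qs, urlparse

FIRST_PARTY = "example-hospital.org"  # assumed first-party domain (placeholder)

# Constructed sample of the requests a browser makes while a logged-out visitor
# views the "Diabetes Care" page. Tracker hostnames and parameter names are
# invented for this example and do not describe any real vendor.
SAMPLE_REQUESTS = [
    {"url": "https://example-hospital.org/conditions/diabetes-care", "headers": {}},
    {"url": "https://collect.example-tracker.net/event?cid=1234.5678"
            "&dl=https%3A%2F%2Fexample-hospital.org%2Fconditions%2Fdiabetes-care"
            "&dt=Diabetes%20Care",
     "headers": {"Cookie": "_tid=1234.5678"}},
    {"url": "https://cdn.example-fonts.net/font.woff2", "headers": {}},
]

# Page types the bulletin singles out: condition-specific content, provider
# search and appointment scheduling. Path fragments are assumed for the sample site.
SENSITIVE_PATHS = ("/conditions/", "/find-a-doctor", "/appointments")
ID_PARAMS = {"cid", "uid", "client_id"}            # identifier parameters (assumed names)
PAGE_PARAMS = {"dl", "dt", "url", "title", "ref"}  # page URL/title parameters (assumed names)


def is_third_party(url, first_party=FIRST_PARTY):
    host = urlparse(url).hostname or ""
    return host != first_party and not host.endswith("." + first_party)


def classify(req, first_party=FIRST_PARTY):
    """Rate one request against the bulletin's scenario: a third party receiving an
    identifier (cookie or ID parameter) alongside a sensitive page's URL or title."""
    parsed = urlparse(req["url"])
    result = {"host": parsed.hostname, "third_party": is_third_party(req["url"], first_party)}
    if not result["third_party"]:
        result["risk"] = "first-party"
        return result
    qs = parse_qs(parsed.query)  # percent-decodes values such as the dl= page URL
    has_identifier = bool(ID_PARAMS.intersection(qs)) or "Cookie" in req.get("headers", {})
    page_context = [v for k in PAGE_PARAMS.intersection(qs) for v in qs[k]]
    if has_identifier and any(p in v for v in page_context for p in SENSITIVE_PATHS):
        result["risk"] = "possible-phi"       # vendor needs a BAA, or the tag comes off
    elif page_context:
        result["risk"] = "page-context-only"  # document the use and review it
    else:
        result["risk"] = "low"                # third party still sees the IP address
    return result


def triage(requests, first_party=FIRST_PARTY):
    """Inventory third-party destinations as {host: risk} for the compliance review."""
    results = [classify(r, first_party) for r in requests]
    return {c["host"]: c["risk"] for c in results if c["third_party"]}
```

Run `triage(SAMPLE_REQUESTS)` to see the analytics tracker rated “possible-phi” while the font CDN, which receives only the IP address, is rated “low”.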

If you are a vendor to HIPAA-regulated entities, you will need to decide whether to accept these HIPAA obligations: either contractually prohibit use of your tools by HIPAA covered entities, or be prepared to enter into Business Associate Agreements and take steps to comply with the direct obligations that Business Associates have under HIPAA.

OCR’s Bulletin is Part of Increasing Health Data Tracking Attention

OCR’s bulletin follows increased attention to data flows on the websites of highly regulated entities. Earlier this year, Mass General Brigham settled a lawsuit alleging that trackers on its site captured sensitive information without collecting appropriate consent. The Markup has run a series on sites that may be collecting sensitive personal information via trackers, including tax filing websites and 33 of Newsweek’s top 100 hospitals. Similarly, the Opioid Policy Institute released a report analyzing tracking technology on sites providing addiction-related treatment services. The Dobbs decision from earlier this year has also brought significant attention to the implications of tracking in the healthcare data ecosystem.

Digital health privacy is likely to be an area of continuing interest for regulators and the media. Both HIPAA-regulated entities and those operating outside the scope of HIPAA should take steps to ensure that data flows involving PHI or other sensitive information are well understood and reflected in their privacy governance programs.

Mason Fitch is a Senior Associate at Hintze Law PLLC and a member of the firm’s Health and Biotech Privacy Group.

Hintze Law PLLC is a Chambers-ranked privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support global technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.