What Are Tracking Technologies?
The bulletin defines tracking technology as “a script or code on a website or mobile app used to gather information about users as they interact with the website or mobile app.” For websites, tracking technologies include cookies, web beacons, session replay scripts, and fingerprinting scripts, among others. They may be placed in specific locations on a site or app; for example, a pixel may be inserted into particular content through a website’s content management system or embedded directly in the source code of a webpage or app. OCR notes that these technologies can be deployed on user-authenticated webpages, where individuals must log in with credentials, and on unauthenticated webpages, where no login is required. For the former, OCR gives the example of an appointment webpage for a covered health clinic; for the latter, examples include the login page of a regulated entity’s patient portal or an “unauthenticated webpage that addresses specific symptoms or health conditions.” For mobile apps, OCR indicates that tracking code may be included or embedded within the app to collect information. As a practical matter, many websites use a wide range of tracking technologies for security, bug reporting, marketing, and analytics purposes. OCR does not directly acknowledge these purposes or the nuances of how and where different tracking technologies may be placed on specific areas, functionalities, or pages of websites or apps.
Within the bulletin, OCR notes that identifiable information collected by tracking technologies can include an individual’s medical record number, home or email address, dates of appointments, IP address or geographic location, medical device IDs, or any unique identifying code. Because tracker requests are made by the individual’s own browser, the tracker receives the individual’s IP address and can associate it with whatever other information the request carries. In addition, OCR states that data sent to tracking technology vendors may also be “identifiable by virtue of the unique identifier cookies that web trackers use to track a user across websites.” Note, however, that OCR acknowledges not all information collected by tracking technologies may constitute individually identifiable health information, as further discussed below.
How Does HIPAA Apply to the Use of Tracking Technologies?
While HIPAA has several components, three significant parts of the regulation are the Privacy Rule, the Security Rule, and the Breach Notification Rule (collectively, the “HIPAA Rules”). The Privacy Rule addresses the use and disclosure of PHI subject to HIPAA and individuals’ privacy rights relating to how their health information may be used or disclosed. The Security Rule sets forth standards for the protection of electronic PHI created, received, used, or maintained by a covered entity and its business associates, including administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of the electronic PHI. The Breach Notification Rule requires regulated entities to provide notification following a breach of unsecured protected health information.
According to the OCR bulletin, the HIPAA Rules may apply to regulated entities’ use of tracking technologies in several ways:
- Privacy Rule. Disclosures of PHI to tracking technology vendors must be permitted by the Privacy Rule. A regulated entity must determine whether a vendor that receives PHI is a business associate and, if so, enter into a business associate agreement (BAA) with it; where there is no BAA, the entity must obtain individuals’ HIPAA-compliant authorizations before PHI is disclosed to the vendor.
- Security Rule. Regulated entities should address tracking technologies under the HIPAA Security Rule by (1) including the use of such technologies (both by the regulated entity and its business associates, as applicable) in risk analysis, risk management, and evaluation processes, and (2) confirming that appropriate administrative, physical, and technical safeguards are in place to protect PHI collected through or disclosed to tracking technologies.
- Breach Notification Requirements. Whenever there is an impermissible disclosure of PHI to unauthorized persons, including to tracking technology vendors (e.g., where there is no BAA in place or PHI has been disclosed for an impermissible purpose), regulated entities must analyze their notice obligations under applicable data breach notification requirements.
Is All Information Collected Using Tracking Technologies PHI?
Not all health information collected by tracking technologies is necessarily subject to HIPAA. For example, the HIPAA Rules would not apply to tracking technologies used on websites or mobile apps developed or offered by non-regulated entities, such as consumer-focused digital health companies. In addition, the bulletin distinguishes between data collection on user-authenticated webpages and on unauthenticated webpages, indicating that tracking technologies used on user-authenticated pages are more likely to have access to and collect PHI and must therefore comply with the HIPAA Rules. OCR provides two examples of how tracking technologies on unauthenticated webpages might collect PHI: one involves tracking individuals on a “user registration webpage,” and the other involves an unauthenticated user visiting a page that addresses specific health conditions or allows them to search for available appointments with healthcare providers. OCR does not make clear what other circumstances might lead tracking technologies to collect PHI from non-patients or unauthenticated users, but the bulletin suggests that using these technologies on certain areas or functionalities of unauthenticated webpages may still trigger compliance obligations under the HIPAA Rules. There may be instances when a regulated entity can demonstrate that information collected by a tracking technology on an unauthenticated webpage does not indicate that an individual has received, will receive, or is seeking to receive healthcare services or benefits and is, therefore, not PHI. For example, regulated entities might design their websites and apps with separate pathways and content for individuals who are seeking or receiving care or benefits and for those who are not, so that data collected from each group can be distinguished.
Even where such information is not PHI, individually identifiable information collected by the tracking technology may still be subject to other regulatory frameworks, such as the Federal Trade Commission (FTC) Act or state privacy laws (as further discussed below).
Although the bulletin was intended to clarify OCR’s position on tracking technologies used by regulated entities, it raises several questions. For instance, how should regulated entities assess their compliance obligations with respect to data collected from individuals who explore their websites out of curiosity or for research purposes? The bulletin does not address how a regulated entity might distinguish a potential patient from an individual seeking information about a specific condition, healthcare facility, or provider for a non-healthcare purpose. There will undoubtedly be website visitors who never form, or intend to enter into, any relationship with a regulated entity, and information collected from such a visitor might not constitute PHI. In Smith v. Facebook, Inc., where it was alleged that several healthcare organizations disclosed web browsing activity to Facebook (now known as Meta), the U.S. District Court for the Northern District of California dismissed the lawsuit, concluding, among other things, that Facebook did not collect PHI because nothing about the information collected or shared related to the plaintiffs’ health. It remains unclear, however, how a regulated entity should document its differentiation between potential patients and the myriad other website visitors. Under the bulletin, regulated entities will need to exercise caution when classifying, and assessing their compliance responsibilities for, data collected from website visitors who are seeking or receiving care or health benefits and from those who are not.
In addition, not all uses of tracking technologies collect individually identifiable information or data that meets the definition of PHI. The bulletin does not directly address a compliance exception for tracking technologies that receive, collect, or access only deidentified data (e.g., information that does not include the identifiers listed in 45 C.F.R. § 164.514(b)(2)). Note that even if the tracking technology vendor deidentifies the data it receives before further processing or disclosing it, HIPAA obligations still attach because, according to the bulletin, the vendor receives PHI before deidentification occurs. In these circumstances, the regulated entity would need to evaluate whether the vendor is a business associate and, if so, enter into a BAA, obtain the individual’s HIPAA-compliant authorization, or, if neither a BAA nor an authorization is possible, cease or modify its use of the tracking technology.
Risks and Considerations beyond HIPAA
Beyond HIPAA, there are other privacy and legal considerations to take into account when deploying and using tracking technologies:
- Several states have enacted consumer privacy laws (e.g., the California Consumer Privacy Act and the Virginia Consumer Data Protection Act) that give their residents privacy rights over their personal information, which can be defined to include unique identifiers such as IP addresses and geographic location. Regulated entities and tracking technology vendors are required to comply with the applicable laws of each state when collecting personal information using tracking technologies.
Recommendations for Assessing and Remedying Non-Compliance
OCR’s bulletin outlines several steps regulated entities can take to address privacy and security compliance risks associated with tracking technologies. As regulated entities develop risk mitigation plans to address HIPAA compliance gaps related to their use of tracking technologies, they might consider the following:
- Review websites, web apps, and mobile apps to create a data map of which webpages and apps collect IIHI and the categories of data being collected. Examine unauthenticated webpages in particular to understand what information is presented to users and what users are able to do on such webpages. For example, does a webpage address specific health conditions and encourage or permit individuals to seek care for such conditions (such as by identifying doctors or appointment availability)? Under the bulletin, OCR might consider information collected by tracking technologies on such webpages (including an individual’s IP address and email address) to be PHI that is protected by the HIPAA Rules.
- Inventory both (1) tracking technologies in use on websites and apps and (2) the vendors providing such technologies and determine the categories of data collected by tracking technology vendors, including from whom data is collected, when the collection occurs, and whether and how data is further disclosed. Investigate vendors that offer services and tools to review what tracking tools are present on websites and apps. Evaluate whether some data processing activities by tracking technology vendors may be outside the scope of the HIPAA Rules, whether due to the purpose and content of the webpage, the placement of the tracking technology on a particular area, page or functionality on a website or app, or the specific data collected by the tracking technology.
- Evaluate whether disclosures of PHI to tracking technology vendors are permitted by and consistent with the HIPAA Rules (i.e., disclosures occur for a permissible purpose, only the minimum necessary PHI to achieve the intended purpose is disclosed, etc.).
- Investigate whether any existing business associates are utilizing tracking technologies that implicate PHI and if they are impermissibly sharing PHI through their use of tracking technologies.
- Analyze agreements with tracking technology vendors to determine whether vendors meeting the definition of a business associate have entered into a business associate agreement with the regulated entity. Business associate agreements should include the required elements outlined in the HIPAA Rules.
- Where a business associate relationship does not exist with a tracking technology vendor but the tracking technology is configured to collect PHI, develop a strategy to obtain individuals’ authorizations before disclosing PHI to the vendor. If it is infeasible to obtain HIPAA-compliant authorizations from individuals, limit the data collected by the tracking technology or end the use of the tracking technology on affected areas or functionalities of the website or apps.
- Assess the use of online tracking technologies as a part of the entity’s privacy and security risk analysis and risk management processes and implement appropriate safeguards in accordance with the HIPAA Rules, where applicable. Implement a process with information technology teams and website/app managers to review new tools or vendors before they are implemented.
- Audit tracking technology vendors’ access to and use of confidential and individually identifiable data, including PHI. For any non-compliance identified, identify and implement mitigation steps and evaluate whether it is necessary to provide breach notifications to affected individuals and to OCR in accordance with the Breach Notification Rule.
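The inventory and audit steps above, and the earlier point that tracker requests are made by the visitor’s own browser and carry whatever identifiers the page hands them, can be partly automated. The following Python script is an added example written for this page; it is not code from the bulletin, from OCR, or from any tracking vendor. It parses a page’s HTML for script, pixel, iframe, and stylesheet resources loaded from hosts outside the regulated entity’s own domain (the inventory step), then scans captured tracker request URLs for query parameters that look like the identifiers OCR lists (email address, appointment date, medical record number) or that pass along the URL of a condition-specific or appointment page. The first-party domain `clinic.example`, the tracker host list, the sensitive parameter names, the care-seeking path prefixes, and the sample HTML and request URLs are all constructed assumptions for illustration; a real inventory would use a maintained tracker list and the organization’s own site map.

```python
"""Added example: static inventory of third-party tracking resources on a page,
plus a scan of captured tracker request URLs for identifier-like parameters.
Every domain, parameter name, and sample input below is a constructed assumption."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlparse

FIRST_PARTY = "clinic.example"  # assumed domain of the regulated entity

# Assumed tracker hosts; a real inventory would use a maintained tracker list.
KNOWN_TRACKER_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com", "www.facebook.com"}
# Assumed parameter names that carry identifiers OCR lists (MRN, email, dates).
SENSITIVE_KEYS = {"mrn", "email", "em", "dob", "appt_date", "patient_id"}
# Assumed first-party paths where a visitor is seeking or receiving care.
CARE_SEEKING_PREFIXES = ("/conditions/", "/find-a-doctor", "/appointments", "/patient-portal")

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


class ResourceCollector(HTMLParser):
    """Collects the URL attribute of tags that make the browser issue a request."""

    URL_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.resources = []  # (tag, url) in document order

    def handle_starttag(self, tag, attrs):
        wanted = self.URL_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.resources.append((tag, value))


def third_party_resources(html, first_party=FIRST_PARTY):
    """Return every resource the page loads from a host outside first_party."""
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.resources:
        host = urlparse(url).hostname
        if host is None:  # relative URL: served by the regulated entity itself
            continue
        if host == first_party or host.endswith("." + first_party):
            continue
        findings.append({"tag": tag, "host": host, "known_tracker": host in KNOWN_TRACKER_HOSTS})
    return findings


def suspicious_params(request_url):
    """Flag query parameters in a tracker request that look like PHI or that reveal
    the visitor was on a care-seeking page. Returns [(param, reason), ...]."""
    flagged = []
    for key, value in parse_qsl(urlparse(request_url).query, keep_blank_values=True):
        reason = None
        if key.lower() in SENSITIVE_KEYS:
            reason = "sensitive parameter name"
        elif value.startswith(("http://", "https://")):
            if urlparse(value).path.startswith(CARE_SEEKING_PREFIXES):
                reason = "page URL from a care-seeking section of the site"
        elif EMAIL_RE.match(value):
            reason = "email-shaped value"
        elif DATE_RE.match(value):
            reason = "date-shaped value"
        if reason:
            flagged.append((key, reason))
    return flagged


# Constructed sample input: an unauthenticated condition page and two requests
# captured from the browser while it rendered that page.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<link rel="stylesheet" href="https://cdn.clinic.example/site.css">
</head><body>
<h1>Diabetes care at Example Clinic</h1>
<img src="https://www.facebook.com/tr?id=123456&ev=PageView" height="1" width="1">
<iframe src="https://www.youtube.com/embed/abc123"></iframe>
</body></html>
"""
SAMPLE_REQUESTS = [
    "https://www.facebook.com/tr?id=123456&ev=PageView"
    "&dl=https%3A%2F%2Fclinic.example%2Fconditions%2Fdiabetes"
    "&em=jane%40example.com&appt_date=2024-03-05",
    "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE",
]

if __name__ == "__main__":
    for r in third_party_resources(SAMPLE_HTML):
        print(f"{r['tag']:6} -> {r['host']} (known tracker: {r['known_tracker']})")
    for url in SAMPLE_REQUESTS:
        for key, reason in suspicious_params(url):
            print(f"request to {urlparse(url).hostname} carries {key}: {reason}")
```

The static pass only sees resources present in the served HTML; tags injected later by a tag manager or by a third-party script will not appear, so a full inventory should also review the browser’s actual network requests, which is what the second function operates on. Note that the request scan flags the page URL itself: even a request with no name or email can reveal that an identifiable browser (IP address, tracker cookie) visited a condition-specific page, which is exactly the unauthenticated-page scenario the bulletin describes.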
While a regulated entity’s use of tracking technologies does not constitute an automatic HIPAA violation, OCR’s bulletin highlights the importance of implementing a privacy and security impact assessment process for website changes and ongoing management. Healthcare compliance, legal, and privacy professionals should closely coordinate with marketing teams with the goal of using tracking technologies in a manner that balances consumer interests and operational benefits with risks to the organization and patients.