February 27, 2023

Practical Considerations for the Use of Online Tracking Technologies in Healthcare

By Alya Sulaiman and Ty Kayam

Online tracking technologies are pervasive and used across almost all industries. These technologies, ranging from necessary cookies to pixels such as Google Analytics or Meta Pixel, help organizations operate websites and mobile applications and gather information on users accessing sites and apps for purposes such as analyzing users’ experience and interaction with content, gaining insights on users for targeted advertising, and measuring the effectiveness of marketing campaigns, among others. Recently, the use of tracking technologies within the healthcare industry has been a source of controversy as investigative journalism and several lawsuits emerged alleging that health systems were inappropriately exposing sensitive health information through their use of tracking technologies.

Subsequently, the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services published a bulletin on December 1, 2022, on how the Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to the use of online tracking technologies that collect and analyze information about users of a website or an app. In the bulletin, OCR stated that entities regulated by HIPAA might be violating the law if they use tracking technologies in a manner that would result in impermissible disclosures of electronic protected health information to tracking technology vendors. HIPAA generally applies to protected health information (PHI) created, transmitted, or stored by covered entities and business associates (collectively, “regulated entities”). PHI includes demographic information and individually identifiable health information (IIHI) that relates to an individual’s past, present, or future health, healthcare, or payment for care. As a general matter, the OCR bulletin appears to assume that when a regulated entity uses tracking technologies developed by third-party vendors on certain areas, pages, or functionalities on its websites and apps, their use of the technology may result in both the collection of PHI from website visitors and the disclosure of PHI to the vendor. The bulletin does, however, acknowledge that there may be certain contexts in which tracking technologies collect identifiable information that is not subject to HIPAA. While the guidance does not carry the full force and effect of law, it represents OCR’s current thinking on HIPAA’s applicability to tracking technologies and portends future regulatory scrutiny on the use of these technologies in the healthcare sector.

What Are Tracking Technologies?

The bulletin defines tracking technology as “a script or code on a website or mobile app used to gather information about users as they interact with the website or mobile app.” Specifically, for websites, tracking technologies can include cookies, web beacons, session replay scripts, and fingerprinting scripts, among others. In practice, tracking technologies may be implemented in certain places on websites or apps; for example, pixels may be implemented in specific content on a webpage via a website’s content management system or implemented directly in the source code of a webpage or app. In the bulletin, OCR describes that these technologies can be deployed in user-authenticated webpages, where individuals are required to log in with credentials for access, or unauthenticated webpages, where logging in is not required. For the former, OCR provides the example of an appointment webpage for a covered health clinic. For the latter, this can include the login page of a regulated entity’s patient portal or an “unauthenticated webpage that addresses specific symptoms or health conditions.” In the case of mobile apps, OCR indicates that a tracking code may be included or embedded within the app to enable the collection of information. As a practical matter, many websites use a wide range of tracking technologies for security, bug reporting, marketing, and analytics purposes. OCR does not directly acknowledge the purposes for which tracking technologies may be used or the nuances regarding how and where different tracking technologies may be placed on specific areas, functionalities, or pages on websites or apps.

Within the bulletin, OCR notes that identifiable information collected by tracking technologies can include an individual’s medical record number, home or email address, dates of appointments, IP address or geographic location, medical device IDs, or any unique identifying code. Since tracker requests are made by an individual’s browser, they may associate an individual’s IP address with other information sent to the tracker. In addition, OCR states that data sent to tracking technology vendors may also be “identifiable by virtue of the unique identifier cookies that web trackers use to track a user across websites.” Note, however, that OCR acknowledges not all information collected by tracking technologies may constitute individually identifiable health information, as further discussed below.

How Does HIPAA Apply to the Use of Tracking Technologies?

While HIPAA has several components, three significant parts of the regulation are the Privacy Rule, the Security Rule, and the Breach Notification Rule (collectively, the “HIPAA Rules”). The Privacy Rule addresses the use and disclosure of PHI subject to HIPAA and individuals’ privacy rights relating to how their health information may be used or disclosed. The Security Rule sets forth standards for the protection of electronic PHI created, received, used, or maintained by a covered entity and its business associates, including administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of the electronic PHI. The Breach Notification Rule requires regulated entities to provide notification following a breach of unsecured protected health information.

According to the OCR bulletin, the HIPAA Rules may apply to regulated entities’ use of tracking technologies in several ways:

  • Privacy Rule. The Privacy Rule requires that any disclosures of PHI to tracking technology vendors are for a permissible purpose. Where there is a permissible purpose for disclosing PHI to a tracking technology vendor, OCR states that regulated entities should enter into a business associate agreement (BAA) with the vendor prior to using the tracking technology on their websites or mobile applications. A tracking technology vendor is a business associate if it creates, receives, maintains, or transmits PHI for or on behalf of a regulated entity when performing a covered function. Where there is no business associate relationship in place, or it is not possible to enter into a BAA, regulated entities might consider whether they can obtain individual authorization for PHI disclosures to the tracking technology vendor in compliance with HIPAA, limit the data disclosed to the vendor to avoid disclosures of PHI, or end the use of tracking technology on webpages or applications that collect or create PHI. OCR states that the Privacy Rule does not permit PHI disclosures to tracking technology vendors “based solely on a regulated entity informing individuals in its privacy policy, notice, or terms and conditions of use” of such disclosures. In addition, the bulletin stresses that “website banners that ask users to accept or reject a website’s use of tracking technologies, such as cookies, do not constitute a valid HIPAA authorization.”
  • Security Rule. Regulated entities can assess tracking technologies under the HIPAA Security Rule by (1) addressing the use of such technologies (both by the regulated entity and its business associates, as applicable) in risk analysis, risk management, and evaluation processes, and (2) confirming that appropriate administrative, physical, and technical safeguards are in place to protect PHI collected through or disclosed to tracking technologies.
  • Breach Notification Requirements. Whenever there is an impermissible disclosure of PHI to unauthorized individuals, including to tracking technology vendors (e.g., where there is no BAA in place or PHI has been disclosed for an impermissible purpose), regulated entities must analyze their notice obligations under applicable data breach notification requirements.

Is All Information Collected Using Tracking Technologies PHI?

OCR states in the bulletin that IIHI collected by any tracking technologies used by a regulated entity is “generally PHI, even if the individual does not have an existing relationship with the regulated entity and even if the IIHI, such as IP address or geographic location, does not include specific treatment or billing information like dates and types of healthcare services.” OCR’s assertion that an IP address alone may constitute IIHI (even if an individual website visitor does not have an existing relationship with the regulated entity) is a novel and surprising position from the regulator. OCR stresses that this IIHI is PHI because it “connects the individual to the regulated entity” and is “indicative that the individual has received or will receive healthcare services or benefits from the covered entity.” There has been criticism that this is an overbroad interpretation of the definition of PHI and that, under OCR’s reasoning, most individually identifiable information collected through a regulated entity’s use of a tracking technology—that may have otherwise been subject to a website privacy policy or other laws—could be transformed into IIHI subject to the HIPAA Rules. 

Practically, it may be the case that not all health information collected by tracking technologies is subject to HIPAA. For example, the HIPAA Rules would not apply to tracking technologies used on websites or mobile apps developed or offered by non-regulated entities, such as consumer-focused digital health companies. In addition, the bulletin distinguishes between data collection that occurs on user-authenticated webpages versus unauthenticated webpages, indicating that tracking technologies used on user-authenticated pages are more likely to have access to and collect PHI and should therefore comply with the HIPAA Rules. OCR provides two examples of how tracking technologies used on unauthenticated webpages might collect PHI—one scenario involves tracking individuals on a “user registration webpage” and the other involves an unauthenticated user visiting a page that addresses specific health conditions or allows them to search for available appointments with healthcare providers. OCR does not make clear what other circumstances might lead tracking technologies to collect PHI from non-patients or unauthenticated users. OCR seems to suggest in the bulletin that using these technologies on certain areas or functionalities on unauthenticated webpages may still trigger compliance obligations under the HIPAA Rules. There may be instances when a regulated entity can demonstrate that information collected by a tracking technology on an unauthenticated webpage does not necessarily indicate that an individual has received, will receive, or is seeking to receive healthcare services or benefits and is, therefore, not PHI. For example, regulated entities might design and deploy websites and apps to create different pathways and content for those individuals who are seeking or receiving care or benefits and those who are not, to distinguish data collected from each group of users. In this case, individually identifiable information collected by the tracking technology may still be subject to other regulatory frameworks, such as the Federal Trade Commission (FTC) Act or state privacy laws (as further discussed below).

Outstanding Questions

Although the bulletin was intended to clarify OCR’s position on tracking technologies used by regulated entities, it raises several questions. For instance, how should regulated entities assess their compliance obligations with respect to data collected from individuals who explore their websites out of curiosity or for research purposes? The bulletin does not address how a regulated entity might distinguish a potential patient from an individual seeking information about a specific condition, healthcare facility, or provider for a non-healthcare purpose. There will undoubtedly be times when a website visitor may never form or intend to enter into any relationship with a regulated entity. In such cases, information collected from such a visitor might not constitute PHI. In the case of Smith v. Facebook, Inc., where it was alleged that several healthcare organizations disclosed web browsing activity to Facebook (now known as Meta), the U.S. District Court for the Northern District of California dismissed the lawsuit, concluding, among other things, that Facebook did not collect PHI as nothing about the information collected or shared related to the plaintiffs’ health. The issue remains, however, that it is unclear how a regulated entity should document its differentiation between potential patients and myriad other website visitors. Under the bulletin, regulated entities will need to exercise caution when classifying and assessing their compliance responsibilities for data collected from website visitors who are seeking or receiving care or health benefits and those who are not.

In addition, not all uses of tracking technologies collect individually identifiable information or data that meets the definition of PHI. The bulletin does not directly address a compliance exception for tracking technologies that receive, collect, or access only deidentified data (e.g., information that does not include the identifiers listed in 45 C.F.R. § 164.514(b)(2)). Note that even if the tracking technology vendor deidentifies data it receives before further processing or disclosing such data, the vendor would still be required to fulfill responsibilities under HIPAA because, according to the bulletin, the tracking vendor would receive PHI prior to deidentification. In these circumstances, the regulated entity would need to take steps to evaluate whether the vendor is a business associate and, if so, enter into a BAA, obtain an individual’s HIPAA-compliant authorization, or, if neither a BAA nor authorization is possible, cease or modify use of the tracking technology.

Risks and Considerations beyond HIPAA

Beyond HIPAA, there are other privacy and legal considerations to take into account when deploying and using tracking technologies:

  • Several states have enacted consumer privacy laws (e.g., the California Consumer Protection Act and the Virginia Consumer Data Protection Act) that give their residents privacy rights over their personal information, which can be defined to include unique identifiers such as IP addresses and geographic location. Regulated entities and tracking technology vendors are required to comply with the applicable laws of each state when collecting personal information using tracking technologies.
  • The FTC seeks to protect consumers from “unfair or deceptive acts or practices in or affecting commerce.” Regulated entities and tracking technology vendors might evaluate whether they are adequately stating their use of tracking technologies in the website or mobile app’s privacy policy and assess whether the terms of their privacy policy are consistent with the practices in their day-to-day operations. On the topic of tracking technologies, the FTC issued a staff report in 2009 titled “Self-Regulatory Principles for Online Behavioral Advertising” and published guidance for consumers on how to protect themselves from online tracking. The FTC also issued guidance in 2017 on cross-device tracking.
  • For regulated entities with a presence in or patients from the European Union, the General Data Protection Regulation (GDPR) imposes extensive protections for the personal data of European Union data subjects, including consent requirements before using cookies. In addition, the ePrivacy Directive regulates the use of cookies and trackers that process personal data.

Recommendations for Assessing and Remedying Non-Compliance

OCR’s bulletin outlines several steps regulated entities can take to address privacy and security compliance risks associated with tracking technologies. As regulated entities develop risk mitigation plans to address HIPAA compliance gaps related to their use of tracking technologies, they might consider the following:

  • Review websites, web apps, and mobile apps to create a data map of which webpages and apps collect IIHI and the categories of data being collected. Examine unauthenticated webpages in particular to understand what information is presented to users and what users are able to do on such webpages. For example, does a webpage address specific health conditions and encourage or permit individuals to seek care for such conditions (such as by identifying doctors or appointment availability)? Under the bulletin, OCR might consider information collected by tracking technologies on such webpages (including an individual’s IP address and email address) to be PHI that is protected by the HIPAA Rules.
  • Inventory both (1) tracking technologies in use on websites and apps and (2) the vendors providing such technologies and determine the categories of data collected by tracking technology vendors, including from whom data is collected, when the collection occurs, and whether and how data is further disclosed. Investigate vendors that offer services and tools to review what tracking tools are present on websites and apps. Evaluate whether some data processing activities by tracking technology vendors may be outside the scope of the HIPAA Rules, whether due to the purpose and content of the webpage, the placement of the tracking technology on a particular area, page or functionality on a website or app, or the specific data collected by the tracking technology.
  • Review website or app privacy policies and terms of use to assess whether the terms appropriately account for the use of tracking technologies by the regulated entity (including business associates, as applicable) and acknowledge that PHI may be disclosed to and used by tracking technology vendors.
  • Evaluate whether disclosures of PHI to tracking technology vendors are permitted by and consistent with the HIPAA Rules (i.e., disclosures occur for a permissible purpose, only the minimum necessary PHI to achieve the intended purpose is disclosed, etc.).
  • Investigate whether any existing business associates are utilizing tracking technologies that implicate PHI and if they are impermissibly sharing PHI through their use of tracking technologies.
  • Analyze agreements with tracking technology vendors to determine whether vendors meeting the definition of a business associate have entered into a business associate agreement with the regulated entity. Business associate agreements should include the required elements outlined in the HIPAA Rules.
  • Where a business associate relationship does not exist with a tracking technology vendor but the tracking technology is configured to collect PHI, develop a strategy to obtain individuals’ authorizations before disclosing PHI to the vendor. If it is infeasible to obtain HIPAA-compliant authorizations from individuals, limit the data collected by the tracking technology or end the use of the tracking technology on affected areas or functionalities of the website or apps.
  • Assess the use of online tracking technologies as a part of the entity’s privacy and security risk analysis and risk management processes and implement appropriate safeguards in accordance with the HIPAA Rules, where applicable. Implement a process with information technology teams and website/app managers to review new tools or vendors before they are implemented.
  • Audit tracking technology vendors’ access to and use of confidential and individually identifiable data, including PHI. For any non-compliance identified, identify and implement mitigation steps and evaluate whether it is necessary to provide breach notifications to affected individuals and the OCR in accordance with the Breach Notification Rule.
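One way to start the data map and vendor inventory that the first two items above call for, given here as an added example that is not code from the article, from OCR, or from any vendor tool: a small Python script that parses page HTML, records every third-party script, iframe, and 1x1 image beacon a page loads, and flags the page categories the bulletin singles out (authenticated pages, the portal login page, condition-specific content, and appointment search). The clinic hostname (example-clinic.test), the vendor hostnames, the keyword list, and the page contents are all constructed for illustration.

```python
"""Tracker inventory and data map over a set of web pages (added example).

Scans constructed HTML for hypothetical pages on a fictional clinic site,
records third-party scripts, iframes and 1x1 pixel beacons per page, and
flags the page categories the OCR bulletin calls out. Every hostname,
path, keyword and page body below is constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the regulated entity's own hostname; any other host is third party.
FIRST_PARTY = "example-clinic.test"
# Assumption: a short keyword list standing in for a real condition taxonomy.
CONDITION_KEYWORDS = ("diabetes", "symptom", "treatment", "condition")


class TagCollector(HTMLParser):
    """Records external resource URLs, form actions and visible text."""

    def __init__(self):
        super().__init__()
        self.resources = []   # (tag, src, width, height)
        self.forms = []       # form action attributes
        self.text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe", "img") and a.get("src"):
            self.resources.append((tag, a["src"], a.get("width"), a.get("height")))
        elif tag == "form":
            self.forms.append(a.get("action", ""))

    def handle_data(self, data):
        self.text.append(data)


def third_party_host(url):
    """Return the hostname when the URL points off the first-party site, else None."""
    host = urlparse(url).hostname
    if host is None or host == FIRST_PARTY or host.endswith("." + FIRST_PARTY):
        return None
    return host


def inventory_page(path, authenticated, html):
    """Return the third-party hosts one page loads and the bulletin categories it hits."""
    parser = TagCollector()
    parser.feed(html)
    text = " ".join(parser.text).lower()

    hosts = set()
    for tag, src, width, height in parser.resources:
        host = third_party_host(src)
        # Any third-party script or iframe counts; an <img> only when it is a 1x1 pixel beacon.
        if host and (tag != "img" or (width == "1" and height == "1")):
            hosts.add(host)

    flags = []
    if authenticated:
        flags.append("authenticated")
    if "/login" in path or any("login" in action for action in parser.forms):
        flags.append("portal-login")
    if any(word in text for word in CONDITION_KEYWORDS):
        flags.append("condition-content")
    if "appointment" in text or any("appointment" in action for action in parser.forms):
        flags.append("appointment-search")

    return {
        "path": path,
        "third_party_hosts": sorted(hosts),
        "flags": flags,
        # A third-party tracker on a flagged page is the case the bulletin says to review for a BAA.
        "needs_hipaa_review": bool(hosts) and bool(flags),
    }


def build_data_map(pages):
    """pages: iterable of (path, authenticated, html). Returns one record per page."""
    return [inventory_page(path, auth, html) for path, auth, html in pages]


def vendor_inventory(records):
    """Invert the data map: third-party host -> sorted list of pages that load it."""
    out = {}
    for rec in records:
        for host in rec["third_party_hosts"]:
            out.setdefault(host, []).append(rec["path"])
    return {host: sorted(paths) for host, paths in out.items()}


# Constructed sample pages for the fictional clinic site.
SAMPLE_PAGES = [
    ("/", False, '<html><body><h1>Welcome to Example Clinic</h1><p>Quality care for the whole family.</p>'
     '<script src="https://cdn.example-clinic.test/app.js"></script>'
     '<script async src="https://tagmanager.vendor-a.test/tag.js?id=TM-0001"></script></body></html>'),
    ("/conditions/diabetes", False, '<html><body><h1>Managing diabetes</h1><p>Symptoms, treatment and when to see a doctor.</p>'
     '<a href="/find-a-doctor">Find a doctor</a>'
     '<img src="https://pixel.vendor-b.test/tr?id=123&amp;ev=PageView" width="1" height="1"></body></html>'),
    ("/portal/login", False, '<html><body><h1>Patient portal sign in</h1><form action="/portal/login">'
     '<input name="user"><input name="pass" type="password"></form>'
     '<script src="https://analytics.vendor-a.test/a.js"></script></body></html>'),
    ("/portal/appointments", True, '<html><body><h1>Your appointments</h1><p>Search available appointments with your care team.</p>'
     '<form action="/portal/appointments/search"><input name="q"></form>'
     '<script src="https://analytics.vendor-a.test/a.js"></script></body></html>'),
    ("/about", False, '<html><body><h1>About Example Clinic</h1><p>Our history and leadership.</p>'
     '<script src="https://analytics.vendor-a.test/a.js"></script></body></html>'),
]

if __name__ == "__main__":
    records = build_data_map(SAMPLE_PAGES)
    for rec in records:
        print(rec)
    print(vendor_inventory(records))
```

Running it yields one record per page and an inverted vendor view (which pages each third-party host appears on), which is the shape of evidence the data map and vendor inventory items ask for. Static HTML is a lower bound: tag managers and consent scripts inject further trackers at runtime, so a real review should also capture the network requests a rendered page makes, and the keyword list should be replaced with the organization's own classification of condition-specific and care-seeking pages.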

While a regulated entity’s use of tracking technologies does not constitute an automatic HIPAA violation, OCR’s bulletin highlights the importance of implementing a privacy and security impact assessment process for website changes and ongoing management. Healthcare compliance, legal, and privacy professionals should closely coordinate with marketing teams with the goal of using tracking technologies in a manner that balances consumer interests and operational benefits with risks to the organization and patients.

    Alya Sulaiman

    Partner, McDermott, Will, & Emery, Los Angeles, CA

    Alya Sulaiman (CIPP/US) is a partner at McDermott Will & Emery where she works with clients to navigate complex regulatory, privacy, and transactional matters, with a focus on digital health, data use strategy, and artificial intelligence/machine learning. She has substantial experience with product counseling and provides guidance during the conception, development, launch and support of new digital health products and services. Before joining McDermott, Ms. Sulaiman worked at the intersection of healthcare and technology as corporate counsel and the director of health policy and regulatory affairs for Epic, a global electronic health record software company. Earlier in her career, she counseled business operations for California’s statewide health information exchange, a multi-specialty healthcare provider, and a predictive analytics software company. The opinions and perspectives expressed within this article are those of the author and do not necessarily reflect the views of her employer, its clients, or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice. Alya can be reached at [email protected].

    Ty Kayam

    Principal Corporate Counsel, Microsoft, Seattle, WA

    Ty Kayam is principal corporate counsel for the Health & Life Sciences team at Microsoft, where she advises product, engineering, data science, and compliance teams on the development of artificial intelligence and other emerging technologies for the health and life sciences industries. She also advises on a range of health regulatory and policy issues at the intersection of health and technology, including matters related to HIPAA and health privacy, digital health, medical devices, and interoperability. Ms. Kayam previously worked at Surescripts, a large health information network, and began her career at a D.C.-based law firm in its healthcare practice group. She holds a master’s in public health from Tufts University and received her law degree from Northeastern University School of Law. All viewpoints and opinions shared within this article are her own and should not be associated with any organization with which she is affiliated. She can be reached at [email protected].

    The material in all ABA publications is copyrighted and may be reprinted by permission only.