OCR Issues Online Tracking Technology Guidance for HIPAA Covered Entities and Business Associates

The US Department of Health and Human Services Office for Civil Rights (OCR) published guidance on the use of online tracking technologies by entities operating as covered entities and business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The guidance is relevant to all HIPAA-regulated entities that maintain websites and mobile apps.

Tracking technologies are used to collect and analyze information about how users interact with websites or mobile applications. The guidance broadly defines tracking technology as “a script or code on a website or mobile app used to gather information about users as they interact with the website or mobile app” that is then “analyzed by owners of the website or mobile app … or third parties, to create insights about users’ online activities.” [1]

Examples of tracking technologies include cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts. The guidance notes that the use of tracking technologies may not be readily apparent to the user.

The guidance generally states that all “individually identifiable health information” collected on a covered entity’s or business associate’s website or mobile app is protected health information (PHI) because when the user’s information is collected, the information connects the user to the covered entity or business associate and relates to the user’s treatment or payment for care. The guidance specifies that this is true even when the user does not have an existing relationship with the entity and even if the information does not include treatment or billing information.

The guidance states that, “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.” The OCR distinguishes between personal information collected through tracking technologies in connection with user-authenticated webpages and unauthenticated webpages. A user-authenticated webpage requires a user to log in before they can access the page, such as a health plan beneficiary portal or telehealth platform. Personal information collected through a cookie or pixel on a user-authenticated webpage is considered PHI because it is directly associated with a covered entity.

Therefore, any disclosure of PHI collected through such a tracking technology, including disclosures to the tracking technology vendor, must comply with HIPAA. A tracking technology vendor thatreceives PHI collected from a user-authenticated webpage must generally enter into a business associate agreement with the covered entity.

Unauthenticated webpages are webpages that do not require users to log in before they are able to access the webpage, such as a webpage with general information about the regulated entity (e.g., the homepage of a hospital or health plan website). Unauthenticated webpages generally do not have access to PHI and are not subject to the HIPAA rules. However, if an unauthenticated webpage enables users to enter registration information or other PHI, then HIPAA rules apply.

The guidance stresses, “because of the proliferation of tracking technologies collecting sensitive information, now more than ever, it is critical for regulated entities to ensure that they disclose PHI only as expressly permitted or required by the HIPAA Privacy Rule.”

If a HIPAA-regulated entity uses tracking technology, the guidance indicates that it should take the following into consideration:

• Ensure that all disclosures of PHI to tracking technology vendors are specifically permitted by the HIPAA Privacy Rule and that, unless an exception applies, only the minimum necessary PHI is disclosed.
• Enter into a HIPAA business associate agreement with a technology tracking vendor that acts as a business associate.
• If disclosure is not permitted under a HIPAA Privacy Rule exception or if the vendor is not a business associate, then obtain the user’s HIPAA authorization before disclosing PHI to the technology tracking vendor.
• Factor the use of tracking technologies into the entity’s security risk analysis and risk management plan and processes.
• Implement administrative, physical, and technical safeguard to protect PHI as required by the HIPAA Security Rule.
• Enable and use appropriate authentication, access, encryption, and audit controls when accessing PHI maintained in the tracking technology vendor's infrastructure.
• Provide breach notification to affected users, the OCR, and the media, as applicable, of an impermissible disclosure of PHI to a tracking technology vendor.

The guidance also notes that no matter the type of tracking technology used, in most cases, privacy policies, notices, terms and conditions, and website banners that simply describe or ask users to accept or reject the use of tracking technologies do not constitute a valid HIPAA authorization.

The US Federal Trade Commission’s (FTC’s) March 2, 2023 proposed order with BetterHelp Inc., a provider of online counseling services, also focused on the disclosure of personal health information with social media platforms through online tracking technologies, although that enforcement action did not arise under HIPAA. In response to a series of recent court cases, regulatory actions and guidance with respect to the use of online tracking technologies, some cyberliability insurance carriers have begun to submit questionnaires to HIPAA covered entity insureds regarding their use cookies and pixels.

HIPAA covered entities and business associates alike should review the new guidance, and, if they have not yet already, initiate a dialogue between their website and app developers and their privacy compliance team to evaluate the entities’ current use of online tracking technologies.