On December 1, 2022, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) published a bulletin warning that commonly used website technologies, including cookies, pixels, and session replay, may result in the impermissible disclosure of Protected Health Information (“PHI”) to third parties in violation of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The bulletin advises that “[r]egulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of Protected Health Information (“PHI”) to tracking technology vendors or any other violations of the HIPAA Rules.” The bulletin is issued amidst a wider national and international privacy landscape that is increasingly focused on regulating the collection and use of personal information through web-based technologies and software that may not be readily apparent to the user.
Tracking technology takes different forms but is frequently code on a website that gathers information about users from their web visit and can then transmit such information to a third party. Examples include third party cookies, web beacons or tracking pixels, and session replay software. These technologies generally operate in the background of a web session and may collect information automatically as the user visits a website. Website operators use these technologies to gather information for a variety of purposes, including to improve website operations and user experience. The proliferation of website tracking technology and targeted advertising is nothing new and several states (California, Virginia, Colorado, Connecticut, and Utah) have passed laws designed to provide privacy rights to individuals in connection with the collection and use of their online personal information, including for purposes of targeted advertising. While HIPAA covered entities and business associates are generally excluded from these state privacy laws through statutory carve-outs when they collect PHI, HHS has now affirmed that HIPAA’s privacy protections apply with equal force to websites and emerging tracking technologies where PHI is involved.
In the bulletin, HHS addresses in the first instance user-authenticated webpages run by HIPAA covered entities and business associates. These webpages require a user to log in, such as to gain access to a patient health portal or telehealth platform. According to HHS, when tracking technology is active on user-authenticated webpages, it will likely result in collection of PHI. The web user will likely be providing or accessing medical record numbers, dates of appointments, home and email addresses, and other identifying information all of which may be picked up by tracking technology on the website. HHS advises that “a regulated entity must configure any user-authenticated webpages that include tracking technologies to allow such technologies to only use and disclose PHI in compliance with the HIPAA Privacy Rule and must ensure that the electronic protected health information (ePHI) collected through its website is protected and secured in accordance with the HIPAA Security Rule.”
Importantly, HHS further notes that while access to PHI is “generally not” provided on unauthenticated webpages (e.g., those pages containing general information about the regulated entity such as location, or services they provide), there may be instances when tracking technologies on unauthenticated webpages may still collect PHI depending on the types of information accessible on the page. According to HHS, unauthenticated webpages (i.e., those web pages accessible without a login) that may still pick up PHI include those that “address specific symptoms or health conditions, such as pregnancy or miscarriage, or that permits individuals to search for doctors or schedule appointments without entering credentials may have access to PHI in certain circumstances.” According to HHS, even if the user is not accessing their own medical records, information identifying the visitor may be pieced together through an IP or email address or other identifying data and coupled with the information searched for (e.g., available doctor appointments) and sent to the third party provider. HHS is apparently concerned that that these searches could potentially reveal the particular medical condition of the individual (among other things).
HHS notes that mobile apps offered by covered entities may also collect PHI, but points out that the HIPAA rules do not protect the privacy and security of information that “users voluntarily download or enter into mobile apps that are not developed or offered by or on behalf of regulated entities.” HHS notes, however, in reference to the wider privacy landscape, that the Federal Trade Commission (FTC) Act and the FTC’s Health Breach Notification Rule (HBNR) may apply in instances where a mobile health app impermissibly discloses a user’s health information.
To comply with HIPAA, covered entities may need to enter into business associate agreements (“BAA”) with their third party tracking website vendors where permissible under HIPAA. HHS advises that “tracking technology vendors are business associates if they create, receive, maintain, or transmit PHI on behalf of a regulated entity for a covered function (e.g., health care operations) or provide certain services to or for a covered entity (or another business associate) that involve the disclosure of PHI.” If there is no applicable HIPAA Privacy Rule permission, and if the third party vendor is not a business associate, then it is likely that “HIPAA-compliant authorizations are required before the PHI is disclosed to the vendor.” Predictably, HHS states that website cookie banners “do not constitute a valid HIPAA authorization.” Furthermore, HHS states that a vendor’s de-identification of PHI after it is received by the vendor will not prevent a HIPAA violation because the violation occurs in the initial disclosure.
HHS advises that regulated entities must address the use of tracking technologies in their risk analysis and must implement administrative, physical, and technical safeguards in accordance with the Security Rule. This may include encrypting ePHI that is transmitted to the tracking technology vendor; and enabling and using appropriate authentication, access, encryption, and audit controls when accessing ePHI maintained in the tracking technology vendor’s infrastructure.
In light of this bulletin, covered entities and business associates should immediately review their websites and patient facing applications, uses and purposes of any tracking technology imbedded therein, agreements and BAAs with third party vendors, and data privacy policies, practices and consents, including their web facing disclosures, to determine what additional steps might need to be taken to remain or become HIPAA complaint.