Key Takeaway: Organizations must conduct a fact-based analysis to determine whether health data collection and tracking technology deployed on their websites and mobile apps complies with the federal Health Insurance Portability and Accountability Act (“HIPAA”) and other applicable laws and guidance.
Cookies, web beacons, and similar technology are used to collect and analyze data about how users, browsers and devices interact with websites and mobile apps across the Internet (“Tracking Technology”). Tracking Technology is the subject of numerous regulatory actions, including by regulators in the European Union and California, and through private lawsuits (also in the EU and U.S.). These actions and complaints typically focus on the lack of transparency about how Tracking Technology collect data about individuals as they traverse the Internet and the lack of individual choice about how that data is shared with third parties and used to build profiles for targeted advertising. On December 1, 2022, another regulator joined the fray: the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”). OCR, the primary enforcement authority for the federal Health Insurance Affordability and Accountably Acy (“HIPAA”), published a Bulletin cautioning HIPAA-regulated entities that their use of Tracking Technology may result in disclosures and uses of protected health information (“PHI”) that violate HIPAA.
Many U.S. consumers mistakenly believe that all of their heath information—including heath information collected by online tracking technology—is protected by HIPAA. HIPAA’s requirements, however, apply only to “covered entities” (i.e., health plans, most health care providers and health care clearinghouses) and “business associates” (i.e., the service providers and other third parties that support covered entities) that receive or create individually-identifiable health information (“IIHI”) and that engage in certain covered transactions (e.g., referrals and authorizations, coordination of benefits, etc.). IIHI becomes PHI in the hands of covered entities and business associates but that same information is not PHI when in the hands of any other organization or when used for purposes not related to treatment, or health-related payment or operations. OCR’s Bulletin helps to fill that gap but, in doing so, adds some new operational challenges for HIPAA-regulated entities.
The Bulletin states that the IIHI collected by Tracking Technology running on a website or mobile app operated by a covered entity or business associate “generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the IIHI, such as IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services.” The Bulletin states that this IIHI is PHI because it “connects the individual to the regulated entity” and is “indicative that the individual has received or will receive health care services or benefits from the covered entity”.
The Bulletin then lays out three Tracking Technology use cases that illustrate its position: (1) use on user-authenticated webpages, i.e., “webpages that users can access only after they log in to the webpage, such as by entering a unique user ID and password or other credentials”; (2) use on unauthenticated webpages, which are “webpages that are publicly accessible without first requiring a user to log in to such webpage”; and (3) use with mobile apps “offered to individuals by regulated entities to allow the individuals to, for example, find providers, access or manage their health information or health care, or pay bills”. (See Bulletin Footnotes 11, 12 and 13, respectively.)
The Bulletin’s second use case (Tracking Technology used on unauthenticated webpages) presents the most difficult operational challenge. Many of these HIPAA-regulated entities have historically operated on the basis that information collected from unknown visitors to their websites is not PHI because the regulated entity cannot necessarily link it to identified or identifiable individual or even if the individual is identifiable, to the provision health care services to that individual.
According to the Bulletin’s second use case, however, data collected during a search of a provider directory on a public webpage – such as “an individual’s email address and/or IP address when the individual visits a regulated entity’s webpage to search for available appointments with a health care provider” – is a disclosure of PHI when third-party Tracking Technology is used on the website. Because the disclosure of PHI to the Tracking Technology vendor is outside the scope of treatment, payment or health care operations, a valid HIPAA authorization is required. Obtaining a HIPAA authorization prior to allowing access to an unauthenticated webpage is, however, often impractical; for example, an individual likely would not view its provider name search as the provision of health care and accordingly may be disinclined to grant a HIPAA authorization until selecting a provider and scheduling an appointment.
Considered in the context of other concerns about protection of health information expressed by other regulators, OCR’s position is not particularly surprising. Over the summer, the Federal Trade Commission wrote about what the data collected from wearable fitness devices can reveal about personal reproductive health choices, creating “a new frontier of potential harms to consumers” particularly in the Post-Roe era. Earlier in December, the FTC updated its interactive tool intended to help businesses creating and marketing mobile health apps to determine which federal privacy and security laws apply and also updated its best practices guidance for developers of mobile health apps. The California Attorney General’s settlement agreement with health app, Glow, Inc. followed an investigation in which Glow was alleged to have violated California consumer and health privacy laws by failing to preserve the confidentiality of medical information, including by disclosing app users’ health-related information without first obtaining the user’s authorization.
Health information tracking is also the subject of class action lawsuits brought under state consumer protection laws. On June 16, 2022, nonprofit newsroom, The Markup, published the findings of its investigation of Tracking Technology usage by America’s Top 100 Hospitals, which indicated that at least 33 out of the 100 Top Hospitals embedded Tracking Technology on their website and mobile apps, primarily in their scheduling pages and patient portals. The following day, Doe v. Meta Platforms, Inc. alleged that Meta, in collaboration with covered entities, knowingly received patient data via deployment of the Facebook Pixel on various covered entities’ patient portals used by patients to communicate with healthcare providers, and that data was subsequently used for advertising purposes without appropriate consent or authorization. Subsequently, several other complaints were filed against covered entities, alleging misuse of the Facebook Pixel, including Smidga v. Meta Platforms, Inc. (August 25, 2022); Kurowski v. Rush System for Health d/b/a Rush University System for Health (September 30, 2022); Krackenberger v. Northwestern Memorial Hospital et al. (October 13, 2022); and In re Advocate Aurora Health Pixel Litigation (November 29, 2022).
Whether Tracking Technology collects and discloses PHI in violation of HIPAA or consumer protection laws requires a fact-based analysis.
Document all Tracking Technology used for websites and mobile apps handling health information. Document the vendor of the Tracking Technology, the categories of data collected, from whom the data are collected, where on the website or mobile app the collection occurs, whether and how the data are shared and whether the data collected and shared includes PHI within the scope of the Bulletin’s requirements.
Execute a business associate agreement (“BAA”) with Tracking Technology vendors. Whether a vendor is the business associate of a covered entity does not depend on the existence of a BAA between the parties or whether the covered entity perceives a vendor to be its business associate. HIPAA enumerates functions that qualifies a vendor as a business associate, including providing data analysis services. In the Bulletin, OCR explained that when a Tracking Technology vendor is a covered entity’s business associate, a valid HIPAA authorization is not required. Accordingly, a BAA helps demonstrate the Tracking Technology vendor is allowed to use and disclose PHI to the extent permitted by HIPAA.
 45 C.F.R. § 164.508
 45 C.F.R. 160.103