The Department of Health and Human Services (HHS) has issued bulletin guidance addressing how the privacy, security, and breach notification requirements of the Health Insurance Portability and Accountability of 1996 (HIPAA) apply to tracking technologies. The guidance addresses various aspects of HIPAA compliance for covered entities in using tracking technologies.
HHS has issued bulletin guidance addressing how HIPAA covered entities (CEs) and business associates (BAs) can comply with HIPAA's privacy, security, and breach notification rules (collectively, HIPAA Rules)—and avoid HHS enforcement penalties—when using online tracking technologies (HHS bulletin (Dec. 1, 2022); press release). The guidance addresses:
The meaning of tracking technology.
How the HIPAA Rules apply to CEs' use of tracking technologies.
Tracking in the contexts of user-authenticated webpages, unauthenticated webpages, and within mobile apps.
The guidance generally provides that CEs:
May not impermissibly disclose protected health information (PHI) to tracking technology vendors (TTV).
Must ensure that they disclose PHI only as expressly permitted or required by the HIPAA Privacy Rule.
Except as expressly noted, references in this update to HIPAA CEs also include BAs.
As background, tracking technologies collect and analyze information about how users interact with CEs' websites or mobile apps. For example, a CE/health provider may hire a technology vendor to perform these analyses as part of the CE's health care operations. According to HHS, the HIPAA Rules apply when information that CEs collect through tracking technologies (or disclose to TTVs) includes PHI. HHS indicated that some disclosures by CEs of sensitive information to online TTVs may violate the HIPAA Rules. As a general rule, therefore, CEs may not use tracking technologies in a way that leads to impermissible disclosures of PHI to TTVs (or any other violations of the HIPAA Rules). For example, a CE may not disclose PHI to TTVs for marketing purposes without an individual's HIPAA-compliant authorization (see Standard Document, HIPAA Authorization to Use and Disclose PHI).
Besides violating the HIPAA Rules, HHS's guidance notes that unauthorized disclosures of an individual's PHI can lead to other negative consequences, including:
Identity theft or financial loss.
Stigma, mental anguish, or other damage to an individual's reputation, health, or physical safety.
Unauthorized disclosures can reveal highly sensitive information about an individual, such as:
Diagnoses.
The frequency of visits to a therapist or other health care professional.
Where an individual obtains medical treatment.
Tracking Technologies Defined and Common Uses
The guidance defines tracking technology as website/mobile app scripts or codes used to collect information about users as they interact with the website or app. After information is collected through tracking technologies from websites or apps, it is typically analyzed by the website's or app's owner (or by third parties) to create insights about users' online activities. In the health care context, this tracking information may help improve a patient's care or overall experience. If misused, however, the same information can lead to misinformation, identity theft, stalking, and harassment.
The guidance notes that some ways in which tracking technologies collect information and track users are not always apparent to the website or app user. For examples, websites often use tracking technologies (for example, cookies, web beacons, tracking pixels, session replay scripts, and fingerprinting scripts) to track and collect users' information. In addition, mobile apps often:
Embed tracking code in the app so that it can collect information provided by users.
Capture a user's mobile device-related information.
Create individual profiles about an app user (using unique identifiers such as device or advertising IDs).
Website or app owners may use tracking technologies developed internally or those developed by third parties (such as TTVs). TTV-developed tracking technologies:
Send information directly to the third parties that originally developed the technologies.
Can continue to track users and collect their information even after they navigate away from the original website to other websites.
HHS's guidance specifically addresses CEs' obligations under the HIPAA Rules in using third-party tracking technologies.
HIPAA Rules' Applicability to CEs' Use of Tracking Technologies
As HHS's guidance observes, CEs disclose various information to TTVs using tracking technologies placed on a CE's website or app. These disclosures can contain individually identifiable health information (IIHI) that an individual furnishes in using CEs' websites or mobile apps. Examples of IIHI include an individual's:
Medical record number.
Home or email address.
Dates of appointments.
IP address or geographic location.
Medical device IDs or other unique identifying code.
IIHI collected on a CE's website or app generally is PHI, even if:
The individual does not have an existing relationship with the CE.
The IIHI (for example, an IP address or geographic location) lacks detailed treatment or billing information (such as dates and types of health care services).
In HHS's view, this is the case because when a CE collects an individual's IIHI using its website or app, the information:
Connects the individual to the CE.
Reflects that the individual has received (or will receive) health services or benefits from the CE.
Therefore relates to the individual's past, present, or future health or health care or payment for care.
According to HHS, some CEs have user-authenticated webpages, which require users to log in to access the webpage (for example, health plan beneficiary portals or telehealth platforms). Tracking technologies on these CEs' user-authenticated webpages generally can access PHI in the form of (among other information) individuals':
IP addresses.
Medical record numbers.
Home or email addresses.
Dates of appointments.
Other identifying information that individuals provide in interacting with the webpage.
Some tracking technologies, HHS suggested in its guidance, can even access an individual's diagnosis, treatment, prescription, and billing information. As a result, CEs must:
Structure user-authenticated webpages with tracking technologies so that the technologies can only use and disclose PHI consistent with HIPAA's Privacy Rule.
Ensure that the electronic PHI (ePHI) obtained through its website is protected and secured consistent with HIPAA's Security Rule.
TTVs as HIPAA BAs
The guidance concludes that TTVs are BAs if they either:
Create, receive, maintain, or transmit PHI on a CE's behalf for a covered function under HIPAA (for example, health care or payment operations).
Provide services to or for a CE (or another BA) involving the disclosure of PHI.
Regarding TTV/BAs, CEs must:
Ensure that disclosures to these vendors are permitted under the Privacy Rule.
HHS also indicated in its guidance that some CEs have unauthenticated webpages (that is, webpages that users may access without logging in). One example of an unauthenticated webpage is a page containing general information concerning the CE (such as its location, services provided, or policies and procedures). Because tracking technologies on a CE's unauthenticated webpages usually do not offer access to individuals' PHI, a CE's use of such tracking technologies is not governed by the HIPAA Rules.
If, however, tracking technologies on unauthenticated webpages do have access to PHI, then the HIPAA Rules govern the CE's use of tracking technologies and disclosures to the TTVs. Examples of unauthenticated webpages where the HIPAA Rules apply include:
The login page of a CE's patient portal (which may be the website's homepage or a separate, dedicated login page).
A user registration webpage where an individual creates a login for the patient portal.
In most cases, such webpages are unauthenticated because the individual did not provide credentials to be able to navigate the webpages. However, if an individual enters credential information on the login webpage (or enters registration information—for example, a name or email address—on the registration page), such information is PHI. Therefore, if tracking technologies on a CE's patient portal login page or registration page collect an individual's login information or registration information, that information is HIPAA-protected PHI.
Tracking on Mobile Apps
HHS believes that mobile apps offered to individuals by some CEs (for example, to manage individuals' health information or pay bills) collect extensive information that is:
Provided by the app user (such as information typed or uploaded into the app).
Furnished by the app user's device (for example, fingerprints, network location, geolocation, and device or advertising IDs).
According to HHS, this information, when collected by a CE's app, is PHI. It follows that CEs must satisfy the HIPAA Rules for any PHI that the mobile app uses or discloses—including down-the-chain disclosures to app vendors, TTVs, and other third parties that receive the information. For example, the HIPAA Rules govern PHI collected by a CE/health clinic from the clinic's app used by patients to track health-related variables associated with pregnancy (such as menstrual cycle or contraceptive prescription information).
By contrast, the HIPAA Rules do not apply to information that individuals voluntarily download or enter into apps that are not developed/offered by (or on behalf) of CEs. This is the rule regardless of where the information comes from.
HIPAA Compliance Requirements for Tracking Technologies
CEs must comply with the HIPAA Rules when using tracking technologies. The following sections include examples of the HIPAA privacy, security, and breach notification requirements with which CEs must comply in using tracking technologies to access PHI.
Privacy Rule Compliance
CEs must ensure that:
Disclosures of PHI to TTVs are specifically permitted under the Privacy Rule.
Some CEs may specify the permitted uses of tracking technologies in their website or app's privacy policy, notice, or terms and conditions of use. However, HHS takes the view in its guidance that CEs are not allowed, under the Privacy Rule, to disclose an individual's PHI based solely on statements in such privacy policies, notices, or terms and conditions informing individuals that the CE intends to disclose the individuals' PHI to TTVs. Rather, the CE can only make these disclosures if the vendor has signed a compliant BAA and there is an applicable permission. If there is not a Privacy Rule permission or if the vendor is not the CE's BA, then the CE must obtain an individual's HIPAA-compliant authorization before PHI is disclosed to the vendor. The guidance notes that website banners asking users to accept or reject a website's use of tracking technologies (such as cookies) are not a valid HIPAA authorization.
According to HHS, a TTV also cannot simply agree to either:
Remove PHI from the information it receives.
De-identify the PHI before the vendor saves the information.
BAA Requirements for TTVs That Are HIPAA BAs
The guidance instructs CEs to review their relationships with TTVs to:
Ensure that disclosures to the vendor comply with the Privacy Rule.
Notably, a TTV that meets the Privacy Rule's BA definition is a BA even if a required BAA has not been executed (see Standard Document, Business Associate Agreement). Among other requirements, a compliant BAA must:
Specify the vendor's permitted and required uses and disclosures of PHI.
CEs must provide breach notification to HHS, affected individuals, and (if applicable) the media regarding impermissible disclosures of PHI to a TTV that compromises the security or privacy of PHI. (This assumes there is no Privacy Rule requirement or permission to disclose PHI and a BAA was not executed with the vendor.) In these situations, a presumption exists that there has been a breach of unsecured PHI unless the CE can show that there is a low probability that the PHI was compromised (see Practice Note, HIPAA Breach Notification Rules).
Practical Impact
HHS's guidance and related press release do not expressly reference the Supreme Court's recent Dobbs ruling reversing recognition of a right to abortion under the federal Constitution (Dobbs v. Jackson Women's Health Org., 142 S. Ct. 2228 (2022); see Abortion and Contraceptives Services for Group Health Plans Toolkit). As noted above, however, the guidance does apply to tracking technologies that are part of mobile apps—and directly cites the example of PHI collected by health clinics for tracking pregnancy-related variables. As a result, it is possible that the agency's guidance also could apply to PHI regarding abortion-related coverage and services collected through webpages and mobile apps.