HIPAA and online tracking has become an important topic. On March 18, 2024, the HHS Office for Civil Rights (OCR) revised its guidance, “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” The guidance reminds regulated entities and the public that the use of online tracking technologies is subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules (“HIPAA Rules”). Online tracking technologies, such as Google Analytics or Meta Pixel, collect and analyze information about how users interact with a regulated entity’s website or mobile application.

OCR reminded regulated entities that they may use online tracking technologies provided they comply with their obligations under the HIPAA Rules. The HIPAA Rules apply when the information that a regulated entity collects through tracking technologies, or discloses to tracking technology vendors, includes electronic protected health information (ePHI). Regulated entities may not use tracking technologies in a manner that results in impermissible disclosures of ePHI to tracking technology vendors or in any other violation of the HIPAA Rules.

The bulletin provides a general overview of how the HIPAA Rules apply to covered entities’ and business associates’ use of tracking technologies.

What is Tracking Technology?

Tracking technology is a script or code on a website or mobile app that collects information about users and how they interact with the site or app. Although this information may be used to improve the care of users, there is also a danger that it could be misused to promote misinformation, identity theft, stalking, and harassment.

Websites commonly use cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts to track users and collect information about them. Mobile apps may include embedded tracking code that lets the app collect information the user provides directly, and apps may also capture information about the user’s mobile device.


HIPAA Rules Application to Tracking

The information disclosed to a vendor can include an individual’s medical record number, home or email address, or appointment dates, as well as the individual’s IP address, geographic location, device ID, or any other unique identifying code. Health information that identifies the individual (or could reasonably be used to identify them) and relates to the individual’s past, present, or future health, health care, or payment for health care is individually identifiable health information (IIHI), and IIHI that a regulated entity maintains or transmits is PHI. An identifier collected on a regulated entity’s website or app generally connects the individual to the entity and indicates that they have received or will receive care there, so in many cases the disclosed information is PHI and the HIPAA Privacy Rule applies.

Tracking on User-Authenticated Webpages

A regulated entity must configure any user-authenticated webpage that includes tracking technologies to allow such technologies to only use and disclose PHI in compliance with the HIPAA Privacy Rule.  It must also ensure that any electronic protected health information (ePHI) collected through its website is protected and secured in accordance with the HIPAA Security Rule.

A critical point to remember is that a tracking technology vendor that creates, receives, maintains, or transmits PHI on behalf of a regulated entity is a business associate. The regulated entity must enter into a business associate agreement (BAA) with such a vendor, and the BAA alone does not make every disclosure permissible: the disclosure must also be for a purpose the Privacy Rule allows, and a website banner asking users to accept cookies is not a valid HIPAA authorization. If a vendor will not sign a BAA, the entity must obtain the individual’s HIPAA-compliant authorization before disclosing PHI to it, or not use that vendor.
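Before any BAA discussion, a practitioner first needs to know what the tracking scripts on an authenticated page are actually sending out. The script below is an added example, not code from OCR or from the original post: it audits a set of captured outbound requests (constructed here inline; a real run would read them from a HAR export or a proxy log) for requests to known tracker hosts that carry PHI-like identifiers, either as named parameters or hidden inside values such as the page URL that pixels forward. The tracker host list, the parameter names, and the sample URLs are all assumptions for illustration.

```python
"""Audit captured browser requests from an authenticated patient page for
disclosures of PHI-like data to third-party tracking vendors.

Added example, not part of the OCR guidance or the original post. The
tracker host list, parameter names and the sample requests below are
constructed assumptions; a real audit would use the organisation's own
inventory of approved vendors and identifiers.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qsl, urlsplit

# Hosts assumed to belong to tracking vendors (constructed, not exhaustive).
TRACKER_HOSTS = {
    "www.google-analytics.com",
    "analytics.google.com",
    "www.facebook.com",  # Meta Pixel sends hits to /tr on this host
    "connect.facebook.net",
}

# Query parameter names that would carry identifiers the bulletin lists
# (medical record number, email, appointment dates, geolocation).
# These names are assumptions about a hypothetical patient portal.
PHI_PARAM_NAMES = {"mrn", "email", "appt_date", "appointment", "lat", "lon"}

# Patterns that look like PHI even inside otherwise innocuous fields such as
# the page URL or title that pixels commonly forward as a parameter value.
PHI_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "mrn": re.compile(r"\bMRN[-_ ]?\d{6,}\b", re.I),
    "appointment_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}


def is_tracker(url: str) -> bool:
    """True if the request goes to a host in the tracker inventory."""
    host = urlsplit(url).hostname or ""
    return host.lower() in TRACKER_HOSTS


def find_phi(url: str) -> list[str]:
    """Return labels of PHI-like data found in a tracking request URL.

    Checks both parameter names (mrn=, email=) and parameter values, because
    pixels often forward the full page URL or title as a value; a PHI-bearing
    query string on the portal page then leaks through that value.
    """
    findings: list[str] = []
    query = urlsplit(url).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() in PHI_PARAM_NAMES and value:
            findings.append(f"param:{name}")
        for label, pattern in PHI_PATTERNS.items():
            if pattern.search(value):
                findings.append(f"value:{label}:{name}")
    return findings


def audit(requests: list[str]) -> list[tuple[str, list[str]]]:
    """Return (url, findings) for every tracker request that carries PHI."""
    report = []
    for url in requests:
        if not is_tracker(url):
            continue  # first-party requests are out of scope here
        hits = find_phi(url)
        if hits:
            report.append((url, hits))
    return report


# Constructed sample capture from a hypothetical appointment-confirmation page.
SAMPLE_REQUESTS = [
    # First-party page load: not sent to a vendor, so not a disclosure.
    "https://portal.example-hospital.test/appointments?mrn=MRN-1234567",
    # Analytics hit forwarding the page URL (dl) and title (dt) to the vendor.
    "https://www.google-analytics.com/g/collect?v=2&tid=G-XXXX"
    "&dl=https%3A%2F%2Fportal.example-hospital.test%2Fappointments"
    "%3Fmrn%3DMRN-1234567%26date%3D2024-05-02&dt=Appointment%20confirmed",
    # Analytics hit from a public page: no identifiers, no finding.
    "https://www.google-analytics.com/g/collect?v=2&tid=G-XXXX"
    "&dl=https%3A%2F%2Fwww.example-hospital.test%2Fvisiting-hours"
    "&dt=Visiting%20hours",
    # Pixel hit carrying the patient's email address directly.
    "https://www.facebook.com/tr?id=123&ev=PageView&email=jane%40example.test",
    # Static asset from the entity's own CDN.
    "https://cdn.example-hospital.test/app.js",
]

if __name__ == "__main__":
    for url, hits in audit(SAMPLE_REQUESTS):
        print(url)
        for hit in hits:
            print("   ", hit)
```

Two of the five sample requests are flagged: the analytics hit, because the forwarded page URL contains a medical record number and an appointment date, and the pixel hit, because it names an email parameter outright. The benign analytics hit from the public visiting-hours page produces no finding, which is the distinction the guidance draws between authenticated and unauthenticated pages.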


Tracking on Unauthenticated Webpages

Regulated entities also have unauthenticated webpages, meaning pages that do not require users to log in before they can access them, such as pages with general information about the entity’s location, visiting hours, or employment opportunities. Tracking on these pages generally does not involve PHI, but in some cases it does, for example a login or patient-registration page where the user enters credentials or registration details that the tracking code can read. Regulated entities that use tracking technologies on unauthenticated pages must therefore consider whether any PHI will be collected or disclosed to the vendor and take appropriate steps to apply the HIPAA Rules.

Tracking Within Mobile Apps 

Mobile apps offered by or on behalf of regulated entities let individuals manage their health information and pay bills. They collect information the user provides directly as well as information from the user’s device, such as device fingerprints, network location, geolocation, device ID, or advertising ID. When the app is offered by or on behalf of a regulated entity, this information is generally PHI and must be protected in accordance with the HIPAA Rules.

The HIPAA Rules do not, however, protect the privacy and security of information that users voluntarily download or enter into mobile apps that are not developed or offered by or on behalf of a regulated entity, regardless of where the information originally came from (for example, records a patient downloads from a hospital portal into a third-party app).

Even where HIPAA does not apply, the Federal Trade Commission (FTC) Act and the FTC’s Health Breach Notification Rule (HBNR) may apply when a mobile health app impermissibly discloses a user’s health information.


OCR’s Enforcement Priorities

OCR is prioritizing compliance with the HIPAA Security Rule as it relates to online tracking technologies. Its principal interest is ensuring that regulated entities have identified, assessed, and mitigated the risks to ePHI from tracking technologies as part of their risk analysis and risk management, and have implemented the Security Rule’s administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI.

HIPAA Associates covers this material and more in their HIPAA Training programs.

To view OCR’s updated guidance, click here.