Updated Guidance for Web Tracker Use and HIPAA Compliance

In December 2022, the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) issued a bulletin warning healthcare organizations that using web trackers on websites and apps could result in the acquisition of Protected Health Information (PHI) and HIPAA violations for covered entities. The bulletin made it clear that regulated entities cannot use tracking technologies that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules. Disclosures of PHI to tracking technology vendors for marketing purposes, without HIPAA-compliant authorizations, would constitute impermissible disclosures. Following the bulletin, some heavy hitters in the healthcare industry voiced concerns, and the American Hospital Association filed a lawsuit.

To help clarify the issue, HHS released updated guidance for web tracker use. The new guidance states the collection of IP address data of a user’s device when visiting a health-related website does not qualify as PHI if the website visit is not related to an individual’s past, present, or future health, healthcare, or payment for healthcare.

Web Tracker Obligations

The updated guidance provided the following examples of what is required to meet HIPAA requirements when using web tracking technology:

• Ensuring that all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule and that, unless an exception applies, only the minimum necessary PHI to achieve the intended purpose is disclosed.
  • Regulated entities may identify the use of tracking technologies in their website or mobile app’s privacy policy, notice, or terms and conditions of use. However, the Privacy Rule does not permit disclosures of PHI to a tracking technology vendor based solely on a regulated entity informing individuals in its privacy policy, notice, or terms and conditions of use that it plans to make such disclosures. Regulated entities must ensure that all tracking technology vendors have signed a BAA and that there is applicable permission before disclosure of PHI.
  • If there is not an applicable Privacy Rule permission or if the vendor is not a business associate of the regulated entity, then the individuals’ HIPAA-compliant authorizations are required before the PHI is disclosed to the vendor. Website banners that ask users to accept or reject a website’s use of tracking technologies, such as cookies, do not constitute a valid HIPAA authorization.
  • It is insufficient for a tracking technology vendor to agree to remove PHI from the information it receives or de-identify the PHI before the vendor saves the information. Any disclosure of PHI to the vendor without individuals’ authorization requires the vendor to have a signed BAA in place and requires that there is an applicable Privacy Rule permission for disclosure.

• Establishing a BAA with a tracking technology vendor that meets the definition of a “business associate.”
  • A regulated entity should evaluate its relationship with a tracking technology vendor to determine whether such vendor meets the definition of a business associate and ensure that the disclosures made to such vendor are permitted by the Privacy Rule. A tracking technology vendor is a business associate if it meets the definition of a business associate, regardless of whether the required BAA is in place. Moreover, signing an agreement containing the elements of a BAA does not make a tracking technology vendor a business associate if the tracking technology vendor does not meet the business associate definition.
  • The BAA must specify the vendor’s permitted and required uses and disclosures of PHI and provide that the vendor will safeguard the PHI and report any security incidents, including breaches of unsecured PHI, to the regulated entity, among other requirements.
  • If the chosen tracking technology vendor will not provide written satisfactory assurances in the form of a BAA that it will appropriately safeguard PHI, then the regulated entity can choose to establish a BAA with another vendor, for example, a Customer Data Platform vendor, that will enter into a BAA with the regulated entity to de-identify online tracking information that includes PHI and then subsequently disclose only de-identified information to tracking technology vendors that are unwilling to enter into a BAA with a regulated entity.
  • If a regulated entity does not want to create a business associate relationship with a vendor that meets the definition of a business associate, it cannot disclose PHI to such a vendor without an individual’s authorization.
  • If the regulated entity’s vendor does not agree to sign a business associate agreement because they are going to de-identify the data after receipt that does not meet the requirements the covered entity would have shared PHI with the vendor without the required agreement.

• Addressing the use of tracking technologies in the regulated entity’s Risk Analysis and Risk Management processes, as well as implementing other administrative, physical, and technical safeguards in accordance with the Security Rule (e.g., encrypting ePHI that is transmitted to the tracking technology vendor; enabling and using appropriate authentication, access, encryption, and audit controls when accessing ePHI maintained in the tracking technology vendor’s infrastructure) to protect the ePHI.

• Providing breach notification to affected individuals, the Secretary, and the media (when applicable) of an impermissible disclosure of PHI to a tracking technology vendor that compromises the security or privacy of PHI when there is no Privacy Rule requirement or permission to disclose PHI and there is no BAA with the vendor. In such instances, there is a presumption that there has been a breach of unsecured PHI unless the regulated entity can demonstrate that there is a low probability that the PHI has been compromised.

Enforcement Priorities

The OCR says HIPAA Security Rule compliance is a priority in investigations into the use of online tracking technologies. It is committed to ensuring that regulated entities have identified, assessed, and mitigated the risks to electronic Protected Health Information (ePHI) when using online tracking technologies and have implemented the Security Rule requirements to ensure the confidentiality, integrity, and availability of ePHI.

CompliancePoint has a team of experienced healthcare, privacy, and cybersecurity professionals that can help any organization achieve and maintain HIPAA compliance. Contact us at connect@compliancepoint.com to learn more about our services.