Covered entities are used to ensuring that many different facets of their operations comply with Health Insurance Portability and Accountability Act (HIPAA) rules. Among other things, covered entities must ensure that they provide individuals with access to protected health information (PHI) in accordance with HIPAA, that they obtain authorization for the use and disclosure of PHI when necessary, that they maintain PHI securely, and that they timely and appropriately report breaches of PHI.
But recently, a new area of HIPAA compliance has come into prominence: ensuring that the use of tracking technologies on covered entity websites does not result in the improper disclosure of PHI to technology vendors. As summarized below, it is critical for HIPAA covered entities to evaluate their website’s tracking features, determine what data is collected and with whom it is shared (if anyone), consult with legal counsel to determine if HIPAA obligations are triggered, and develop countermeasures or containment strategies where necessary.
Tracking Technologies 101
Tracking technologies are used to gather information about how a user of a website or a mobile app interacts with such website or app. Common third-party tracking technologies are offered by various Internet, social media and ad tech companies. In the case of such technologies, code from a third party may be incorporated into a site, and such code may allow data about the website visitor’s usage to be transmitted to the third party. In some cases, depending on what technology is deployed and how, the data collected can be detailed, including information such as mouse movements (often referred to as session replay technology). Certain data that may be available can be used to generate important insights as to who is using the site and what the site is being used for.
A website operator has to agree to permit the use of tracking technologies on a particular site. But website operators may nevertheless be unaware of all the trackers being used on their sites, as in some cases, “piggybacking” trackers can be incorporated into the code deployed by a particular vendor.
HIPAA and Tracking Technologies
HIPAA does not prohibit outright covered entities from using tracking technologies, and such technologies are frequently used by hospitals and other covered entities to operate their websites, to guide visitors around their websites and to gain insights on the use of their websites to make improvements. However, HIPAA may limit how data may be disclosed from the covered entity website to social media companies or ad tech companies providing services to covered entities.
Critically, information disclosed by tracking technologies can be PHI in some cases. In December guidance, the Department of Health and Human Services Office of Civil Rights (OCR) offered its interpretation as to when such data constitutes PHI. Generally speaking, PHI subject to HIPAA is (1) individually identifiable data (2) collected by or on behalf of a HIPAA covered entity (3) that relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual. In the guidance, OCR asserts that data disclosed by tracking technologies from a covered entity website can meet all three of these tests. Even in cases where the disclosure to the third-party technology vendor does not include direct identifiers like names or email addresses, OCR notes that data can be identifiable even if it includes information such as an IP address or the geographic location of the user. And some data on covered entity websites—particularly patient portal pages or authenticated pages—may contain information related to an individual’s health condition and past health care.
Notably, OCR asserts that PHI is not limited to information maintained on user-authenticated pages of a covered entity’s website, such as a patient portal. Instead, the agency maintains that unauthenticated pages that do not require a login nevertheless may sometimes generate PHI. For instance, OCR says a covered entity discloses PHI to a technology vendor if “tracking technologies could collect an individual’s email address and/or IP address when the individual visits a regulated entity’s webpage to search for available appointments with a health care provider.” The guidance also indicates that a search for information related to particular conditions, such as pregnancy, can constitute PHI in certain circumstances.
Risks for Covered Entities
As detailed in a recent Manatt article, providers around the country have been hit with lawsuits under which patients have sought damages for the disclosure of their data via tracking technologies. These lawsuits often rest on the novel legal theory that disclosures via tracking technologies violate wiretapping laws, and plaintiffs often rely on HIPAA violations as a basis for their claims.
Beyond patient lawsuits, there are risks to HIPAA covered entities through their use of tracking technologies. In March, Cerebral, a virtual behavioral health platform, disclosed that it had provided a breach notice to OCR involving the disclosure of data from 3.1 million users via tracking technologies. Such breach reporting can result in administrative penalties imposed by OCR. Further, given OCR’s recent restructuring to create a dedicated enforcement division and the widespread attention to this issue, the agency could begin to take more proactive enforcement steps in this area.
OCR is not the only agency taking notice. The Federal Trade Commission (FTC) fined GoodRx $1.5 million for sharing its users’ health data with social media companies. States also can take action. Disclosures via tracking technologies can implicate state breach reporting laws and, in certain states, comprehensive privacy laws like the California Consumer Privacy Act.
Steps to Promote Compliance
Given this environment, it is critical that covered entities understand exactly what data is being collected via tracking technologies operating on their websites and with whom that data is shared. Legal counsel should determine whether any such data could constitute PHI and, if PHI has been disclosed, determine appropriate steps to respond to such disclosure and mitigate any future risks, including entering into business associate agreements with vendors when feasible and appropriate. Policies and procedures should also be in place to ensure that any disclosures of data via tracking technologies occur in compliance with not only HIPAA, but all applicable privacy and security laws.