Cookies May be Bad for Your Health: OCR Warns Covered Entities and Business Associates of Its Broad View of HIPAA’s Applicability to Cookies, Pixels, and Other Tracking Technologies
On December 1, 2022, the Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services issued a nonbinding guidance Bulletin on the use of online tracking technologies by covered entities and business associates (collectively, “regulated entities”) under the Health Insurance Portability and Accountability Act (“HIPAA”). The position taken by OCR in the Bulletin is further evidence of a continuing U.S. regulatory trend towards tighter regulation of online tracking technologies. Although the Bulletin does not have the full force and effect of law, it does demonstrate OCR’s perspective. And the broad view taken by OCR in this Bulletin is highly likely to result in an increase in OCR complaints, OCR enforcement actions, and class action filings based on regulated entities’ use of online tracking technologies.
In this alert, we (1) briefly describe the underlying online tracking technologies that have drawn regulatory attention; (2) explain the application of HIPAA to these technologies as outlined by OCR; (3) describe the obligations that result from that application; and (4) provide recommendations on addressing these risks in light of this new guidance.
Tracking Technologies of Interest to OCR
In this Bulletin, OCR focused on information captured through commonly used tracking technologies, such as cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts and, in the mobile context, embedded tracking codes within apps that capture information provided by users and users’ mobile device-related information, such as a unique device ID or advertising ID. According to OCR, these tracking technologies are generally developed and provided by third parties (e.g., tracking technology vendors) that receive information directly from these technologies and continue to capture information about users after they leave the website that embedded the tracking technology.
Applicability of HIPAA to Tracking Technologies
OCR addressed the wide range of information collected through online tracking technologies on websites and mobile applications, including an individual’s medical record number, home or email address, date of appointments, IP address or geographic location, medical device IDs, and other unique identifying codes. OCR stated that such information collected on a regulated entity’s website or mobile app generally is protected health information (“PHI”) because it is “indicative that the individual has received or will receive health care services or benefits from the covered entity.” Significantly, OCR asserted this is true even absent an existing relationship between the individual and the covered entity and absent the collection of specific treatment or billing information, such as dates and types of health care services.
Online Tracking Technology for Websites
- User-Authenticated Webpages. In the Bulletin, OCR asserted that tracking technologies on user-authenticated webpages generally have access to PHI, such as IP address, medical record number, home or email address, appointment dates, and may also have access to individual diagnoses and treatment information, prescription information, and billing information.
- Unauthenticated Webpages. Although OCR stated that tracking technologies on unauthenticated webpages generally will not have access to PHI, OCR asserts that, in some instances, tracking technologies on unauthenticated webpages may have access to PHI. OCR asserted that, in such cases, the HIPAA Rules will apply. The specific examples OCR provided of unauthenticated webpages to which the HIPAA Rules may apply included:
  - Login pages of a patient portal;
  - Registration webpages for a patient portal;
  - Appointment availability webpages;
  - Doctor search webpages; and
  - Informational webpages on specific symptoms or health conditions, such as pregnancy or miscarriage.
Online Tracking Technology for Mobile Applications
- Apps Developed or Offered by Regulated Entities
OCR stated that mobile app vendors, tracking technology vendors and other third parties to whom information is disclosed from mobile applications developed or offered by regulated entities will receive access to PHI (1) because of the nature of the information collected through such apps (e.g., health information, billing information, tracking of health-related variables); and (2) because the downloading and use of the mobile app is indicative that the individual has or will receive health care services or benefits. Per OCR, regulated entities that develop or offer mobile applications must comply with the HIPAA rules for the PHI the mobile app uses and discloses.
- Apps Developed or Offered by Third Parties
OCR specified that the HIPAA Rules do not protect the privacy and security of information that users voluntarily download or enter into mobile apps that are not developed or offered by or on behalf of regulated entities.
HIPAA Obligations for Regulated Entities Using Tracking Technologies
In the Bulletin, OCR stated that regulated entities are required to comply with HIPAA Rules when using tracking technologies that permit access to PHI by:
- Ensuring Disclosures of PHI to Tracking Technology Vendors are Permitted, Required, or Authorized, and Are Limited to the Minimum Necessary (Unless an Exception Applies). OCR asserted that regulated entities must ensure all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule. OCR further stated that, unless an exception applies, PHI disclosed must be limited to the “minimum necessary.” OCR stated that merely informing individuals through a privacy notice of disclosures of PHI to tracking technology vendors will not make that disclosure permissible. To make such disclosures, OCR asserts that regulated entities must:
  - Enter into a Business Associate Agreement (“BAA”) with All Tracking Technology Vendors and Confirm an Applicable Permission for the Disclosure. Per OCR, prior to disclosing PHI to a tracking technology vendor, regulated entities must have a signed BAA in place and there must be an applicable Privacy Rule permission for the disclosure. See 45 C.F.R. 164.502(a). It is highly likely that some key tracking technology vendors will refuse to enter a BAA. See, e.g., Google Analytics: Best Practices to Avoid Sending PII: HIPAA Disclaimer (“you may not use Google Analytics for any purpose or in any manner involving Protected Health Information”).
  - Obtain the Individual’s HIPAA-Compliant Authorization before the Disclosure if There is No Applicable Privacy Rule Permission or if the Vendor is Not a Business Associate. OCR also asserted that if there is not an applicable Privacy Rule permission or if the vendor does not meet the definition of a “business associate”, HIPAA-compliant authorizations will be required prior to the disclosure of PHI. OCR specifically advised that website banners asking users to accept or reject the use of tracking technologies will not constitute a valid HIPAA authorization.
- Entering into BAAs with Tracking Technology Vendors that Meet the Definition of Business Associate. OCR further asserted that if a tracking technology vendor meets the definition of a “business associate” under HIPAA, the regulated entity must ensure that a HIPAA-compliant BAA is in place with the vendor. OCR advised that if a regulated entity does not want to create a business associate relationship with a vendor or if the vendor refuses to enter a BAA, then individual HIPAA-compliant authorizations will be required before any disclosures of PHI.
- Addressing Tracking Technology in Risk Analysis and Risk Management Processes. OCR emphasized the obligation for regulated entities to account for the use of online and mobile app tracking technologies in their risk analysis and risk management processes. See 45 C.F.R. 164.308.
- Implementing Administrative, Physical, and Technical Safeguards. OCR also highlighted the requirement for regulated entities to implement appropriate administrative, physical, and technical safeguards to protect PHI and ePHI in the context of tracking technologies. See 45 C.F.R. 306-316.
- Providing Breach Notification. Finally, OCR asserted that regulated entities are required to provide appropriate breach notification to affected individuals, the regulator, and the media of impermissible disclosures of PHI to a tracking technology vendor that compromise the security or privacy of PHI when there is no Privacy Rule requirement or permission to disclose and there is no BAA in place with the vendor. In such circumstances, OCR asserted that there is a presumption of breach of unsecured PHI unless the regulated entity can demonstrate that there is a low probability that the PHI has been compromised. See 45 C.F.R. 164.402(2).
Recommended Action Items
In light of the regulatory and litigation risk arising from this Bulletin, we recommend that companies consider taking the following actions to reduce their risk of being the subject of complaints to OCR, OCR investigations, and/or class action litigation:
- Identify and evaluate current use of online tracking technologies in websites and mobile apps.
- Determine whether information disclosed through such online tracking technologies is likely to be deemed PHI based on the context of the collection.
- Analyze current practices against OCR guidance in the Bulletin, and conduct a risk analysis (taking into account both regulatory and litigation risks) to determine whether to discontinue, in whole or in part, use of online tracking technologies, particularly for authenticated webpages and mobile apps.
- If a decision is made to continue, in whole or in part, the use of online tracking technologies involving the disclosure of PHI, we recommend considering the following actions:
  - Analyze opportunities to reconfigure such technologies to limit PHI disclosures through tracking technologies on unauthenticated webpages.
  - Enter into compliant BAAs with online tracking technology companies and mobile app companies, including but not limited to BAAs with entities meeting the “business associate” definition.
  - Obtain HIPAA-compliant authorizations before individuals are set up to use authenticated webpages or mobile apps.
  - Implement the administrative, physical, and technical safeguards required by the Security Rule, in accordance with OCR guidance in the Bulletin.
  - Confirm that ongoing HIPAA security risk assessments and risk management account for online tracking technology disclosures.
  - Inform employees involved in selecting, entering into agreements with, and obtaining services from online tracking technology providers and/or mobile app providers, as well as employees with privacy- and security-focused vendor oversight responsibilities, of HIPAA compliance risks and obligations arising from online tracking technologies.
  - Evaluate obligations to provide breach notifications to individuals, regulators, and the media in accordance with OCR guidance in the Bulletin.
Regulated entities should prioritize evaluating and updating their online tracking technology practices, as necessary, to address regulatory expectations for the use of such technologies set forth in OCR’s Bulletin. Taking prompt action will reduce the risk of entities becoming the target of complaints to OCR, an enforcement action, and/or class action litigation.
Authors
Eleazar Rundus contributed to this post.