OCR bulletin stresses importance of HIPAA compliance for online tracking technology
On December 1, 2022, the Health and Human Services Office for Civil Rights (OCR) issued a Bulletin on the requirements imposed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for online tracking technology regarding protecting the privacy and security of health information. This Bulletin explains how HIPAA rules apply to regulated entities' use of online tracking technologies on their webpages and mobile apps, and comes in wake of several lawsuits related to the unauthorized disclosure of PHI to online tracking technology vendors.
In the Bulletin, OCR explains that regulated entities should ensure disclosures of PHI to online tracking technology vendors are disclosed in a manner authorized by HIPAA’s Privacy Rule and that a Business Associate Agreement (BAA) has been executed with online tracking technology vendors who meet the definition of a business associate under HIPAA. Otherwise, collection of information by such vendors would not be permitted under HIPAA and any collection of such information may result in an unauthorized disclosure of protected health information and could potentially result in notification obligations under HIPAA’s Breach Notification Rule.
What is online tracking technology?
Online tracking technology uses specific code to collect individual information on websites or mobile apps in order to track user activity. Organizations commonly use online tracking technology such as cookies, web beacons and/or scripts to track and collect information from website visitors to improve user experience, marketing, or for other business purposes. Mobile apps act in the same way, and generally include embedded tracking code within the app to collect user information. Websites or mobile app owners may develop tracking technologies internally, or engage external parties to collect and track user data for them.
OCR’s Bulletin
Regulated entities risk violating the HIPAA Privacy and Security Rules if PHI is disclosed to third-party online tracking technology vendors without appropriate safeguards in place. Regulated entities may currently be intentionally or unintentionally disclosing a variety of information to online tracking technology vendors through code embedded in the entity’s website or mobile app. The information collected may include an individual’s name, IP address, geographic location, or other unique identifiers, and OCR considers this information to be individually identifiable health information (IIHI), and thus PHI under HIPAA. The information is commonly collected during appointment scheduling, where an individual schedules appointments on an entity’s website, or searches for providers in their geographic location. OCR states this information is PHI even if it does not contain medical information or the individual does not have an existing relationship with the regulated entity. OCR’s rationale for this position is that when a regulated entity collects IIHI through its website or mobile app, the information connects the individual to the regulated entity, meaning the individual likely has received or will receive healthcare services or benefits from the regulated entity at some point.
Authenticated and unauthenticated websites
In their Bulletin, OCR does clarify not all information collected by online tracking technology is PHI. A user authenticated webpage is one where the user is required to log in before they may access the webpage and its features, such as a patient or health plan beneficiary portal. IIHI collected on user authenticated web pages is generally considered PHI, as the online tracking technology vendor may collect and have access to PHI such as name, IP address, medical record number, home or email addresses, dates of appointments, and other identifying information when an individual is logged into a regulated entity’s website. OCR states that regulated entities should configure online tracking technologies to only use and disclose PHI in compliance with the Privacy Rule, and ensure the information collected is secured in accordance with the Security Rule. Additionally, if the online tracking technology vendor is a business associates, i.e. they create, receive, maintain, or transmit PHI on behalf of the regulated entity for a covered function, regulated entities must ensure the online tracking technology vendor enters into a BAA.
Regarding unauthenticated webpages, not all information collected by online tracking technology vendors is considered PHI. An unauthenticated webpage is one that does not required users to log in to access the webpage. Online tracking technologies on unauthenticated web pages generally do not have access to PHI, and in these cases the use of online tracking technology is not regulated by HIPAA. However, in some cases, unauthenticated webpages may obtain PHI, such as when a user enters credentials into the login page for a regulated entity’s patient portal or a user registration webpage, or webpages that permit individuals to search for doctors or schedule appointments. In these examples, an individual starts on an unauthenticated page, and enters credentials or identifying information to access an authenticated page.
Mobile app nuances
Lastly, the Bulletin discusses tracking technology on mobile apps. Mobile apps offered by regulated entities that collect IIHI such as fingerprints, geolocation, device ID, etc., collect PHI, and are subject to compliance with the HIPAA Privacy and Security Rules. This includes PHI the mobile app uses or discloses, including subsequent disclosures to the mobile app vendor, online tracking technology vendor, or other third parties. However, the HIPAA Rules do not protect information users voluntarily download or enter into mobile apps that are not developed or offered by or on behalf of regulated entities. For example, user information entered into apps offered by entities not regulated by HIPAA are not subject to the Privacy and Security Rules.
Litigation concerns
Data breaches affecting individuals' PHI provide an attractive target for class action litigation because they often arise out of a single event of data exposure and provide a large pool of people for a potential class, which increases the settlement value of a case. Additionally, data breaches incite anxiety and fear in potential class members.
There have been several data breaches recently regarding the use of online tracking technologies in violation of the HIPAA Privacy and Security Rules. There are numerous types of putative privacy class actions, and most privacy lawsuits fall into a handful of state and federal statutory claims, and some common law claims. Below are a list of claims that may be common in litigation involving the impermissible use of online tracking technologies under HIPAA.
- Violation of the Electronic Communications Act (“ECPA”), 18 U.S.C. § 2510 et seq
- Title I (also known as the Wiretap Act), regulates the interception, disclosure, or use of the contents of wire, oral, and electronic communications while in transit. This may include unauthorized disclosure of PHI to online tracking technology vendors.
- Violation of the Stored Communications Act, 18 U.S.C. § 2510 et seq
- Regulates electronic communications when they are at rest or in storage. The SCA authorizes claims when an entity providing an electronic communication service to the public 1) allows for unauthorized, intentional access to the contents of stored communications; or 2) intentionally discloses those communications to any person or entity other than an addressee or the intended recipient of the communication.
- California Consumer Privacy Act (“CCPA”), Cal. Civ. Code §§ 1798.100 to 1798.199.95
- HIPAA covered entities also subject to the CCPA may be liable under the CCPA for unauthorized uses of online tracking technologies. The CCPA permits a private right of action for unauthorized access, theft, or disclosure of non-encrypted and non-redacted personal information (as defined within that section) due to the business failing to implement reasonable security practices and procedures appropriate for the particular type of personal information.
- Breach of Contract
- Breach of contract claims based on breach of privacy policies and terms of use; or duty of good faith and fair dealing between the patient and covered entity.
- Invasion of Privacy – Intrusion Upon Seclusion
- The definition of the Tort Intrusion Upon Seclusion varies depending on the jurisdiction, but is generally where one intentionally intrudes upon the private affairs of a party, and the intrusion would be highly offensive to a reasonable person.
- Common Law Negligence Claims
- Potential Plaintiffs may argue the covered entity breached a duty of care owed to the Plaintiff, in that the covered entity promised to safeguard the PHI it received and maintained.
How to maintain HIPAA compliance
OCR recommends regulated entities conduct the following to maintain compliance with the HIPAA Privacy and Security Rules in relation to the use of online tracking technology vendors:
- Ensure all disclosures of PHI to online tracking technology vendors are specifically permitted by the Privacy Rule, and that, unless an exception applies, only the minimum necessary PHI to achieve the intended purpose is disclosed. Additionally, notice in a privacy policy or website banner regarding the collection of PHI by online tracking technology is not enough. Regulated entities must ensure disclosure of PHI is permitted by the Privacy Rule.
- If the regulated entity utilizes an online tracking technology vendor that meets the definition of a business associate, the regulated entity must enter into a BAA with the tracking technology vendor.
- Address the use of online tracking technologies in the regulated entity’s Risk Analysis and Risk Management processes, as well as implement other administrative, physical, and technical safeguards in accordance with the Security Rule to protect the ePHI.
- Provide breach notification to affected individuals, the Secretary, and the media (when applicable) of an impermissible disclosure of PHI to an online tracking technology vendor that compromises the security or privacy of PHI when there is no Privacy Rule requirement or permission to disclose PHI and there is no BAA with the vendor. In such instances, there is a presumption that there has been a breach of unsecured PHI unless the regulated entity can demonstrate that there is a low probability that the PHI has been compromised.
Covered entities and business associates should consult legal counsel experienced in analyzing the appropriate use of tracking technology to confirm that their current or contemplated use of such technology is done in accordance with the HIPAA Rules.
Please contact the attorneys above for any questions you might have.