Key Takeaway: Organizations must conduct a fact-based analysis to determine whether health data collection and tracking technology deployed on their websites and mobile apps complies with the federal Health Insurance Portability and Accountability Act (“HIPAA”) and other applicable laws and guidance.

Cookies, web beacons, and similar technology are used to collect and analyze data about how users,  browsers and devices interact with websites and mobile apps across the Internet (“Tracking Technology”).   Tracking Technology is the subject of numerous regulatory actions, including by regulators in the European Union and California, and through private lawsuits (also in the EU and U.S.).  These actions and complaints typically focus on the lack of transparency about how Tracking Technology collect data about individuals as they traverse the Internet and the lack of individual choice about how that data is shared with third parties and used to build profiles for targeted advertising.  On December 1, 2022, another regulator joined the fray: the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”).  OCR, the primary enforcement authority for the federal Health Insurance Affordability and Accountably Acy (“HIPAA”), published a Bulletin cautioning HIPAA-regulated entities that their use of Tracking Technology may result in disclosures and uses of protected health information (“PHI”) that violate HIPAA.[1] 

Many U.S. consumers mistakenly believe that all of their health information—including health information collected by online tracking technology—is protected by HIPAA.  HIPAA’s requirements, however, apply only to “covered entities” (i.e., health plans, most health care providers and health care clearinghouses) and “business associates” (i.e., the service providers and other third parties that support covered entities) that receive or create indi­vidually-identifiable health information (“IIHI”) and that engage in certain covered transactions (e.g., referrals and authorizations, coordination of benefits, etc.).  IIHI becomes PHI in the hands of covered entities and business associates but that same information is not PHI when in the hands of any other organization or when used for purposes not related to treatment, or health-related payment or operations.    OCR’s Bulletin helps to fill that gap but, in doing so, adds some new operational challenges for HIPAA-regulated entities.  

The Bulletin states that the IIHI collected by Tracking Technology running on a website or mobile app operated by a covered entity or business associate “generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the IIHI, such as IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services.”  The Bulletin states that this IIHI is PHI because it “connects the individual to the regulated entity” and is “indicative that the individual has received or will receive health care services or benefits from the covered entity”.    

The Bulletin then lays out three Tracking Technology use cases that illustrate its position:  (1)  use on user-authenticated webpages, i.e., “webpages that users can access only after they log in to the webpage, such as by entering a unique user ID and password or other credentials”; (2) use on unauthenticated webpages, which are “webpages that are publicly accessible without first requiring a user to log in to such webpage”; and (3) use with mobile apps “offered to individuals by regulated entities to allow the individuals to, for example, find providers, access or manage their health information or health care, or pay bills”.  (See Bulletin Footnotes 11, 12 and 13, respectively.)   

The Bulletin’s second use case (Tracking Technology used on unauthenticated webpages) presents the most difficult operational challenge. Many of these HIPAA-regulated entities have historically operated on the basis that information collected from unknown visitors to their websites is not PHI because the regulated entity cannot necessarily link it to identified or identifiable individual or even if the individual is identifiable, to the provision health care services to that individual. 

According to the Bulletin’s second use case, however, data collected during a search of a provider directory on a public webpage – such as “an individual’s email address and/or IP address when the individual visits a regulated entity’s webpage to search for available appointments with a health care provider” – is a disclosure of PHI when third-party Tracking Technology is used on the website.  Because the disclosure of PHI to the Tracking Technology vendor is outside the scope of treatment, payment or health care operations, a valid HIPAA authorization is required.[2]   Obtaining a HIPAA authorization prior to allowing access to an unauthenticated webpage is, however, often impractical; for example, an individual likely would not view its provider name search as the provision of health care and accordingly may be disinclined to grant a HIPAA authorization until selecting a provider and scheduling an appointment. 

Considered in the context of other concerns about protection of health information expressed by other regulators, OCR’s position is not particularly surprising.  Over the summer, the Federal Trade Commission wrote about what the data collected from wearable fitness devices can reveal about personal reproductive health choices, creating “a new frontier of potential harms to consumers”.  Earlier in December,  the FTC updated its interactive tool intended to help businesses creating and marketing mobile health apps to determine which federal privacy and security laws apply and also updated its best practices guidance for developers of mobile health apps.  The California Attorney General’s settlement agreement with health app, Glow, Inc. followed  an investigation in which Glow was alleged to have violated California consumer and health privacy laws by failing to preserve the confidentiality of medical information, including by disclosing app users’ health-related information without first obtaining the user’s authorization.   

Next Steps

Whether Tracking Technology collects and discloses PHI in violation of HIPAA or consumer protection laws requires a fact-based analysis.     

Document all Tracking Technology used for websites and mobile apps handling health information.  Document the vendor of the Tracking Technology, the categories of data collected, from whom the data are collected, where on the website or mobile app the collection occurs, whether and how the data are shared and whether the data collected and shared includes PHI within the scope of the Bulletin’s requirements.

Execute a business associate agreement (“BAA”) with Tracking Technology vendors.  Whether a vendor is the business associate of a covered entity does not depend on the existence of a BAA between the parties or whether the covered entity perceives a vendor to be its business associate.  HIPAA enumerates functions that qualifies a vendor as a business associate, including providing data analysis services.[3]  In the Bulletin, OCR explained that when a Tracking Technology vendor is a covered entity’s business associate, a valid HIPAA authorization is not required.  Accordingly, a BAA helps demonstrate the Tracking Technology vendor is allowed to use and disclose PHI to the extent permitted by HIPAA. 

Evaluate obligations under consumer protection and state privacy laws.  Even when the data disclosed by a covered entity or business associate to a Tracking Technology is not PHI, a covered entity may have obligations under consumer protection laws and state privacy laws to (inter alia) make certain public disclosures about privacy practices (e.g., in a privacy policy) and implement mechanisms that allow covered individuals to exercise their privacy rights in addition to those available under HIPAA. Non-compliance with the state privacy and consumer protection laws may result in civil, and in some instances, criminal, penalties, that are separate from HIPAA civil money penalties.

[1]  Public Law 104-191

[2] 45 C.F.R. § 164.508

[3] 45 C.F.R. 160.103