Tracking technologies on websites and mobile apps may expose hospitals and other providers to HIPAA violations

September 14, 2023

BY Colleen Byrom, Brown & Fortunato

Today most hospitals and healthcare providers use websites and mobile applications (“mobile apps”) to give their patients easier access to their medical information. However, behind these technologies may lie certain tools that result in the provider violating the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). In fact, the U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) recently shifted its focus to the use of “tracking technologies” on provider websites and mobile apps.


HIPAA prohibits covered entities and their business associates from disclosing an individual’s personal health information (“PHI”) without that individual’s authorization. HIPAA includes the Privacy Rule, the Security Rule, and the Breach Notification Rule. On December 1, 2022, OCR published a bulletin entitled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates,” whereby the agency expressed its concerns with the use of tracking technologies on provider websites and mobile apps (the “Bulletin”).

A tracking technology is a script or code that collects and analyzes how users interact with a website or mobile app. Tracking technologies can give providers a better picture of how users interact with the provider’s website or mobile app and can offer insight into how they can improve patient care or the patient experience.

Third-party vendors develop and manage tracking technologies for providers. As such, OCR emphasizes that HIPAA applies if tracking technologies collect PHI or disclose PHI to tracking technology vendors. A HIPAA-regulated entity therefore may not use tracking technologies in a way that would result in an impermissible disclosure of PHI to a tracking technology vendor.

The Bulletin also clarifies that if a patient enters individually identifiable health information (“IIHI”) on the provider’s website or mobile app, then such information will generally be considered a type of PHI. IIHI may include an individual’s medical record number, home or email address, dates of appointments, the individual’s IP address or geographic location, medical device IDs, or any unique identifying code. OCR states that IIHI rises to the level of PHI even if the individual does not have an existing relationship with the provider or the IIHI does not include specific treatment or billing information. This is because the provider’s website or mobile app collects an individual’s IIHI and then connects the individual to a provider for that individual to receive health care services or benefits from the provider. Accordingly, the IIHI provided relates to that individual’s past, present or future health or health care, or payment for care.

OCR also identified within the Bulletin the following obligations a provider must meet to remain HIPAA-compliant:


  • Any disclosures of PHI are in compliance with the Privacy Rule. The provider must ensure that all disclosures of PHI to a tracking technology vendor are done in accordance with the HIPAA Privacy Rule. The provider may not disclose the PHI unless a HIPAA exception applies, and the disclosed PHI should only be the minimum necessary to achieve the intended purpose.


  • Ensure Business Associate Agreements (“BAA”) are in place. The provider must examine whether its relationship with the tracking technology vendor falls within HIPAA’s definition of a business associate. If the tracking technology vendor is a business associate, then the provider must have a BAA in place that complies with HIPAA’s requirements.


  • Update Risk Analysis and Risk Management Processes. The provider should update its risk analysis and risk management process to address the use of tracking technologies.


  • Implement safeguards in accordance with the Security Rule. The provider must review its current operations and implement any administrative, physical, and technical safeguards in accordance with the Security Rule to ensure the protection of the provider’s ePHI.


  • Provide notices required under the Breach Notification Rule. The provider must make any required breach notifications if there is an impermissible disclosure of PHI to a tracking technology vendor.

On June 23, 2023, OCR and the Federal Trade Commission (“FTC”) sent a joint letter to approximately 130 hospitals and telehealth providers regarding the use of online tracking technologies (the “Joint Letter”). The letter once again warns that certain tracking technologies, such as the Meta/Facebook pixel and Google Analytics, may be gathering identifiable information from the provider’s patients without their knowledge and disclosing such information in violation of HIPAA. Both agencies are also “closely watching developments in this area” and strongly encourage providers to take action to protect PHI.

Accordingly, OCR’s Bulletin and the Joint Letter strongly suggest that one of OCR’s current enforcement priorities is the use of tracking technologies. Hospitals and other healthcare providers should therefore take proactive steps and examine how their websites and apps use tracking technologies and what access those technologies have to PHI. Providers should also review their current HIPAA policies and procedures to adequately address the tracking technologies’ access to PHI.
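As an added example (not part of this article, and not a tool of OCR, the FTC, or any vendor), the following Python script illustrates the kind of inventory check the previous paragraph calls for: it scans a page’s HTML for the loader URLs and init calls of the two trackers named in the Joint Letter and rates any page that both carries a tracker and contains a form where a patient could type IIHI as high risk. The sample pages, tag IDs and pixel IDs are constructed placeholders, and the signature list is deliberately minimal.

```python
import re
from html.parser import HTMLParser

# Loader URLs and init calls of the two tracking technologies named in the Joint Letter.
TRACKER_SIGNATURES = {
    "Meta/Facebook pixel": [r"connect\.facebook\.net/.+/fbevents\.js", r"facebook\.com/tr\?",
                            r"\bfbq\s*\(\s*['\"]init['\"]"],
    "Google Analytics": [r"googletagmanager\.com/gtag/js", r"\bgtag\s*\(\s*['\"]config['\"]"],
}

class PageScan(HTMLParser):
    """Collect script/img/iframe sources and inline script text; note whether a <form> exists."""
    def __init__(self):
        super().__init__()
        self.candidates, self.has_form, self._in_script = [], False, False
    def handle_starttag(self, tag, attrs):
        self._in_script = self._in_script or tag == "script"
        self.has_form = self.has_form or tag == "form"  # a form is where a patient types IIHI
        src = dict(attrs).get("src")
        if src and tag in ("script", "img", "iframe"):
            self.candidates.append(src)
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):
        if self._in_script:
            self.candidates.append(data)

def scan_page(html):
    """Return {"trackers": {name: [evidence]}, "has_form": bool, "risk": HIGH|REVIEW|NONE}."""
    scan = PageScan()
    scan.feed(html)
    found = {}
    for name, patterns in TRACKER_SIGNATURES.items():
        hits = [c.strip()[:60] for c in scan.candidates if any(re.search(p, c) for p in patterns)]
        if hits:
            found[name] = hits
    # A tracker on a page with a form can observe what the patient enters (IIHI, hence PHI per the Bulletin).
    risk = "NONE" if not found else ("HIGH" if scan.has_form else "REVIEW")
    return {"trackers": found, "has_form": scan.has_form, "risk": risk}

# Constructed sample pages (placeholder IDs; not taken from any real provider site).
SAMPLE_PAGES = {
    "/appointments": """<script>function gtag(){dataLayer.push(arguments);} gtag('config', 'G-PLACEHOLDER');</script>
<script>/* loader omitted */ fbq('init', '000000000000000'); fbq('track', 'PageView');</script>
<noscript><img src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"></noscript>
<form method="post"><input name="mrn"><input name="email"><input name="appointment_date"></form>""",
    "/about": '<script src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script><p>About us.</p>',
}
```

A static scan like this only finds trackers embedded in the HTML; a complete review would also capture the live network traffic of the site and the SDKs bundled into the mobile app.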
