BY Colleen Byrom, Brown & Fortunato
Today most hospitals and healthcare providers utilize websites and mobile applications (“mobile apps”) to give their patients easier access to their medical information. However, behind these technologies may lie certain tools that result in the provider violating the Health Insurance Portability and Accountability Act of 1996’s (“HIPAA”). In fact, the U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) recently shifted their focus on the use of “tracking technologies” on provider websites and mobile apps.
HIPAA prohibits covered entities and their business associates from disclosing an individual’s personal health information (“PHI”) without that individual’s authorization. HIPAA includes the Privacy Rule, the Security Rule, and the Breach Notification Rule. On December 1, 2022, OCR published a bulletin entitled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates,” whereby the agency expressed its concerns with the use of tracking technologies on provider websites and mobile apps (the “Bulletin”).
Warning: Undefined variable $posClass in /home1/mjhnewsc/public_html/wp-content/plugins/ap-plugin-scripteo/lib/functions.php on line 1078
A tracking technology is a script or code that collects and analyzes how users interact with a website or mobile app. Tracking technologies can provide providers a better picture of how users interact with the provider’s website or mobile app and can provide insight into how they can improve patient care or the patient experience.
Warning: Undefined variable $posClass in /home1/mjhnewsc/public_html/wp-content/plugins/ap-plugin-scripteo/lib/functions.php on line 1078
Third-party vendors develop and manage tracking technologies for the providers. As such, OCR emphasizes that HIPAA applies if tracking technologies collect PHI or disclose PHI to tracking technology vendors. A HIPAA-regulated entity then may not utilize tracking technologies in a way that would result in an impermissible disclosure of PHI to a tracking technology vendor.
Warning: Undefined variable $posClass in /home1/mjhnewsc/public_html/wp-content/plugins/ap-plugin-scripteo/lib/functions.php on line 1078
The Bulletin also clarifies that if a patient enters individually identifiable health information (“IIHI”) in the provider’s website or mobile app then such information will generally be considered a type of PHI. IIHI may include an individual’s medical record number, home or email address, dates of appointments, the individual’s IP address or geographic location, medical device IDs, or any unique identifying code. OCR states that IIHI rises to the level of PHI even if the individual does not have an existing relationship with the provider or the IIHI does not include specific treatment or billing information. This is because the provider’s website or mobile app collects an individual’s IIHI and then connects the individual to a provider for that individual to receive health care services or benefits from the provider. Accordingly, the IIHI provided relates to that individual’s past, present or further health or health care or payment for care.
OCR also identified within the Bulletin the following obligations a provider must comply with to maintain HIPAA compliance:
- Any disclosures of PHI are in compliance with the Privacy Rule. The provider must ensure that all disclosures of PHI to a tracking technology vendor are done in accordance with the HIPAA Privacy Rule. The provider may not disclose the PHI unless a HIPAA exception applies, and the disclosed PHI should only be the minimum necessary to achieve the intended purpose.
- Ensure Business Associate Agreements (“BAA”) are in place. The provider must examine whether its relationship with the tracking technology vendor falls within HIPAA’s definition of a business associate. If the tracking technology vendor is a business associate, then the provider must have a BAA in place that complies with HIPAA’s requirements.
- Update Risk Analysis and Risk Management Processes. The provider should update its risk analysis and risk management process to address the use of tracking technologies.
- Implement safeguards in accordance with the Security Rule. The provider must review its current operations and implement any administrative, physical, and technical safeguards in accordance with the Security Rule to ensure the protection of the provider’s ePHI.
- Provide notices required under the Breach Notification Rule. The provider must make any required breach notifications if there is an impermissible disclosure of PHI to a tracking technology vendor.
On June 23, 2023, OCR and the Federal Trade Commissions (“FTC”) sent a joint letter to approximately 130 hospitals and telehealth providers regarding the use of online tracking technologies (the “Joint Letter”). The letter once again warns that certain tracking technologies, such as the Meta/Facebook pixel and Google Analytics, may be gathering identifiable information from the provider’s patients without their knowledge and disclosing such information in violation of HIPAA. Both agencies are also “closely watching developments in this area” and strongly encourage providers to take action to protect PHI.
Accordingly, OCR’s Bulletin and the Joint Letter strongly suggest that one of the OCR’s current enforcement focuses is on the use of tracking technologies. Hospitals and other healthcare providers should then take proactive steps and examine how their websites and apps utilize tracking technologies and their access to PHI. Providers should also review their current HIPAA policies and procedures to adequately address the tracking technologies’ access to PHI.