A patient surfs a hospital system’s website and reads an article about depression and anxiety. The patient then searches the hospital’s website for mental health providers in the area. A few hours later, the patient logs into her social media account and is being targeted with ads for telehealth counseling services.
With the rise of tracking technologies, scenarios like these are becoming more common. In the healthcare space, regulators have taken notice, prompting a renewed focus on patient privacy and the legal implications of tracking technologies.
Healthcare entities that use online tracking technologies may run afoul of HIPAA, according to recent guidance issued by the U.S. Department of Health and Human Services, Office of Civil Rights (HHS-OCR). The guidance explains how the use of tracking technologies by healthcare entities can implicate HIPAA and lead to violations that may result in enforcement actions, including potential civil money penalties. In light of this new guidance, HIPAA-regulated entities should review their use of tracking technologies on all their online platforms, including websites, patient portals, and apps.
This article summarizes the key points from the HHS-OCR guidance and tips for mitigating risk. You can read the full guidance here.
What are tracking technologies?
Tracking technologies are used to collect and analyze information about how users interact with an organization’s websites or mobile apps. When a person visits a website or uses an app, scripts or code embedded in the website or app may gather information about the person, such as their IP address, browser information, email address, and language used. Tracking technologies can be used for many purposes, such as improving website functionality, optimizing user experience, and analyzing website traffic.
Here is a summary of the most common tracking technologies:
- Cookies – Small text files that store data used to identify a user when they visit different pages on a website or, in some cases, track users across different websites
- Pixel/Web Beacon – A small (1×1 pixel) graphic activated and displayed when a user visits a website, clicks on a banner advertisement, or opens an email. The graphic itself is not important; it is usually transparent or hidden from the user’s view. The act of loading the pixel, though, triggers a server to record the user’s IP address and other information, and possibly to track that user as they visit other sites and load other pixels. Web beacons are a category of tracking technologies that are activated by user activities on a website. Pixels are a subcategory of web beacons.
- Heatmaps – A data visualization tool that helps website owners understand how their webpages are actually used. It can record users clicking links and images and note users scrolling through a page. Sophisticated heatmaps can record exact mouse positions and movements, and even user eye movements, in certain circumstances.
- Session records – Reproduction of an individual user’s activities on a website. Session recording transforms logged events, such as mouse movements, clicks, page visits, scrolling, tapping, etc., into a reproduction of what the user actually did on the site or app.
- Fingerprinting Scripts – Computer programs that build profiles of users based on their computer hardware, software, add-ons, preferences, the fonts installed on their computer, and their choice of web browser. The more unique add-ons, fonts, and settings a user has, the easier that user is to find and track. Tracking technologies do not need to be absolutely accurate in order to be useful; some vendors claim over 99% accuracy with fingerprinting.
The HHS-OCR guidance focuses on tracking technologies developed by third-party technology vendors, such as Google Analytics, Meta Pixel, and Microsoft Clarity, to name just a few. Generally, when a healthcare organization uses a tracking technology developed by an outside vendor, the data collected by the tracking technology is sent from the healthcare organization’s server to the vendor. The vendor, in turn, processes the data and generates reports that the healthcare organization can use for business, marketing, operational, or other purposes. In some cases, the technology vendor may use the data it receives from the healthcare organization for its own commercial purposes.
When does HIPAA apply to the use of tracking technologies?
HIPAA applies when the information that regulated entities collect through tracking technologies or disclose to tracking technology vendors includes protected health information (PHI). The legal definition of PHI is broad and can include many types of patient data that fall outside of the medical record.
In its guidance, HHS-OCR identifies the following types of information as examples of PHI that could be collected by tracking technologies: a patient’s medical record number, home address, email address, dates of appointments, IP address, geographic location, medical device ID, or other unique identifying information. According to HHS-OCR, all such personally identifiable information collected on a regulated entity’s website or mobile app is PHI protected by HIPAA, “even if the individual does not have an existing relationship with the regulated entity”. In addition, the guidance indicates that information like IP addresses or geographic location can still be considered PHI even if it does not include specific treatment or billing information like dates and types of health care services. HHS-OCR’s rationale is that the information collected by tracking technologies through a healthcare organization’s website connects the individual to the healthcare organization and is therefore “indicative that the individual has received or will receive health care services or benefits” from the healthcare organization.
This broad interpretation of the definition of PHI has raised some concern and uncertainty in the industry and may be subject to challenge by regulated providers. In the meantime, regulated entities must be wary of how they use tracking technologies, and what kind of information is collected, especially in light of this broad interpretation.
How does HIPAA apply to tracking technologies on user-authenticated webpages (e.g., patient portals and telehealth platforms)?
User-authenticated webpages require people to log in before they can access the webpage. Patient portals and telehealth platforms are common examples of user-authenticated webpages in the healthcare space. According to HHS-OCR, tracking technologies used on user-authenticated webpages are generally going to have access to PHI. Therefore, healthcare organizations must ensure that any uses or disclosures of PHI that involve tracking technologies fully comply with HIPAA. To the extent PHI tracked on a user-authenticated webpage is sent to the tracking technology vendor, a Business Associate Agreement must be in place. For example, if a patient makes an appointment through a clinic’s patient portal that uses tracking technology, the patient portal may automatically send information about the patient’s appointment and IP address to the tracking technology vendor. In this case, the clinic would be required to have a Business Associate Agreement with the tracking technology vendor.
Unauthenticated webpages are public-facing and do not require a log-in to access them. Healthcare organizations may have unauthenticated webpages with general information like their location, services they provide, lists of providers, and similar content. According to the HHS-OCR guidance, tracking technologies used on unauthenticated webpages “generally do not have access to the individuals’ PHI”. However, the guidance then describes several broad exceptions in which HIPAA would apply:
- Tracking technologies used on an unauthenticated webpage that addresses specific symptoms or health conditions, such as pregnancy or miscarriage.
- Tracking technologies used on an unauthenticated webpage that permits individuals to search for doctors or schedule appointments without entering log-in credentials. (For example, tracking technologies could collect an individual’s email address and/or IP address when the individual visits a regulated entity’s webpage to search for available appointments with a healthcare provider.)
Tips & Takeaways
Healthcare organizations must take note of the potentially wide-ranging application of HIPAA to webpages that use tracking technologies. We recommend that healthcare organizations review where and how tracking technologies are used on their websites and apps. Here are some compliance tips for healthcare organizations in light of the HHS-OCR guidance:
- Identify web tracking technologies used on all of your organization’s websites and apps. This includes tracking technologies employed directly by your organization or via a third party. Establishing this inventory is essential and may require multiple sources of information. Relevant individuals in the marketing, business operations, and IT teams are excellent sources, but may not be aware of all web tracking technologies used. Automated website scans can identify tracking technologies in use by methodically activating each one, but are unlikely to know the reasons for deploying them and the consequences if they are blocked or removed.
- Discontinue use of web tracking technologies that are not consistent with HIPAA. Depending on the technology, non-compliance may be corrected with changes to technical configuration or operating procedures. In other cases, eliminating the technology altogether may be necessary.
- Put in place Business Associate Agreements, as needed. Third-party tracking vendors identified through the inventory process may be classified as Business Associates.
- Be alert for changes in web tracking technologies. New technologies and techniques are periodically developed and may implicate your organization’s HIPAA compliance.
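As an added example (not code from the article or the HHS-OCR guidance), a minimal Python scanner that builds the tracker inventory the first tip calls for: it parses page HTML, collects script, image and iframe sources, and maps their hosts to a few of the vendors named above. The vendor hostname list and the sample page are constructed assumptions; trackers loaded dynamically by other scripts will not appear in static HTML, so this complements rather than replaces a runtime scan of the live site.

```python
# Added example (not from the article or the HHS-OCR guidance): a minimal
# tracker inventory that maps third-party script and pixel sources in page
# HTML to vendors. KNOWN_TRACKERS is an assumed list; extend it as needed.
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_TRACKERS = {  # hostname suffix -> vendor
    "googletagmanager.com": "Google Analytics / Tag Manager",
    "google-analytics.com": "Google Analytics",
    "connect.facebook.net": "Meta Pixel",
    "facebook.com": "Meta Pixel",
    "clarity.ms": "Microsoft Clarity",
}

class TrackerFinder(HTMLParser):
    """Collects src attributes from script, img and iframe tags."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "img", "iframe") and src:
            self.refs.append((tag, src))

def classify(url):
    """Vendor name for a URL, or None when its host is not a known tracker."""
    host = urlparse(url).hostname or ""  # "" for same-origin paths like /a.js
    for suffix, vendor in KNOWN_TRACKERS.items():
        if host == suffix or host.endswith("." + suffix):
            return vendor
    return None

def inventory(html):
    """Return {vendor: [(tag, url), ...]} for known trackers referenced in html."""
    finder = TrackerFinder()
    finder.feed(html)
    found = {}
    for tag, src in finder.refs:
        vendor = classify(src)
        if vendor:
            found.setdefault(vendor, []).append((tag, src))
    return found

# Constructed sample: a symptom-information page carrying three trackers.
SAMPLE_HTML = """<html><head><title>Depression and anxiety</title>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="https://www.clarity.ms/tag/EXAMPLE"></script></head>
<body><script src="/static/site.js"></script>
<noscript><img src="https://www.facebook.com/tr?id=000000&amp;ev=PageView"
 height="1" width="1" style="display:none"/></noscript></body></html>"""
```

Calling `inventory(SAMPLE_HTML)` returns the three vendors with the tag and URL of each reference, which is the starting point for deciding whether a Business Associate Agreement or removal is needed for each one.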
Ensure that HIPAA compliance and privacy considerations are taken into account when developing online marketing efforts. The use of tracking technologies must be evaluated in light of HIPAA and this recent HHS-OCR guidance. Make sure key stakeholders are educated on this issue so that potential issues are spotted early.