HIPAA Compliance and Online Tracking Technologies
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) published an updated memo on online tracking technologies. The memo clarifies how covered entities and business associates (known collectively as “Regulated Entities”) should handle online tracking technologies on user-authenticated and unauthenticated web pages and in mobile applications under the Health Insurance Portability and Accountability Act (HIPAA).
What are User-Authenticated Web Pages?
User-authenticated web pages require users to log in with credentials before accessing content. These pages often contain or link to protected health information (PHI), so the security and privacy stakes are exceptionally high. When tracking occurs on user-authenticated web pages, such as patient portals or provider dashboards, the HIPAA Privacy Rule requires that Regulated Entities obtain the individual’s written authorization before using or disclosing PHI for marketing or other non-treatment-related purposes [source].
What are Unauthenticated Web Pages?
Unauthenticated web pages, such as marketing sites or general health information websites, do not require users to log in. The HIPAA Privacy Rule does not explicitly demand written authorization for tracking on these pages. However, entities subject to the Privacy Rule must still follow its restrictions when tracking users on unauthenticated web pages, and must ensure that monitoring does not lead to unauthorized disclosures of PHI. Tracking technologies can inadvertently capture PHI (for example, when a visitor searches for a condition or looks up a specific provider), creating a risk of HIPAA violations [source].
What is a Tracking Technology?
Tracking technologies are scripts or code embedded in websites or mobile apps that gather information about users’ interactions with the platform. This information can include browsing history, device information, and even sensitive health information. Developers rely on these tools to understand user behavior in an application, but the data passed to third parties can be problematic because it can breach privacy and security [source].
What about Analytics Tracking (such as Google Analytics, Facebook Pixel, LinkedIn Pixel, and Bing Pixel)?
Analytics tracking enables website and mobile app owners to understand how visitors interact with their content. By employing tracking mechanisms such as cookies, it collects data on user behavior. While these technologies offer valuable insights, owners must use them cautiously to avoid violating HIPAA regulations.
- Cookies: Analytics typically use cookies to track user interactions on websites. These cookies collect data on visitor activity, such as session duration, pages per session, the browser used, and the user’s IP address. This information helps build detailed analytics reports. However, cookies can also capture sensitive information that, if not properly managed, can lead to unauthorized disclosures of PHI [source].
- Client-side JavaScript: Websites using analytics tools typically embed a JavaScript snippet that runs in the visitor’s browser. This script actively collects data, including page views (with their URLs), content interactions, and events triggered during the session, and sends it to the third party’s analytics servers. To prevent unauthorized access or breaches, ensure this data is transmitted securely, and be aware that on an authenticated page the URLs and events themselves may constitute PHI [source].
Most of these analytics technologies are NOT HIPAA compliant. For example, Google Analytics has stated that its product is not compliant and warns, “No personally identifiable information (PII) should be passed to Google.” This highlights the importance of ensuring that any third-party analytics tools do not inadvertently compromise PHI [source].
It’s crucial to note that website banners asking users to accept or reject tracking technologies do not constitute valid HIPAA authorization and will not protect the organization. Regulated Entities must clearly define and state the privacy releases that individuals sign before their information is shared with a third party [source].
Tracking within Mobile Apps
Mobile apps can collect vast amounts of information directly from users, ranging from health information to location data. The HIPAA Security Rule applies to mobile apps that collect PHI, and Regulated Entities must implement appropriate safeguards to protect that PHI from unauthorized access, use, and disclosure [source]. Mobile apps pose unique challenges because they can gather and transmit data in real time, often without the user’s explicit knowledge or consent. Therefore, it’s vital to ensure that any mobile app used by a Regulated Entity is fully compliant with HIPAA regulations.
HIPAA Compliance Obligations for Regulated Entities
Regulated Entities must take several steps to ensure HIPAA compliance when using tracking technologies:
- Privacy Rule: Ensure that any use of tracking technologies does not cause unauthorized disclosures of PHI. This involves regular audits and assessments of the tracking technologies in use to ensure they do not capture or transmit PHI without proper authorization [source].
- Security Rule: Implement adequate safeguards to protect the confidentiality, integrity, and availability of PHI involved in tracking, including securing any ePHI collected through these technologies in line with the HIPAA Security Rule. This includes encryption of data at rest and in transit, as well as ensuring that only authorized personnel have access to sensitive information [source].
- Breach Notification Rule: Follow the appropriate procedures for notifying affected individuals, HHS, and possibly the media, depending on the scale of the breach. Timely notification is crucial to mitigate the potential damage of a breach and to comply with regulatory requirements [source].
- Business Associate Agreements (BAAs): Mandatory whenever a third-party tracking technology vendor has access to or handles PHI. The agreement should clearly define the permissible uses and disclosures of PHI and the safeguards the vendor must apply. It’s essential to conduct due diligence on any third-party vendor to confirm it is capable of complying with HIPAA requirements [source].
Regulated Entities must also continuously educate their staff about HIPAA compliance and the specific risks associated with tracking technologies. This education should include regular training sessions and updates on the latest regulatory changes and best practices for maintaining compliance [source].
What does this mean for HIPAA compliance with tracking technologies going forward?
Regulated Entities must actively review and manage the technologies used on their websites and applications. They need to identify every tracking technology in use and ensure proper agreements are in place to limit or de-identify the data passed to third parties. Ask your organization’s business associates which technologies they use and whether they run any third-party tracking technologies that have not been properly identified and managed [source].
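The first step in the review above, and in auditing the analytics snippets and pixels described earlier, is simply knowing which third-party hosts a page loads resources from. The following is an added audit helper, not code from the OCR memo or from this article; the host list and the sample portal page are constructed assumptions, and a real inventory should be driven by your own vendor review.

```python
# Added example: inventory the third-party scripts and pixels a page loads.
# Not code from the OCR memo or the article; the tracker host list is an
# illustrative assumption and should come from your own vendor review.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts commonly used by the analytics products the article names.
KNOWN_TRACKERS = {
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Tag Manager / GA4",
    "connect.facebook.net": "Facebook Pixel (loader)",
    "www.facebook.com": "Facebook Pixel (image beacon)",
    "snap.licdn.com": "LinkedIn Insight Tag",
    "bat.bing.com": "Bing UET Pixel",
}

class _ResourceCollector(HTMLParser):
    """Collects the src of every script, img and iframe tag."""
    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "img", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.resources.append((tag, src))

def find_trackers(html, first_party_host):
    """Return (tag, host, vendor) for each resource from another host; unknown
    hosts are reported as 'unknown third party' rather than silently skipped."""
    collector = _ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, src in collector.resources:
        host = urlparse(src).hostname  # None for relative, first-party paths
        if host is None or host == first_party_host:
            continue
        findings.append((tag, host, KNOWN_TRACKERS.get(host, "unknown third party")))
    return findings

# Constructed sample: a patient-portal page that loads several trackers.
SAMPLE_PORTAL_PAGE = """<html><head>
<script src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="/static/portal.js"></script>
<script src="https://snap.licdn.com/li.lms-analytics/insight.min.js"></script>
</head><body>
<img src="https://www.facebook.com/tr?id=000&ev=PageView" height="1" width="1">
<img src="https://cdn.unknown-vendor.example/beacon.gif">
</body></html>"""
```

Running `find_trackers(SAMPLE_PORTAL_PAGE, "portal.example.org")` lists the tag manager, LinkedIn and Facebook resources plus the unrecognised beacon host, each of which needs a BAA, de-identification, or removal before it may run on an authenticated page.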
If you believe a third party received PHI without a BAA and proper controls in place, you should file a deletion request with that provider and may also need to submit a breach notification to OCR (45 CFR 164.400 et seq.) [source].
Understanding how the HIPAA Rules apply to tracking technologies is crucial for Regulated Entities. By adhering to these regulations, Regulated Entities can protect the privacy and security of PHI while still using tracking technologies to improve the user experience [source].
Additionally, entities should establish a robust compliance program that includes regular risk assessments, continuous monitoring of tracking technologies, and prompt response to potential breaches. This proactive approach will help mitigate risks and ensure ongoing compliance with HIPAA requirements [source].
As technology evolves, so must the strategies for ensuring compliance. Regulated Entities need to stay informed about new tracking technologies and their implications for HIPAA compliance. This involves not only understanding the technology itself but also the legal and regulatory landscape that governs its use [source].
Finally, legal, IT, and compliance departments within Regulated Entities must collaborate actively. By working together, they can ensure that tracking technologies enhance the user experience without compromising the privacy and security of PHI [source].