The Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) has issued clarification on the obligations of HIPAA-covered entities and business associates (regulated entities) under the HIPAA Privacy, Security, and Breach Notification Rules (HIPAA Rules) when using online tracking technologies. As the guidance defines them, tracking technologies are tools used to collect and analyze information about how users interact with regulated entities’ websites or mobile apps; the HIPAA Rules apply when the information collected through those technologies, or disclosed to tracking technology vendors, includes protected health information (PHI). “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosure of PHI to tracking technology vendors or any other violations of the HIPAA Rules.”
In other words, regulated entities may not use tracking technologies where impermissible disclosures of PHI to tracking technology vendors, or any other violations of the HIPAA Rules, would occur. “Regulated entities cannot use or disclose PHI without an individual’s written authorization, except as expressly permitted or required by the HIPAA Privacy Rule. See 45 CFR 164.502(a).”
There are several challenges, starting with the fact that many regulated entities did not contemplate the HIPAA implications of the services and tools, including tracking technologies, that they use for measuring web statistics, web and app usage, and other well-intended purposes such as improving the user experience.
But first, let’s explore whether the tracking technology creates a connection between users and their PHI. As with personally identifiable information (PII) regulations, it’s important to consider data classified as individually identifiable health information (IIHI), including an “individual’s medical record number, home or email address, or dates of appointments, as well as an individual’s IP address or geographic location, medical device IDs, or any unique identifying code.” The brief frames this, in concept, as two general use cases: authenticated users (including apps on PCs, mobile devices, and smartphones) and unauthenticated users.
User-authenticated webpages, mobile apps that store and pass the user’s identity, or any scenario that requires users to log in or provide their identities before they can access the webpage or app, typically mean that all collected data is associated with an identified user and is therefore regulated by HIPAA.
Unauthenticated access to data typically involves “webpage(s) that do not require users to log in before they are able to access the webpage, such as a webpage with general information about the regulated entity like their location, services they provide, or their policies and procedures. Tracking technologies on regulated entities’ unauthenticated webpages generally do not have access to individuals’ PHI; in this case, a regulated entity’s use of such tracking technologies is not regulated by the HIPAA Rules.” Two primary exceptions where tracking technologies are used on unauthenticated websites or apps include:
- Registration or form submissions, even without login, that may include PHI and create a connection to the user.
- Collection of an individual’s email address and/or IP address when the individual visits a regulated entity’s webpage to search for specific healthcare information (e.g., a disease or health issue) or available appointments. In that case, the regulated entity is disclosing PHI to the tracking technology vendor. This example shows how, over time, HIPAA may be expanded to cover non-regulated information providers whose tracking technologies may create a connection between a medical condition and a user, although state PII laws may already cover this situation.
Assuming the technology is embedded or necessary for business purposes, and is used on authenticated pages or falls within one of the unauthenticated exceptions above, a critical step is to establish a business associate agreement (BAA) with any tracking technology vendor that meets the definition of a business associate. “The BAA must specify the vendor’s permitted and required uses and disclosures of PHI and provide that the vendor will safeguard the PHI and report any security incidents, including breaches of unsecured PHI, to the regulated entity, among other requirements.”
Consistent with standing HIPAA BAA guidance, if a regulated entity does not want to create a business associate relationship with these vendors, or the chosen tracking technology vendor will not provide satisfactory written assurances in the form of a BAA that it will appropriately safeguard PHI, then the regulated entity cannot disclose PHI to that vendor without the individuals’ authorizations.
This article is for informational purposes only and is not a legal interpretation or guidance.