New Guidance from OCR Presents Challenges for HIPAA-Regulated Entities

In the midst of significant privacy changes in many U.S. states affecting tracking technologies such as cookies, pixels, and adtech, new lawsuits are alleging entities violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) via impermissible disclosure of protected health information due to the use of these technologies.

On Dec. 1, 2022, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) joined the discussion when it issued a bulletin warning that HIPAA “regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of [protected health information] to tracking technology vendors or any other violations of the HIPAA Rules.” It is important to note that the bulletin is not limited to use of tracking technologies by covered entities, but also applies to use of these tracking technologies by business associates.

Via the bulletin, OCR clarifies that personal information collected by tracking technologies on a HIPAA-regulated entity’s platform, website or mobile app (“Digital Platform”) can qualify as protected health information (PHI) subject to the HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”). OCR stated that any personal information collected on a HIPAA-regulated entity’s platform, website, or mobile app could be PHI, even if: (a) the individual does not have a relationship with the HIPAA-regulated entity or (b) the personal information does not include treatment or billing information (i.e., device information, IP address, or location information could be PHI). The bulletin also cautions that “disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures” under the HIPAA Rules. While a business associate agreement (BAA) could render a disclosure to a tracking technology vendor permissible, some tracking technology vendors may refuse BAAs as incompatible with their tracking technologies, as they cannot operate the tracking technologies as intended without violating the BAA.

Analyzing whether or not personal information collected via tracking technologies on a HIPAA-regulated entity’s Digital Platform is PHI, and whether use of such tracking technologies violates the HIPAA Rules, is a complex process requiring review of each tracking technology and its specific deployment on the Digital Platform.

Considerations for HIPAA-Regulated Entities

Given OCR’s guidance, HIPAA-regulated entities should consider immediately taking the following steps to reduce the risk associated with their use of tracking technologies:

  • Establish the Scope of Tracking Technology Use on Digital Platforms. Before a proper analysis of tracking technology-related HIPAA risk can be done, it is important to establish which platforms and technologies you are using. HIPAA-regulated entities may be unaware of which tracking technologies are deployed on which portions of their Digital Platforms. Tracking technologies can be deployed on websites, mobile apps, patient platforms, and more. Tracking technologies may also appear on unintended portions of a Digital Platform, such as inside a patient portal. Additionally, HIPAA-regulated entities may be unclear on which tracking technologies are sharing information with third parties.
  • Review Tracking Technology Use on Digital Platforms. HIPAA-regulated entities should review their Digital Platforms to determine: (1) whether personal information processed by tracking technologies could be PHI, and (2) whether any such tracking technologies may constitute an impermissible disclosure that violates the HIPAA Rules. This process is fact-specific to each tracking technology used and its specific deployment on the Digital Platform.
  • Don’t Rely on Cookie Banners. HIPAA-regulated entities may be using a cookie banner or similar consent mechanism for tracking technologies. However, the OCR bulletin stated that such banners are not a valid form of HIPAA authorization.
  • Update and Implement Business Associate Agreements. In certain scenarios, tracking technology risk can be reduced with a proper business associate agreement. HIPAA-regulated entities should (1) update their BAA templates to specifically contemplate tracking technologies, and (2) have the tracking vendors sign BAAs whenever possible.
Karin E. Ross


Karin E. Ross focuses her practice on data privacy, cybersecurity, and technology transactions. Karin has counseled a diverse array of companies from startups to Fortune 500 companies in both local and global markets. She works closely with clients on data privacy and security compliance programs and advises on existing and emerging privacy and data protection legislation, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Gramm Leach Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA). Her experience spans a range of industries including consumer goods, medical technology, financial services, e-commerce, and restaurants.

Tyler Thompson


Tyler J. Thompson advises clients on data privacy and protection, technology contracts and contract processes, websites and mobile apps, digital accessibility, social media, and direct to consumer marketing. Tyler offers clients practical and efficient legal counsel, striving to manage costs and risk with business-friendly strategies.

With deep experience in digital compliance, Tyler focuses on handling all aspects of a client’s website or mobile app to pursue compliance while maintaining the best user experience. His practice also focuses on creating enforceable digital agreements with platform users, whether that platform is a website, SaaS, mobile app, or video game.

Tyler has designed and implemented privacy programs for clients from Fortune 500s to startups, ensuring those clients are compliant with U.S. and international privacy laws. Tyler also advises on data retention and minimization, privacy by design, data inventories, and privacy impact assessments. Tyler is certified as a Fellow of Information Privacy (FIP) by the International Association of Privacy Professionals. In addition, he is a Certified Information Privacy Professional for the United States (CIPP/US), Europe (CIPP/E), Asia (CIPP/A) and Canada (CIPP/C), as well as a Certified Information Privacy Manager (CIPM) and Certified Information Privacy Technologist (CIPP/T). Tyler is also an ISACA Certified Data Privacy Solutions Engineer (CDPSE).

In the technology space, Tyler has provided guidance on open source software, digital marketing, software licensing, and SaaS agreements. He also works with clients to modernize commercial contracting processes and privacy practices, enabling in-house attorneys to function more efficiently and conserve resources.