New Guidance from OCR Presents Challenges for HIPAA-Regulated Entities
In the midst of significant privacy changes in many U.S. states affecting tracking technologies such as cookies, pixels, and adtech, new lawsuits are alleging entities violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) via impermissible disclosure of protected health information due to the use of these technologies.
On Dec. 1, 2022, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) joined the discussion when it issued a bulletin warning that HIPAA “regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of [protected health information] to tracking technology vendors or any other violations of the HIPAA Rules.” It is important to note that the bulletin is not limited to use of tracking technologies by covered entities, but also applies to use of these tracking technologies by business associates.
Via the bulletin, OCR clarifies that personal information collected by tracking technologies on a HIPAA-regulated entity’s platform, website or mobile app (“Digital Platform”) can qualify as protected health information (PHI) subject to the HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”). OCR stated that any personal information collected on a HIPAA-regulated entity’s platform, website, or mobile app could be PHI, even if: (a) the individual does not have a relationship with the HIPAA-regulated entity or (b) the personal information does not include treatment or billing information (e.g., device information, IP address, or location information could be PHI). The bulletin also cautions that “disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures” under the HIPAA Rules. While a business associate agreement (BAA) could render a disclosure to a tracking technology vendor permissible, some tracking technology vendors may refuse to sign BAAs as incompatible with their tracking technologies, because they cannot operate the tracking technologies as intended without violating the BAA.
Analyzing whether or not personal information collected via tracking technologies on a HIPAA-regulated entity’s Digital Platform is PHI, and whether use of such tracking technologies violates the HIPAA Rules, is a complex process requiring review of each tracking technology and its specific deployment on the Digital Platform.
Considerations for HIPAA-Regulated Entities
Given OCR’s guidance, HIPAA-regulated entities should consider immediately taking the following steps to reduce the risk associated with their use of tracking technologies:
- Establish the Scope of Tracking Technology Use on Digital Platforms. Before a proper analysis of tracking technology-related HIPAA risk can be done, it is important to establish which platforms and technologies you are using. HIPAA-regulated entities may be unaware of which tracking technologies are deployed on which portions of their Digital Platforms. Tracking technologies can be deployed on websites, mobile apps, patient platforms, and more. Tracking technologies may also appear on unintended portions of a Digital Platform, such as inside a patient portal. Additionally, HIPAA-regulated entities may be unclear on which tracking technologies are sharing information with third parties.
- Review Tracking Technology Use on Digital Platforms. HIPAA-regulated entities should review their Digital Platforms to determine: (1) whether personal information processed by tracking technologies could be PHI, and (2) whether any such tracking technologies may constitute an impermissible disclosure that violates the HIPAA Rules. This process is fact-specific to each tracking technology used and its specific deployment on the Digital Platform.
- Don’t Rely on Cookie Banners. HIPAA-regulated entities may be using a cookie banner or similar mechanism to obtain consent for tracking technologies. However, the OCR bulletin stated that such banners are not a valid form of HIPAA authorization.
- Update and Implement Business Associate Agreements. In certain scenarios, tracking technology risk can be reduced with a proper business associate agreement. HIPAA-regulated entities should (1) update their BAA templates to specifically contemplate tracking technologies, and (2) have tracking technology vendors sign BAAs whenever possible.