- December 15, 2022
- Alerts
Online Tracking Technologies Can Lead to HIPAA Violations
The Department of Health and Human Services, Office of Civil Rights (“OCR”) has published a Bulletin which officially states that incorporating certain tracking technologies into websites and mobile applications may cause HIPAA violations that could result in breach notification obligations as well as penalties. This includes platforms and services provided by companies like Meta (formerly Facebook) and Google.
What Is a Tracking Technology?
The main technologies of concern are those that enable third party tracking capabilities, which are typically third party cookies, pixels or web beacons. These technologies use software code or scripts that allow a website or mobile app to collect and analyze information about how specific users interact with a platform. These technologies are typically associated with advertising, online behavioral tracking, and analytics. The problem arises when the information that is gathered is PHI.
Where Are Tracking Technologies Used?
Authenticated pages that require patients to enter login credentials are most likely to provide tracking technologies with access to PHI, and therefore, create the most significant risk for HIPAA violations unless appropriate safeguards are put into place. However, use of tracking technology on unauthenticated pages, such as those describing symptoms or listing providers, may also implicate HIPAA under certain circumstances. Mobile applications enabled with tracking technologies may also have access to identifiable user data from the patient’s mobile device.
Can a Covered Entity Use a Tracking Technology Vendor?
Covered Entities may use these tracking technologies but only if (a) any technology vendor which has access to PHI is a Business Associate and has signed a Business Associate Agreement; or (b) each individual accessing the website has signed a HIPAA-compliant authorization allowing such disclosure. Although it may be good practice to disclose the use of tracking technologies in online terms or Notice of Privacy Practice, this by itself is not sufficient to permit the disclosure of PHI to a tracking technology vendor. Similarly, website banners that ask users to accept or reject tracking cookies are insufficient for HIPAA compliance.
What Do I Do Next?
Covered Entities need to take immediate steps to identify their uses of tracking technologies and whether there are appropriate safeguards in place to prevent inappropriate use or disclosure of PHI.
What Is a Tracking Technology?
The main technologies of concern are those that enable third party tracking capabilities, which are typically third party cookies, pixels or web beacons. These technologies use software code or scripts that allow a website or mobile app to collect and analyze information about how specific users interact with a platform. These technologies are typically associated with advertising, online behavioral tracking, and analytics. The problem arises when the information that is gathered is PHI.
Where Are Tracking Technologies Used?
Authenticated pages that require patients to enter login credentials are most likely to provide tracking technologies with access to PHI, and therefore, create the most significant risk for HIPAA violations unless appropriate safeguards are put into place. However, use of tracking technology on unauthenticated pages, such as those describing symptoms or listing providers, may also implicate HIPAA under certain circumstances. Mobile applications enabled with tracking technologies may also have access to identifiable user data from the patient’s mobile device.
Can a Covered Entity Use a Tracking Technology Vendor?
Covered Entities may use these tracking technologies but only if (a) any technology vendor which has access to PHI is a Business Associate and has signed a Business Associate Agreement; or (b) each individual accessing the website has signed a HIPAA-compliant authorization allowing such disclosure. Although it may be good practice to disclose the use of tracking technologies in online terms or Notice of Privacy Practice, this by itself is not sufficient to permit the disclosure of PHI to a tracking technology vendor. Similarly, website banners that ask users to accept or reject tracking cookies are insufficient for HIPAA compliance.
What Do I Do Next?
Covered Entities need to take immediate steps to identify their uses of tracking technologies and whether there are appropriate safeguards in place to prevent inappropriate use or disclosure of PHI.
For more information, please contact the authors or your regular Garfunkel Wild contact.