HHS guidance on using online tracking technologies: How to make your analytics HIPAA-compliant
In December 2022, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued guidance on online tracking technology to HIPAA-covered entities. The bulletin details healthcare companies’ use of third-party cookies, pixels, and other tracking technologies and explains how HIPAA’s definition of protected health information (PHI) applies to the data those technologies collect.
HHS’s bulletin followed numerous class-action lawsuits filed against major health systems and hospitals alleging improper disclosure of patient information. The bulletin urges HIPAA-covered entities to evaluate how they use online tracking technologies.
This article will examine how HIPAA-covered entities can follow HHS’s guidance and their options for HIPAA-compliant and effective approaches to analytics.
The guidance on tracking technologies and its impact on your analytics
HHS’s guidance defines tracking technology as “a script or code on a website or mobile app used to gather information about users as they interact with the website or mobile app.” Examples include cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts.
The guidance explains that regulated entities disclose various pieces of information to tracking technology vendors through tracking technologies placed on their websites or mobile apps. Some of this data may include individually identifiable health information (IIHI), like someone’s:
- Medical record number
- Home or email address
- Dates of appointments
- IP address or geographic location
- Medical device IDs
- Any other unique identifying code
Healthcare information collected on a regulated entity’s website or app is considered PHI even if:
- The individual does not have an existing relationship with the regulated entity, and
- Data such as IP address or geographic location does not include specific treatment or billing information like dates and types of healthcare services.
According to HHS, the collection of such data indicates that the individual received or will receive services from the covered entity. As a result, it relates to the individual’s past, present, or future health, treatment, or payment for it.
The OCR’s bulletin also clarifies what parts of a website or app can contain PHI:
- User-authenticated pages (pages that require a user to log in) often contain PHI in the form of an individual’s IP address, medical record number, home or email address, dates of appointments, diagnosis, treatment or prescription information, etc.
- Unauthenticated pages generally do not have access to PHI, and such pages are not regulated by HIPAA. However, there are some exceptions:
  - The registration page where an individual creates a login will contain PHI once the individual enters credentials, such as a name or email address.
  - On a page addressing specific symptoms or health conditions, such as pregnancy or miscarriage, or one that lets individuals search for doctors or schedule appointments, the tracking technology vendor could still collect an individual’s email address and/or IP address.
- Mobile apps contain PHI provided by app users and their devices, such as fingerprints, network location, geolocation, device ID, or advertising ID. Exceptions include information that users voluntarily download or enter into apps that are not developed or offered by or on behalf of covered entities.
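The page categories above translate directly into an inventory check a covered entity can run against its own site. The following is an added example, not part of the HHS bulletin or of any vendor's tooling: it classifies each page with the bulletin's categories (authenticated; unauthenticated registration, condition or scheduling pages; other unauthenticated pages) and lists the third-party hosts that the page's script, img, iframe and link tags load, flagging third-party loads on PHI-bearing pages for review. The first-party domain, the path fragments used to spot the unauthenticated exceptions, and all page records and vendor hostnames are constructed placeholders.

```python
"""Inventory of third-party tracking technologies on a HIPAA-covered site.

Added example, not part of the HHS bulletin or any vendor's tooling. Each page
is classified with the bulletin's categories and the third-party hosts loaded
by its script, img, iframe and link tags are listed. Page records, the
first-party domain and the vendor hostnames below are constructed placeholders.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = "clinic.example"  # assumed first-party domain of the covered entity

# Path fragments matching the bulletin's unauthenticated exceptions (assumed list)
SENSITIVE_PATHS = ("register", "signup", "find-a-doctor", "schedule",
                   "appointment", "pregnancy", "miscarriage", "symptom", "condition")


class ResourceCollector(HTMLParser):
    """Collects the load targets of tags that commonly carry trackers."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.targets.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.targets.append(a["href"])


@dataclass
class Page:
    url: str
    html: str
    authenticated: bool = False


@dataclass
class Finding:
    url: str
    category: str
    third_party_hosts: list
    needs_review: bool


def classify(page):
    """Map a page onto the categories the bulletin uses."""
    if page.authenticated:
        return "authenticated"
    path = urlparse(page.url).path.lower()
    if any(fragment in path for fragment in SENSITIVE_PATHS):
        return "unauthenticated-exception"
    return "unauthenticated"


def third_party_hosts(html, first_party=FIRST_PARTY):
    """Hosts other than the first-party domain (and its subdomains) that the page loads from."""
    collector = ResourceCollector()
    collector.feed(html)
    hosts = set()
    for target in collector.targets:
        # Relative paths have no netloc; protocol-relative "//host/..." and absolute URLs do.
        host = urlparse(target).netloc.lower().split("@")[-1].split(":")[0]
        if host and host != first_party and not host.endswith("." + first_party):
            hosts.add(host)
    return sorted(hosts)


def audit(pages, first_party=FIRST_PARTY):
    """One Finding per page; needs_review marks third-party loads on PHI-bearing pages."""
    findings = []
    for page in pages:
        category = classify(page)
        hosts = third_party_hosts(page.html, first_party)
        needs_review = bool(hosts) and category != "unauthenticated"
        findings.append(Finding(page.url, category, hosts, needs_review))
    return findings


# Constructed sample pages; vendor hostnames are placeholders, not real services.
SAMPLE_PAGES = [
    Page("https://clinic.example/portal/results", authenticated=True, html=(
        '<script src="/static/app.js"></script>'
        '<script src="https://analytics-vendor.example/tag.js"></script>')),
    Page("https://clinic.example/register", html=(
        '<img src="//pixel-vendor.example/p.gif?ev=signup" width="1" height="1">')),
    Page("https://clinic.example/conditions/pregnancy", html=(
        '<iframe src="https://video-vendor.example/embed/42"></iframe>')),
    Page("https://clinic.example/about", html=(
        '<link rel="stylesheet" href="https://cdn.clinic.example/site.css">'
        '<script src="https://analytics-vendor.example/tag.js"></script>')),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_PAGES):
        flag = "REVIEW" if f.needs_review else "ok"
        print(f"{flag:6} {f.category:26} {f.url} -> {', '.join(f.third_party_hosts) or '-'}")
```

A third-party load is only an inventory item, not proof that PHI was transferred; the flagged pages are the ones where the bulletin says PHI is present, so each listed host on them needs to be matched against a BAA or the loading script removed or gated. A real run would feed the audit from a crawl or a tag-manager export rather than the embedded sample records.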
How healthcare organisations can comply with HIPAA and HHS guidance
HIPAA-covered entities must:
- Disclose the use of tracking technologies in their website or app’s privacy policy, terms and conditions, and similar notices. Such notices alone do not authorise passing PHI to vendors.
- Sign a business associate agreement (BAA) with a tracking technology vendor that meets the definition of a business associate before PHI is passed to the vendor. If a covered entity does not want to create a business associate relationship with the vendor or the vendor will not provide a satisfactory BAA, the entity must obtain an individual’s HIPAA-compliant authorisation before disclosing PHI to a vendor.
- Ensure that all disclosures of PHI to tracking technology vendors are permitted by HIPAA. Only the minimum necessary PHI should be shared for the intended purpose.
- Address the use of tracking technologies in their risk analysis and risk management processes. Implement appropriate administrative, physical, and technical safeguards (such as encryption and access, authentication, and audit controls) when they access ePHI stored in the tracking technology vendor’s infrastructure. These controls ensure that ePHI is protected from unauthorised access.
- Provide breach notifications to affected individuals, the Secretary, and the media (when applicable) when PHI is disclosed to a tracking technology vendor in a manner that breaches HIPAA requirements.
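The BAA and minimum-necessary obligations in the list above can be enforced in code as a gate in front of the analytics pipeline rather than left to policy alone. The block below is an added example, not the bulletin's own procedure or any analytics vendor's SDK: without a BAA on file it suppresses events from authenticated pages entirely and drops any forwarded value that looks like an identifier the bulletin names (email address, IP address, medical record number); with a BAA the allowlist still applies, extended by a small set of BAA-only fields. The field allowlists, the identifier heuristics and the sample events are constructed assumptions, and the BAA status would come from the organisation's vendor records.

```python
"""Minimum-necessary filter for analytics events before they reach a vendor.

Added example; not the HHS bulletin's own procedure or any vendor's SDK. Field
allowlists, identifier heuristics and sample events are constructed. The BAA
flag would be looked up from the organisation's vendor records.
"""
import re
from ipaddress import ip_address

# Fields treated as non-identifying and forwardable to any vendor (assumed allowlist)
ALWAYS_ALLOWED = {"event", "page_category", "timestamp", "referrer_domain", "viewport"}
# Fields that may be forwarded only under a signed BAA (assumed)
BAA_ONLY = {"user_id", "appointment_date"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
MRN_RE = re.compile(r"\bMRN[-: ]?\d{6,}\b", re.IGNORECASE)


def looks_like_iihi(value):
    """Heuristic for identifiers the bulletin names: email address, IP address, MRN."""
    if not isinstance(value, str):
        return False
    if EMAIL_RE.search(value) or MRN_RE.search(value):
        return True
    try:
        ip_address(value.strip())
        return True
    except ValueError:
        return False


def minimize_event(event, vendor_has_baa):
    """Return (forwardable_event_or_None, dropped_fields).

    Without a BAA, events from authenticated pages never leave (they are PHI by
    the bulletin's reading). In all cases only allowlisted fields are forwarded,
    identifier-looking values are stripped from the always-allowed fields, and
    BAA-only fields pass only when a BAA is in place.
    """
    if not vendor_has_baa and event.get("page_category") == "authenticated":
        return None, sorted(event)
    forwarded, dropped = {}, []
    for key, value in event.items():
        if key in ALWAYS_ALLOWED and not looks_like_iihi(value):
            forwarded[key] = value
        elif key in BAA_ONLY and vendor_has_baa:
            forwarded[key] = value
        else:
            dropped.append(key)  # goes to the audit log, never to the vendor
    return forwarded, sorted(dropped)


# Constructed sample events; values are placeholders (RFC 5737 test address, fake MRN).
SAMPLE_EVENTS = [
    {"event": "page_view", "page_category": "authenticated", "user_id": "u-4821",
     "email": "patient@example.org", "client_ip": "203.0.113.7",
     "referrer_domain": "search.example", "viewport": "1280x720"},
    {"event": "search", "page_category": "unauthenticated", "query": "MRN 00123456",
     "referrer_domain": "patient@example.org", "viewport": "390x844"},
]

if __name__ == "__main__":
    for has_baa in (False, True):
        print(f"--- vendor_has_baa={has_baa}")
        for ev in SAMPLE_EVENTS:
            out, dropped = minimize_event(ev, has_baa)
            print("forward:", out, "| dropped:", dropped)
```

The dropped-field list is what the audit controls in the list above should record: it shows, per event, which fields the gate withheld and why the vendor never saw them. Heuristics such as the MRN pattern are a backstop; the allowlist is the primary control, since only fields the organisation has explicitly justified as minimum necessary are ever forwarded.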
The bottom line
The HHS guidance on tracking technologies and other recent HIPAA developments give healthcare organisations little room for error in HIPAA compliance. Healthcare providers must remain alert to changes in the digital health industry as regulations and technology are continually evolving.
Above all, they should evaluate their analytics setup and understand their options for achieving HIPAA compliance. If the chosen vendor falls short of the requisite standards, they must be ready to pivot to a partner that meets their analytics needs and prioritises compliance to avoid damaging breaches.