Part One of a Two Part Series: OCR Guidance for Online Tracking Technologies
By: Jeanne E. Varner Powell, The Risk Team, Mutual Insurance Company of AZ (MICA)
Whether covered by HIPAA or not, entities with websites or apps that use pixels or other tracking technology to collect and share consumer health and other personally identifiable information with third parties should beware. The risk of class action lawsuits and regulatory investigations and enforcement actions is increasing. HIPAA covered entities and other businesses that handle this type of data will need to:
This two-part series highlights some of the recent developments in this area. Part One will provide an overview of online tracking technologies, and will focus on recent guidance from the Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”) for HIPAA covered entities addressing privacy concerns stemming from the use of online tracking technologies. Part Two will focus on enforcement by the Federal Trade Commission (“FTC”) of the Health Breach Notification Rule related to tracking technologies.
What are Tracking Technologies?
Organizations in various industries configure tracking technologies on their websites or mobile apps to monitor online visitors’ activity. As the user navigates the site, tracking technologies collect data about the user. The organization may use the data to assess website traffic, improve website functionality, or target visitors with online advertising. Website tracking technology includes cookies, web beacons, tracking pixels, and scripts. Mobile apps rely on embedded codes and may also capture a user’s mobile device-related information. Some technologies may continue to collect information and track users even after they leave the site. Although some organizations may develop their own trackers and analyze the data internally, more commonly an entity will contract with a technology vendor to supply the tracker. One example is the Meta (formerly Facebook) Pixel. Once a third-party tracker is installed, it sends data directly to the vendor for analysis.
When Trackers Improperly Share Consumers’ Data – the Risk of Class Actions
Pre-pandemic, prior to the proliferation of state privacy laws, plaintiffs’ lawyers were already filing class action lawsuits alleging improper sharing of sensitive data by health care systems using cookies, pixels, and other tracking technology on websites and apps. For example, Mass General Brigham and Dana-Farber Cancer Institute in Massachusetts agreed to pay $18.4 million to settle a 2019 class action alleging common law breach of fiduciary duty and invasion of privacy claims.[1] Plaintiffs were patients who accessed the defendants’ “informational websites.” The sites provided information about the defendants’ programs and services and were available for public access without any login or account registration requirement. Plaintiffs alleged defendants failed to obtain sufficient consent to the use of cookies and third-party web analytics tools on the sites.[2] Further, Plaintiffs alleged that the tools enabled improper disclosures to Facebook, Google, and others of personally identifiable information including patient status and details about patient communications with defendants’ sites.[3] There were no allegations that HIPAA-protected information was disclosed.[4]
In June 2022, The Markup published an article revealing that it found Meta Pixel embedded on one-third of the hospital appointment scheduling webpages it reviewed.[5] A second article published in December 2022 contained similar findings about the widespread use of web trackers by direct-to-consumer telehealth platforms.[6] The fallout from these articles is significant and continuing. The Markup article immediately prompted class action filings against Meta and a host of health care defendants, with Plaintiffs stating in their Complaints that they learned of the data collection and sharing practices through the article.[7] The article also prompted hospitals and other organizations to investigate exactly what data their website trackers were collecting and sharing.[8] Subsequently, in late 2022, multiple health care systems that investigated and then made breach reports to OCR were immediately slapped with class action lawsuits.[9] The lawsuits assert a mix of common law and federal and state statutory claims including wiretapping, negligent misrepresentation, invasion of privacy, breach of contract and/or fiduciary duty, and intrusion upon seclusion.[10]
OCR Issues Guidance to HIPAA Covered Entities Using Tracking Technologies
At the end of 2022, with class action filings on the rise, the OCR issued Guidance cautioning HIPAA covered entities and business associates about the use of tracking technologies. The HIPAA Privacy and Security Rules require providers, health plans, and health care clearinghouses (“covered entities” (CEs)) and their business associates to safeguard all protected health information (PHI)[11] they collect and maintain. In the Guidance, OCR takes the broad position that ALL individually identifiable health information (IIHI)[12] a tracker collects on a CE’s website or app “generally is PHI” and thus protected by the Security and Privacy Rules.[13] OCR considers this the case even when the individual and CE do not have an existing relationship or the IIHI does not contain specific treatment/billing information.[14]
Trackers on authenticated and unauthenticated pages of a CE’s website
The Guidance cautions that trackers on webpages requiring user login, such as patient portals or telehealth platforms, likely access PHI in the form of addresses, appointment dates, IP addresses and potentially even diagnoses or prescription, treatment, or billing information. OCR confirms that if tracking technologies do not access PHI, then HIPAA Rules do not apply.
The Guidance states that tracking technologies on unauthenticated webpages (i.e., no log in requirement) generally do not have access to PHI where the CE merely offers general information about location, policies and procedures, or services provided. OCR cautions, however, that trackers on some unauthenticated pages DO collect PHI and includes the following examples in the Guidance:
PHI collected by mobile apps
Some CEs offer mobile apps to help users manage their health information or pay bills. These apps collect information a user types in or uploads as well as information supplied by the user’s device, including fingerprints, network location, geolocation, device ID, or advertising ID. Per the Guidance, OCR considers all this data to be PHI that the CE is obligated to protect and secure.
OCR clarifies that HIPAA does not apply when individuals enter data into apps developed or offered by entities not subject to HIPAA. However, OCR suggests that the FTC Act and the Health Breach Notification Rule (as discussed in greater detail in Part Two of this Series) may apply in these situations if a mobile health app impermissibly discloses a user’s health information. As discussed in Part Two of this Series, just two months after OCR published this statement, the FTC settled a tracking technologies case against GoodRx (a business not subject to HIPAA) involving alleged improper disclosures of sensitive health information in violation of the FTC Act and the Health Breach Notification Rule.
HIPAA compliance when using trackers
CEs and business associates using tracking technologies should incorporate the following guidance from OCR[15] into their compliance programs:
Privacy Rule
- Ensure that the Privacy Rule permits disclosure[16] of PHI to the tracking technology vendor, mobile app vendor, or other third party (collectively, a “Vendor”) AND the CE has a signed business associate agreement (“BAA”)[17] with the Vendor BEFORE disclosing any PHI to the Vendor.
- IF the Privacy Rule permits disclosure, unless an exception applies, restrict the disclosure to include only the minimum necessary PHI to achieve the intended purpose.
- CEs must evaluate whether the Vendor meets HIPAA’s definition of a “business associate”[18] before asking for a signed BAA. If a Vendor does not fall within the definition, a signed BAA is worthless.
- The BAA must list the Vendor’s permitted and required uses and disclosures of PHI.
- The BAA must require the Vendor to safeguard the PHI and report any security incidents, including breaches of unsecured PHI to the CE. According to OCR, “It is insufficient for a tracking technology vendor to agree to remove PHI from the information it receives or de-identify the PHI before the vendor saves the information.”
- Some Vendors will not sign BAAs. In this case, even if the Vendor meets the business associate definition and the Privacy Rule permits the PHI disclosure, the CE must obtain a signed HIPAA authorization from the individual prior to sharing data with the Vendor.
- CEs may mention their use of tracking technologies in privacy policies, notices, or terms/conditions of use on a website or app. However, this does not cancel the CE’s obligation to obtain a BAA and ensure that the disclosure to the Vendor is permitted under the Privacy Rule prior to disclosing PHI to the Vendor.
- Where there is not an applicable Privacy Rule permission (e.g., disclosure is for marketing purposes) or there is no BAA, a CE must obtain a HIPAA-compliant authorization from the individual before disclosing PHI to a Vendor. A website banner that asks users to accept/reject the use of cookies or other tracking technologies DOES NOT substitute for a signed, valid HIPAA authorization.
Security Rule
- CEs and Business Associates must address the use of tracking technologies in the Risk Analysis and Risk Management processes required by the Security Rule.[19]
- CEs and Business Associates must implement administrative, physical, and technical safeguards to secure information collected by Vendors, including encrypting ePHI during transmission and enabling and using appropriate authentication, access, encryption, and audit controls to protect ePHI the Vendor maintains.
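The Risk Analysis step above starts with knowing which pages load third-party trackers and whether those pages sit behind a login. The following is an added example, not code from the article or from OCR: it parses page HTML for script, image (pixel) and iframe sources served from a host other than the CE’s own and labels each finding with the authenticated/unauthenticated distinction the Guidance draws. The hostnames and sample pages are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = "portal.example-hospital.invalid"  # assumed CE hostname (placeholder)

class TrackerFinder(HTMLParser):
    """Collects script/img/iframe sources served from hosts other than the CE's own."""
    def __init__(self):
        super().__init__()
        self.third_party = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "img", "iframe") and src:
            host = urlparse(src).netloc
            if host and host != FIRST_PARTY:
                self.third_party.append((tag, host))

def find_third_party(html):
    """Return [(tag, vendor_host), ...] for every third-party resource in the page."""
    parser = TrackerFinder()
    parser.feed(html)
    return parser.third_party

def assess(pages):
    """pages: {url: (authenticated, html)}. One finding per third-party resource,
    annotated with the risk note that follows from OCR's authenticated/unauthenticated split."""
    findings = []
    for url, (authenticated, html) in pages.items():
        for tag, host in find_third_party(html):
            if authenticated:
                note = "authenticated page: tracker likely receives PHI; BAA or HIPAA authorization required"
            else:
                note = "unauthenticated page: review what the tracker collects before assuming no PHI"
            findings.append({"url": url, "tag": tag, "vendor_host": host,
                             "authenticated": authenticated, "note": note})
    return findings

# Constructed sample pages (not real sites); .invalid hostnames are placeholders.
SAMPLE_PAGES = {
    "/patient-portal/appointments": (True,
        '<html><body><script src="https://ads.tracker-vendor.invalid/pixel.js"></script>'
        '<img src="https://ads.tracker-vendor.invalid/tr?ev=PageView" width="1" height="1">'
        '<img src="https://portal.example-hospital.invalid/logo.png"></body></html>'),
    "/locations": (False,
        '<html><body><script src="https://analytics.vendor.invalid/a.js"></script></body></html>'),
    "/privacy-policy": (False, "<html><body><p>No trackers here.</p></body></html>"),
}

if __name__ == "__main__":
    for finding in assess(SAMPLE_PAGES):
        print(finding)
```

The inventory feeds the Privacy Rule checks above: every vendor host it lists needs either a BAA and a permitted disclosure or an individual authorization.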
Breach Notification
- Where the disclosure of PHI to a Vendor violates the Privacy Rule, and the CE cannot demonstrate a low probability that the PHI was compromised, follow the Breach Notification Rule[20] requirements to provide notice to affected individuals, the Secretary, and, if applicable, the media.
[1] Notice of Class Action Settlement, John Doe and Jane Doe, et al. v. Partners Healthcare System, Inc., et al., No. 1984CV01651-BLS1, https://bit.ly/3skNluU; Groebe, L. (2022, February). HCCA Report on Patient Privacy, 22(2). https://compliancecosmos.org/patient-privacy-court-case-february-2022
[2] Notice of Class Action Settlement, John Doe and Jane Doe, et al. v. Partners Healthcare System, Inc., et al., No. 1984CV01651-BLS1, https://bit.ly/3skNluU
[3] Id.
[4] Id.
[5] Feathers, T., Fondrie-Teitler, S., Waller, A., & Mattu, S. (2022, June), Facebook is receiving sensitive medical information from hospital websites. The Markup. https://themarkup.org/pixel-hunt/2022/06/16/facebook-is-receiving-sensitive-medical-information-from-hospital-websites
[6] Feathers, T., Palmer, K., & Fondrie-Teitler, S. (2022, December), ‘Out of control’: Dozens of telehealth startups sent sensitive health information to big tech companies. Stat & The Markup. https://themarkup.org/pixel-hunt/2022/12/13/out-of-control-dozens-of-telehealth-startups-sent-sensitive-health-information-to-big-tech-companies or https://www.statnews.com/2022/12/13/telehealth-facebook-google-tracking-health-data/
[7] Muoio, D. & Burky, A. (2022, November), Advocate Aurora, WakeMed get served with class action over Meta’s alleged patient data mining. Fierce Healthcare. https://www.fiercehealthcare.com/health-tech/report-third-top-hospitals-websites-collecting-patient-data-facebook
[8] Id.; see also Fox, A. (2022, December), Community Health Network reports online tracking data breach affecting 1.5 million. Healthcare IT News. https://www.healthcareitnews.com/news/community-health-network-reports-online-tracking-data-breach-affecting-15-million
[9] Id.
[10] Cleary, J., Sternberg, P., Green, C., Marden, E., Harding, E., & Black, C. (2023, January), Litigation trends for 2023: Surge in web tracking class actions. The National Law Review. https://www.natlawreview.com/article/litigation-trends-2023-surge-web-tracking-class-actions
[11] PHI is individually identifiable health information transmitted or maintained in any form. See 45 CFR § 160.103.
[12] IIHI is generally a subset of health information collected from an individual, including demographic information, that is created or received by a covered entity (or its business associate); relates to an individual’s past, present, or future health condition, health care, or payment for health care; and identifies or can be used to identify the individual. See 45 CFR § 160.103.
[13] HHS, Use of Tracking Technologies by HIPAA Covered Entities and Business Associates. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html. According to OCR, such information might include medical record numbers, home or email addresses, dates of appointments, an IP address or geographic location linked to the individual, medical device IDs, or any unique identifying code.
[14] Id. OCR’s rationale is that collection of IIHI through an entity’s website/app creates a connection between the individual and the CE because it indicates the CE will provide services to the individual and thus relates to past, present, or future health, health care or payment for care.
[15] Id.
[16] See 45 CFR § 164.502(a)(1) regarding permissible disclosures.
[17] HHS offers guidance and a model agreement at https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.
[18] 45 CFR § 160.103 (business associate definition). For more information about business associates see https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html.
[19] HHS offers guidance on compliance with the Security Rule at https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html?language=es.
[20] 45 CFR §§ 164.400-414.