
Online Tracking Technologies: What You Don’t Know Can Hurt Your Practice

No, Google Analytics Is Not HIPAA Compliant
David Bibbey, Dipl. Ac., LAc  |  DIGITAL EXCLUSIVE

Author’s Note: This article abbreviates the March 18, 2024, Office for Civil Rights (OCR) guidance bulletin; it features extensive direct excerpts from that bulletin’s original text.


How can you be sure that Google Analytics is not HIPAA compliant? Because Google clearly states it: “Google makes no representations that Google Analytics satisfies HIPAA requirements and does not offer Business Associate Agreements in connection with this service.”1

“The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Bulletin to highlight the obligations of health care providers2 and business associates3 (“regulated entities”) under the HIPAA Privacy, Security, and Breach Notification Rules when using online tracking technologies.4 OCR administers and enforces the HIPAA Rules by investigating complaints about regulated entities’ noncompliance with the HIPAA Rules. A regulated entity’s failure to comply with the HIPAA Rules may result in a civil money penalty.5

“Tracking technologies are used to collect and analyze information about how users interact with regulated entities’ websites or mobile applications. Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures6 of PHI to tracking technology vendors or any other violations of the HIPAA Rules. For example, disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures.7

“An impermissible disclosure of an individual’s PHI not only violates the Privacy Rule,8 but also may result in identity theft, financial loss, discrimination, stigma, mental anguish, or other serious negative consequences to the reputation, health, or physical safety of the individual or to others identified in the individual’s PHI. Such disclosures can reveal incredibly sensitive information about an individual, including diagnoses, frequency of visits to a therapist or other health care professionals, and where an individual seeks medical treatment.”

What Is a Tracking Technology?

“Generally, a tracking technology is a script or code on a website or mobile app used to gather information about users or their actions as they interact with a website or mobile app. After information is collected through tracking technologies from websites or mobile apps, it is then analyzed by owners of the website or mobile app, or third parties, to create insights about users’ online activities.”

How Do the HIPAA Rules Apply to Use of Tracking Technologies?

“Health care providers may be disclosing a variety of information to tracking technology vendors through tracking technologies placed on their website, such as information that the individual types or selects when they use the provider’s website. The information disclosed might include an individual’s home or email address, or dates of appointments, as well as an individual’s IP address or geographic location, device IDs, or any unique identifying code.9

“Information collected on a website is generally considered PHI, even if the individual does not have an existing relationship with the regulated entity and even if the information does not include specific treatment or billing information like dates and types of health care services.10 If the individual is looking for specific information related to a personal health concern, then tracking details about this individual likely meet the definition of PHI.11

“The information below highlights how the HIPAA Rules apply in the context of tracking on user-authenticated webpages and unauthenticated webpages, and within mobile apps.”

HIPAA Compliance for Regulated Entities When Using Tracking Technologies

“Regulated entities are required to comply with the HIPAA Rules when using tracking technologies. Some examples of the HIPAA Privacy, Security, and Breach Notification requirements that regulated entities must meet when using tracking technologies with access to PHI include:

  • Ensuring that all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule and that, unless an exception applies, only the minimum necessary PHI to achieve the intended purpose is disclosed.12
    • The Privacy Rule does not permit disclosures of PHI to a tracking technology vendor based solely on a regulated entity informing individuals in its privacy policy, notice, or terms and conditions of use that it plans to make such disclosures.
    • Regulated entities must ensure that all tracking technology vendors have signed a BAA.13
    • HIPAA-compliant authorizations are required before the PHI is disclosed to the vendor. Website banners that ask users to accept or reject a website’s use of tracking technologies, such as cookies, do not constitute a valid HIPAA authorization.
    • It is insufficient for a tracking technology vendor to agree to remove PHI from the information it receives or de-identify the PHI before the vendor saves the information. Any disclosure of PHI to the vendor without individuals’ authorizations requires the vendor to have a signed BAA in place and requires that there is an applicable Privacy Rule permission for disclosure.
  • Establishing a BAA with a tracking technology vendor that meets the definition of a “business associate.”
    • A regulated entity should evaluate its relationship with a tracking technology vendor to determine whether such vendor meets the definition of a business associate and ensure that the disclosures made to such vendor are permitted by the Privacy Rule. The BAA must specify the vendor’s permitted and required uses and disclosures of PHI and provide that the vendor will safeguard the PHI and report any security incidents, including breaches of unsecured PHI, to the regulated entity, among other requirements.14
    • If the chosen tracking technology vendor will not provide a BAA assuring that it will appropriately safeguard PHI, then the regulated entity can choose to establish a BAA with a Customer Data Platform15 vendor that will de-identify online tracking information that includes PHI and then disclose only de-identified information to tracking technology vendors that are unwilling to enter into a BAA with a regulated entity.
    • If a regulated entity does not want to create a business associate relationship with a vendor that meets the definition of business associate, it cannot disclose PHI to such a vendor without individuals’ authorizations.
  • Addressing the use of tracking technologies in the regulated entity’s Security Risk Analysis (SRA).16 Encrypting ePHI that is transmitted to the tracking technology vendor,17 and enabling and using appropriate authentication, access, encryption, and audit controls when accessing ePHI maintained in the tracking technology vendor’s infrastructure, are required to protect the ePHI.”18
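As an added illustration of the de-identification gate the Customer Data Platform bullet describes (this is example code written for this article, not code from the OCR bulletin, Google, or any CDP vendor), the function below strips the identifier fields the bulletin lists (IP address, email and home address, appointment dates, device IDs) from a constructed page-view event before anything is forwarded to a tracking vendor. The event field names are assumptions; no real tag sends exactly this shape.

```python
"""De-identify a web tracking event before it leaves the regulated entity.
Example code written for this article; field names below are assumed."""
import re
from urllib.parse import urlsplit, urlunsplit

# Fields the bulletin names as identifiers that may make tracking data PHI.
IDENTIFIER_FIELDS = {
    "ip", "email", "home_address", "geo", "device_id", "client_id",
    "user_id", "appointment_date",
}
# Dates inside free-text fields (e.g. "2024-09-03" or "9/3/2024").
DATE_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b")
URL_FIELDS = {"page_url", "referrer"}


def scrub_url(url: str) -> str:
    """Keep scheme, host and path only; the query string and fragment often
    carry search terms, symptoms or appointment details the visitor typed."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


def deidentify_event(event: dict) -> dict:
    """Return a copy of the event with identifier fields dropped, URLs reduced
    to their path, and dates in free-text fields replaced by a placeholder."""
    out = {}
    for key, value in event.items():
        if key in IDENTIFIER_FIELDS:
            continue  # never forward these to a vendor without a BAA
        if key in URL_FIELDS:
            out[key] = scrub_url(value)
        elif isinstance(value, str):
            out[key] = DATE_RE.sub("[date]", value)
        else:
            out[key] = value
    return out


# Constructed sample event resembling what a page-view tag might send.
SAMPLE_EVENT = {
    "event": "page_view",
    "page_url": "https://clinic.example/services/acupuncture?q=chronic+back+pain&appt=2024-09-03",
    "page_title": "Acupuncture for chronic pain",
    "referrer": "https://search.example/?q=back+pain+clinic",
    "ip": "203.0.113.7",
    "email": "patient@example.com",
    "device_id": "ab12-cd34",
    "note": "Follow-up booked 9/3/2024",
}

if __name__ == "__main__":
    print(deidentify_event(SAMPLE_EVENT))
```

Only what survives this function should reach a vendor that has not signed a BAA; the dropped fields stay inside the regulated entity (or its CDP business associate).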

References / Notes

  1. https://support.google.com/analytics/answer/13297105?hl=en.
  2. See 45 CFR 160.103 (definition of “Covered entity”).
  3. See 45 CFR 160.103 (definition of “Business associate”).
  4. See 45 CFR parts 160 and 164. See also OCR’s Fact Sheet on Direct Liability of Business Associates.
  5. See 42 USC 1320d-5; see also 45 CFR part 160, subpart D; and 2019 Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties, 84 FR 18151 (April 30, 2019). For more information on breach reporting, see also OCR’s Guidance on the Breach Notification Rule.
  6. Two examples are linked in the original bulletin.
  7. Regulated entities can use or disclose PHI, without an individual’s written authorization, only as expressly permitted or required by the HIPAA Privacy Rule. See 45 CFR 164.502(a).
  8. 45 CFR part 160 and subparts A and E of part 164.
  9. For more information on identifiers under the Privacy Rule, see 45 CFR 164.514(b).
  10. There are limited situations in which an IP address or geographic location by itself may not be PHI, such as where the individual uses a computer at a public library instead of using their personal electronic device. This is because the IP address or geographic location will not be related to the individual when using a public device. However, even in such cases, the IP address or geographic location from such devices, combined with any information provided by users through a webpage or mobile app, could be used to identify the individual and therefore may be PHI.
  11. See “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule,” 78 FR 5566, 5598 (Jan. 25, 2013).
  12. See 45 CFR 164.502(a), 45 CFR 164.502(b), and 45 CFR 164.514(d).
  13. See 45 CFR 164.502(a) and 164.502(e).
  14. For example, see 45 CFR 164.504(e); and 45 CFR 164.314(a). See also OCR’s Sample Business Associate Contract.
  15. A Customer Data Platform (CDP) is software that can combine data from multiple sources regarding customer interactions with a company's online presence to support a company's analytic and customer experience analysis. Some CDP vendors may be willing to work with regulated entities as their business associates and enter into appropriate business associate agreements. Such CDP vendors may include services providing for de-identification of online tracking data that contains PHI.
  16. See 45 CFR 164.308.
  17. A regulated entity must implement encryption for ePHI in transit and at rest if it is a reasonable and appropriate safeguard. If it is not reasonable and appropriate, the regulated entity must document why not and implement an equivalent alternative measure if reasonable and appropriate. See 45 CFR 164.312(a)(2)(iv); 45 CFR 164.312(e)(2)(ii); and 45 CFR 164.306(d). See also OCR’s HIPAA FAQ #2020.
  18. See 45 CFR 164.308(a)(4); 45 CFR 164.312(a); 45 CFR 164.312(b); and 45 CFR 164.312(d).
September 2024