
HHS: Online trackers without prior authorization and BAAs can violate HIPAA

By Steve Roosa, Sue Ross, Dan Rosenzweig

On the evening of December 1, 2022, the U.S. Department of Health and Human Services (HHS) issued a 12-page Bulletin titled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” (the “Bulletin”).  In the Bulletin, HHS stated that when covered entities use third-party trackers on websites or mobile applications with functions that collect or obtain protected health information (PHI), those uses may be treated as impermissible disclosures (see 45 CFR 164.502(a)).  To avoid that treatment, covered entities would need, among other things, to have a business associate agreement (BAA) with that third party or a valid HIPAA authorization.

Importantly, the guidance applies to all third-party tracking technologies, even those deployed to improve the overall functionality of the site or to collect general metrics on user interactions with the site or app (e.g., a standard analytics cookie).  The guidance can also apply to areas of apps or websites that, at first glance, are not squarely in scope for HIPAA (e.g., a covered entity’s website page that lets you search for open appointments).

These rules come on the back of additional guidance issued by the FTC regarding the Health Breach Notification Rule, which tightened information-sharing rules for health-information apps that are not subject to HIPAA.

Below we provide: (1) an Overview of the Bulletin and (2) Technical Steps You Can Take.

(1) Overview of the Bulletin

The Bulletin’s key section appears after a description of these tracking technologies and how they work on both websites and mobile apps.  In short:

  • “Regulated entities may identify the use of tracking technologies in their website or mobile app’s privacy policy, notice or terms and conditions of use” – but this is not enough.  Because the receiving entity will be processing PHI on behalf of a covered entity, a BAA is required.
  • Tracking technologies may require a BAA even when the site collects information where there is no patient relationship yet (i.e., before the individual has a relationship with the covered entity) or when the user is on an “unauthenticated page” of the website or app.  The tracking technologies may collect information that could be “indicative that the individual has received or will receive health care services or benefits from the covered entity, and thus relates to the individual’s past, present, or future health or health care or payment for care.”  The example provided in the guidance is that even information collected on a patient portal registration page, where only a name and email address are collected to create an account, may be considered PHI.
  • Without a permissible use, or if the vendor is not a business associate, a covered entity needs a HIPAA-compliant authorization.  As HHS plainly puts it, “Website banners that ask users to accept or reject a website’s use of tracking technologies, such as cookies, do not constitute a valid HIPAA authorization.”
  • Deidentification is not a compliance mechanism.  Even if the tracking technology vendor deidentifies the information, the initial capture of that information requires a BAA and a permissible purpose, or an authorization.

Therefore, many commonly used website disclosures and tools do not meet HHS’s requirements:

  • A covered entity/business associate discloses in its website privacy policy or terms that it uses trackers.  On its own this is insufficient under HIPAA, according to HHS – potentially for both authenticated and unauthenticated areas of the website and app.
  • A covered entity/business associate uses a cookie banner that asks a user to accept or reject cookies, including trackers.  Insufficient, because this consent does not meet HIPAA’s authorization requirements.
  • The tracking vendor says it will de-identify all data before saving the information.  Insufficient, because the data as collected is still PHI.

BAA or Else

With respect to third-party trackers, HHS gave covered entities/business associates a choice: execute a BAA and manage the relationship in compliance with HIPAA, or do not disclose PHI.  In other words, sign a BAA or disable third-party tracking.

If the covered entity determines that the vendor is a business associate and obtains a signed BAA, HHS pointed out that the covered entity must also address the use of tracking technologies in its Risk Analysis and Risk Management processes, and comply with the Security Rule (potentially including encryption of the PHI transmitted to the tracking vendor).

(2) Technical Steps You Can Take

If your organization is a covered entity or business associate using these technologies on any sites or apps, below are some technical steps you can take to help your compliance efforts.

  1. Determine which trackers are on any site/app that you develop or offer that can include PHI.
  2. Learn whether these trackers are developed/offered by you (so-called “first-party trackers”) or by third parties (and, if by third parties, which category of third party, such as targeting/advertising, analytics, etc.).  Note that a BAA will not be a viable solution for targeted advertising, which would be considered marketing under HIPAA; in those cases, additional restrictions apply.
  3. If there are third-party trackers, find out which third parties are involved, and whether your organization:
    a. has a BAA in place with each; and/or
    b. prefers to remove these third parties from your site/app.  Note that even third parties that only provide analytics information are in scope.  Also be on the lookout for trackers that were inadvertently placed on your site, particularly on unauthenticated pages, which historically have been less stringently controlled.
  4. Determine whether the site or app can obtain a HIPAA-compliant authorization from the user prior to the disclosure of PHI to the third-party tracker.  Authorizations are subject to the stringent requirements set out at § 164.508(b).
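The following script is an added example of how steps 1 through 3 above can be turned into a repeatable inventory; it is not code from the HHS Bulletin or from NT Analyzer. It takes the resource URLs and cookies captured while browsing a page (the kind of data a browser’s network tab or a HAR export provides), separates first-party from third-party hosts, and reports, per third-party vendor, its category, whether a BAA is on file, and the resulting action. The domain `example-health.test`, the vendor hostnames, the category table and the BAA list are all constructed sample data; a real run would populate them from your own capture and vendor records.

```python
"""Third-party tracker inventory for a captured page (added example).

All hostnames, categories and BAA records in this file are constructed.
"""
from urllib.parse import urlparse

# Constructed: the covered entity's own registrable domain.
FIRST_PARTY_DOMAIN = "example-health.test"

# Constructed vendor categories, keyed by registrable domain. In practice this
# table comes from your vendor inventory, not from the capture itself.
VENDOR_CATEGORIES = {
    "vendor-a.test": "analytics",
    "vendor-b.test": "targeted advertising",
    "vendor-c.test": "content delivery",
}

# Constructed: vendors with a signed BAA on file.
BAA_ON_FILE = {"vendor-a.test"}

# Constructed sample capture: requests seen while loading an (unauthenticated)
# patient-portal registration page, plus the cookies set afterwards.
SAMPLE_REQUESTS = [
    "https://www.example-health.test/register",
    "https://www.example-health.test/static/app.js",
    "https://analytics.vendor-a.test/collect?ev=pageview&page=/register",
    "https://ads.vendor-b.test/pixel.gif?uid=123",
    "https://cdn.vendor-c.test/lib/widget.min.js",
]
SAMPLE_COOKIES = [  # (cookie name, cookie domain attribute)
    ("sid", "www.example-health.test"),
    ("_va", ".vendor-a.test"),
    ("adid", ".vendor-b.test"),
]


def registrable_domain(host):
    """Naive eTLD+1: last two labels. Adequate for the sample data; real code
    should use the Public Suffix List to handle domains like co.uk."""
    parts = host.lower().lstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def is_first_party(host):
    return registrable_domain(host) == FIRST_PARTY_DOMAIN


def inventory(requests, cookies):
    """Group every third-party request and cookie by vendor domain (steps 1-3)."""
    findings = {}

    def entry(domain):
        return findings.setdefault(domain, {
            "category": VENDOR_CATEGORIES.get(domain, "unknown"),
            "requests": 0,
            "cookies": [],
            "baa": domain in BAA_ON_FILE,
        })

    for url in requests:
        host = urlparse(url).hostname
        if host and not is_first_party(host):
            entry(registrable_domain(host))["requests"] += 1
    for name, domain in cookies:
        if not is_first_party(domain):
            entry(registrable_domain(domain))["cookies"].append(name)
    return findings


def action_items(findings):
    """Map each third-party vendor to the action the Bulletin's choice implies."""
    items = []
    for domain, f in sorted(findings.items()):
        if f["category"] == "targeted advertising":
            # A BAA does not make marketing/targeted advertising permissible.
            items.append((domain, "remove: targeted advertising is marketing under HIPAA"))
        elif not f["baa"]:
            items.append((domain, "no BAA on file: sign a BAA or remove the tracker"))
        else:
            items.append((domain, "BAA on file: cover in risk analysis; confirm PHI in transit is encrypted"))
    return items


if __name__ == "__main__":
    found = inventory(SAMPLE_REQUESTS, SAMPLE_COOKIES)
    for domain, f in sorted(found.items()):
        print(f"{domain}: {f['category']}, {f['requests']} request(s), "
              f"cookies={f['cookies']}, BAA={'yes' if f['baa'] else 'no'}")
    for domain, action in action_items(found):
        print(f"  -> {domain}: {action}")
```

Run it against a real capture by replacing the two sample lists with the URLs and cookies exported from the browser; anything the script classifies as "unknown" is a vendor you have not yet categorized, which is exactly the inadvertently placed tracker step 3(b) warns about.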

Our Take:

This guidance restates HIPAA’s position with regard to third-party tracking technologies used for marketing or targeted advertising.  But the guidance potentially introduces and broadens HIPAA’s scope in two ways.  First, tracking technologies of all stripes are potentially in scope.  Second, sites that do not squarely collect PHI, like a registration page or a covered entity’s homepage, may be in scope for HIPAA.

Reach out for more information on how we can help your organization meet its HIPAA and privacy requirements.  You may consider using NT Analyzer, our firm’s in-house technical privacy compliance tool suite, to complete these steps.  Indeed, the HHS Bulletin, like many other privacy trends (e.g., CCPA, mobile app store requirements, etc.), reinforces the importance of organizations using technical frameworks to inform and comply with their privacy requirements.

NT Analyzer is a practical tool suite for managing privacy compliance in mobile apps, websites, and IoT. The tool detects and tracks the full range of data, including PHI and PII, that is collected and shared, and then generates actionable reports through the lens of applicable privacy requirements, such as HIPAA.