
On March 18, 2024, the US Department of Health and Human Services (HHS) issued an updated, 17-page Bulletin titled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” (the Bulletin). Our readers may recall that HHS originally issued the Bulletin in December 2022, which we summarized here. HHS’ changes are generally clarifications and additional examples. This post focuses on the changes to the original guidance.

The original and updated guidance applies to all third-party tracking technologies, even those deployed to improve the overall functionality of the site or to collect general metrics on user interactions with the site or app (e.g., a standard analytics cookie). The guidance can apply to areas of apps or websites that, at first glance, are not squarely in scope for HIPAA (e.g., the page on a covered entity’s website that lets you search for open appointments).

What changed?

Our readers may recall that HHS took a very broad view of the information that could constitute Protected Health Information (PHI) or Individually Identifiable Health Information (IIHI) whose disclosure to tracking vendors could potentially violate HIPAA. One clarification that the updated guidance provides is the statement that “the mere fact that an online tracking technology connects the IP address of a user’s device (or other identifying information) with a visit to a webpage addressing specific health conditions or listing health care providers is not a sufficient combination of information to constitute IIHI if the visit to the webpage is not related.”

With respect to information collected from a visitor on a covered entity’s webpage that is accessible without logging in (an unauthenticated webpage), the updated guidance states that such visits “do not result in a disclosure of PHI to tracking technology vendor if the online tracking technologies on the webpages do not have access to information that relates to any individual’s past, present, or future health, health care, or payment for health care.” Under the new examples:

A visitor to a hospital’s public webpage for job postings or visitor hours does not disclose IIHI, so HIPAA would not apply.

If tracking technologies collect an individual’s email address, or the reason for seeking health care typed or selected by the individual, when that individual visits a regulated entity’s webpage to make an appointment with a health care provider or enters symptoms in an online tool to obtain a health analysis, HIPAA would apply. The regulated entity would then need a BAA with the tracking technology vendor or a HIPAA-compliant authorization from the user.

On the other hand, HHS provided two examples, both involving a visitor to a hospital’s oncology page, that a covered entity cannot tell apart by looking at the data it actually collects:

If a student were writing a term paper on the changes in the availability of oncology services before and after the COVID-19 public health emergency, the collection and transmission of information showing that the student visited a hospital’s webpage listing the oncology services provided by the hospital would not constitute a disclosure of PHI, even if the information could be used to identify the student …

However, if an individual were looking at a hospital’s webpage listing its oncology services to seek a second opinion on treatment options for their brain tumor, the collection and transmission of the individual’s IP address, geographic location, or other identifying information showing their visit to that webpage is a disclosure of PHI to the extent that the information is both identifiable and related to the individual’s health or future health care.

HHS added a new example with respect to mobile apps:

[A] patient might use a health clinic’s diabetes management mobile app to track health information such as glucose levels and insulin doses. In this example, the transmission of information to a tracking technology vendor as a result of using such app would be disclosure of PHI because the individual’s use of the app is related to an individual’s health condition (i.e., diabetes) and that, together with any individually identifying information (e.g., name, mobile number, IP address, device ID) meets the definition of IIHI. 

HHS also added a paragraph on its enforcement priorities, including the following: 

OCR is prioritizing compliance with the HIPAA Security Rule in investigations into the use of online tracking technologies. OCR’s principal interest in this area is ensuring that regulated entities have identified, assessed, and mitigated the risks to ePHI when using online tracking technologies and have implemented the Security Rule requirements to ensure the confidentiality, integrity, and availability of ePHI…

Technical steps you can take

If your organization is a covered entity or business associate using these technologies on any sites or apps, below are some technical steps you can take to help your compliance efforts.

  1. Determine which trackers are on any site/app that you develop or offer that can include PHI.
  2. Learn whether these trackers are developed/offered by you (so-called “first-party trackers”) or whether they are offered by third parties (and if by third parties, which category of third party, such as targeting/advertising, analytics, etc.). Note, a BAA will not be a viable solution for targeted advertising, which would be considered marketing under HIPAA. In those cases, additional restrictions would apply. 
  3. If there are third-party trackers, find out which third parties are involved, and whether your organization:
    a. has a BAA in place with each; and/or
    b. prefers to remove these third parties from your site/app. Note that even third parties that provide analytics information are in scope. Also be on the lookout for trackers that were inadvertently placed on your site, particularly on unauthenticated sites that historically have been less stringently controlled.
  4. Determine whether the site or app can obtain a HIPAA-compliant authorization from the user before PHI is disclosed to the third-party tracker. Authorizations are subject to the stringent requirements set out at § 164.508(b).
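The first three steps above amount to an inventory: find every host a page pulls resources from, decide whether it is first- or third-party, categorize it, and check whether a BAA covers it. The following script is an added example (not part of the original post and not NT Analyzer code) that does this for a single page. The hospital domain, the vendor hosts, the tracker catalogue and the BAA list are all hypothetical, and the sample HTML is constructed for the example. It also generalizes beyond static HTML: because a tag manager injects trackers at runtime that never appear in the page source, `classify_urls` accepts any list of observed request URLs (for instance, the entries of a browser HAR capture) and classifies them the same way.

```python
"""Inventory the resources a page loads, classify each host as first- or
third-party, categorize it, and map it to the compliance step it needs.

Added example; the hospital domain, vendor hosts, catalogue and BAA list are
hypothetical, and the sample page is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical first-party domain of the covered entity's site (assumption).
FIRST_PARTY_DOMAIN = "example-hospital.org"

# Hypothetical tracker catalogue: host -> category. A real inventory would use
# a maintained tracker list; these hosts are constructed for the example.
TRACKER_CATALOGUE = {
    "tags.example-tagmanager.com": "tag manager",
    "pixel.example-adnetwork.com": "advertising",
    "analytics.example-metrics.com": "analytics",
}

# Hypothetical set of third-party hosts whose vendor has signed a BAA.
BAA_VENDORS = {"analytics.example-metrics.com"}

# Constructed sample page: a first-party script and CDN, a tag manager, an ad
# pixel on a protocol-relative URL, an embedded map and an analytics script.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://tags.example-tagmanager.com/gtm.js?id=X"></script>
<link rel="stylesheet" href="https://cdn.example-hospital.org/site.css">
</head><body>
<img src="//pixel.example-adnetwork.com/p.gif?ev=pageview" width="1" height="1">
<iframe src="https://maps.example-maps.com/embed"></iframe>
<script src="https://analytics.example-metrics.com/collect.js"></script>
</body></html>
"""


class _ResourceCollector(HTMLParser):
    """Collects the URLs of script, image, iframe and link resources."""

    TAG_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.TAG_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value)


def registrable_domain(host):
    """Crude eTLD+1: the last two labels. Assumes no multi-label public
    suffixes such as co.uk; use a public-suffix library for real sites."""
    return ".".join(host.lower().split(".")[-2:])


def classify_urls(urls, first_party_domain, catalogue):
    """Classify each distinct host in `urls` (from HTML or a HAR capture)."""
    findings, seen = [], set()
    for url in urls:
        host = urlparse(url).netloc.lower()
        # Relative URLs (no host) are served by the site itself; skip them.
        if not host or host in seen:
            continue
        seen.add(host)
        party = "first" if registrable_domain(host) == first_party_domain else "third"
        findings.append({"host": host, "party": party,
                         "category": catalogue.get(host, "unknown")})
    return findings


def inventory_html(html, first_party_domain, catalogue):
    """Static inventory of one page. Misses trackers injected at runtime (e.g.
    by a tag manager); for those, feed observed request URLs to classify_urls."""
    collector = _ResourceCollector()
    collector.feed(html)
    return classify_urls(collector.urls, first_party_domain, catalogue)


def required_action(finding, baa_vendors):
    """Map a finding to the compliance step from the checklist above."""
    if finding["party"] == "first":
        return "first-party"
    if finding["category"] == "advertising":
        # Targeted advertising is marketing under HIPAA; a BAA does not cover it.
        return "marketing-remove-or-authorize"
    if finding["host"] in baa_vendors:
        return "covered-by-baa"
    return "needs-baa-or-authorization"


if __name__ == "__main__":
    for f in inventory_html(SAMPLE_HTML, FIRST_PARTY_DOMAIN, TRACKER_CATALOGUE):
        print(f"{f['host']:32} {f['party']:5} {f['category']:12} "
              f"{required_action(f, BAA_VENDORS)}")
```

Two caveats for real use: the registrable-domain check is deliberately crude, so a site under a multi-label suffix needs a public-suffix list, and the static parse is a floor, not a ceiling. Run the same classification over a network capture of an authenticated session as well, since the unauthenticated page is exactly where the Bulletin says inadvertently placed trackers tend to hide.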

Our Take

This guidance restates HIPAA’s position with regard to third-party tracking technologies used for marketing or targeted advertising. But the guidance potentially broadens HIPAA’s scope in two ways. First, tracking technologies of all stripes are potentially in scope, not only advertising trackers. Second, sites that do not squarely collect PHI, like a registration page or a covered entity’s homepage, may be in scope for HIPAA depending on why a particular visitor is there.

Reach out for more information on how we can help your organization meet its HIPAA and privacy requirements. You may consider utilizing NT Analyzer, our firm’s in-house technical privacy compliance tool suite, to complete these steps. Indeed, the HHS Bulletin, like many other privacy trends (e.g., CCPA, mobile app store requirements, etc.), reinforces the importance for organizations to utilize technical frameworks to inform and comply with their privacy requirements.

NT Analyzer is a practical tool suite for managing privacy compliance in mobile apps, websites, and IoT. The tool detects and tracks the full range of data, including PHI and PII, that is collected and shared, and then generates actionable reports through the lens of applicable privacy requirements, such as HIPAA. Click here to request a demo.