HIPAA Implications of Using Web and App Data Tracking Tech

The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) updated its guidance in mid-March on the “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” to highlight and clarify the responsibilities of entities subject to the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”) — namely Covered Entities and Business Associates — that use tracking technologies. These technologies, such as Google Analytics or Meta Pixel, may implicate certain prohibitions, restrictions and obligations under the HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”). The guidance is also aimed at better informing the public about the protections afforded under HIPAA when their data is collected and analyzed by these services to determine how users interact with a regulated entity’s website or app.

Regulated entities may use these tracking technologies subject to the HIPAA Rules, which are implicated when the collected information includes electronic protected health information (“ePHI”). A regulated entity would be prohibited from using tracking tech in such a way that results in ePHI being impermissibly disclosed. This much is obvious, but in light of the ubiquity of such tracking technology, OCR wanted to make sure this updated guidance was front-of-mind for HIPAA-regulated entities.

The guidance provides a description of tracking technology, an explanation of how the HIPAA Rules apply to such tech, and tips for maintaining HIPAA compliance while tracking on apps, authenticated websites and unauthenticated websites. As updated, the guidance also provides:

  • More examples of when unauthenticated webpage visits may involve the disclosure of ePHI;
  • Additional tips for complying with the HIPAA Rules when using online tracking technologies; and
  • A section describing OCR’s enforcement priorities in investigations involving this topic.

OCR makes clear that the HIPAA Rules are not compliance ends in themselves, but that a violation of the Privacy Rule through impermissible disclosure may lead to knock-on effects including “identity theft, financial loss, discrimination, stigma, mental anguish, or other serious negative consequences to the reputation, health, or physical safety of the individual or to others identified in the individual’s PHI.” The guidance provides links to helpful materials regarding various topics such as health apps, cybersecurity and Business Associate Agreements.