Healthcare providers frequently use online tracking technologies – scripts or code on a website or mobile app that gather information about users as they interact with the site or app. These technologies frequently have access to PHI. The Department of Health and Human Services (HHS) recently issued a guidance bulletin to raise awareness of the inappropriate use of online tracking technologies.
The bulletin discusses how the HIPAA rules apply to different types of online tracking technology, including tracking on user-authenticated webpages, unauthenticated webpages, and within mobile apps. The topic of appropriate use of online tracking technology and HIPAA is discussed in greater detail below.
Online Tracking Technology on User-Authenticated Webpages: Permitted?
A user must first log in to access a user-authenticated webpage, such as a patient or health plan beneficiary portal. The provider’s user-authenticated webpage generally has access to PHI. To protect user privacy, HIPAA covered entities must configure user-authenticated webpages that include tracking technologies to allow those technologies to only use and disclose PHI as permitted by the Privacy Rule. HIPAA covered entities must ensure that any ePHI collected by such technologies is protected and secured in compliance with the Security Rule.
Also, a tracking technology vendor may be a business associate if that vendor creates, maintains, receives, or transmits PHI on behalf of a HIPAA regulated entity for covered functions (e.g., healthcare operations). When an online tracking technology performs business associate functions for a HIPAA regulated entity, the regulated entity must ensure that any disclosures made to the technology vendor are permitted by the Privacy Rule.
The regulated entity and the business associate must (surprise!) also enter into a business associate agreement (BAA). The BAA provides contractual assurances that the online tracking technology vendor will protect patient PHI. For example, if a patient uses a provider’s website to make an appointment, and that site uses third-party tracking technologies, the website might automatically transmit appointment information (and other protected information, such as the user’s IP address) to an online tracking technology vendor. Such a vendor would be a business associate, and would need to enter into a business associate agreement with the provider.
Online Tracking Technology on Unauthenticated Webpages: It Depends
A provider may maintain an unauthenticated webpage. An unauthenticated webpage does not require patient login as a precondition to access. Webpages with general information, such as the provider’s location or services, may be unauthenticated. Online tracking technologies on an unauthenticated webpage generally do not have access to PHI. The login page of a patient portal is itself unauthenticated, but if tracking technology on that page captures the credentials or registration information an individual enters to reach the portal, the captured information is PHI and is protected by HIPAA.
Tracking technologies on a provider’s unauthenticated webpage that allow individuals to search for doctors or schedule appointments without entering credentials may also have access to PHI. If these technologies collect individuals’ email addresses and/or IP addresses when the individual performs the search, the provider is, in effect, disclosing PHI to the online tracking technology vendor. The result? HIPAA applies.
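The appointment and doctor-search scenarios above share one mechanism: a tracking snippet on the page forwards whatever the page hands it, including the visitor’s email, IP address, appointment date and search terms, to the vendor. The following is an added example, not code from the HHS bulletin or from any tracking vendor’s SDK, of a client-side gate a provider could place in front of a vendor’s collection call. It releases only an allowlisted set of fields, rejects values that look like identifiers, reduces the page URL to a path with record numbers and query strings removed, and refuses to send anything from an authenticated page unless the vendor is under a BAA. The field names, the `clinic.example` URL, and the sample event are all constructed for the illustration.

```javascript
// Added example (not from the HHS bulletin or any vendor SDK): a gate between a
// provider's web pages and a third-party tracking vendor. Names and the sample
// event are constructed for illustration.

// Fields a vendor may receive; everything else is dropped. (Assumed allowlist.)
const ALLOWED_FIELDS = new Set(["event", "page_path", "hour_bucket"]);

// Values that must never leave the page: email addresses, IPv4 addresses, dates.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i;
const IPV4_RE = /\b(?:\d{1,3}\.){3}\d{1,3}\b/;
const DATE_RE = /\b\d{4}-\d{2}-\d{2}\b/;

// Reduce a page URL to its path, replacing numeric segments (record or
// appointment numbers) and discarding the query string (doctor searches,
// visit reasons) and fragment.
function scrubPath(url) {
  const u = new URL(url);
  return u.pathname
    .split("/")
    .map((seg) => (/^\d+$/.test(seg) ? ":id" : seg))
    .join("/");
}

function looksIdentifying(value) {
  return (
    typeof value === "string" &&
    (EMAIL_RE.test(value) || IPV4_RE.test(value) || DATE_RE.test(value))
  );
}

// Decide what, if anything, the vendor may receive for one page event.
// `context` describes the page: { authenticated: bool, vendorHasBaa: bool }.
// Returns { allowed, clean, dropped } so the caller can log what was withheld.
function prepareTrackingEvent(rawEvent, context) {
  // Authenticated pages carry PHI by default: no BAA, no disclosure at all.
  if (context.authenticated && !context.vendorHasBaa) {
    return { allowed: false, clean: {}, dropped: Object.keys(rawEvent) };
  }
  const clean = {};
  const dropped = [];
  for (const [key, value] of Object.entries(rawEvent)) {
    if (!ALLOWED_FIELDS.has(key) || looksIdentifying(value)) {
      dropped.push(key);
      continue;
    }
    clean[key] = key === "page_path" ? scrubPath(value) : value;
  }
  return { allowed: true, clean, dropped };
}

// Constructed sample: what a naive snippet on an appointment page would send.
const SAMPLE_EVENT = {
  event: "appointment_requested",
  page_path: "https://clinic.example/schedule/4471?doctor=smith&reason=oncology",
  hour_bucket: 14,
  email: "pat@example.com",
  client_ip: "203.0.113.7",
  appointment_date: "2024-06-03",
  search_query: "oncology near me",
};

// Unauthenticated scheduling page: the event goes out, stripped to
// { event, page_path: "/schedule/:id", hour_bucket }.
const publicPage = prepareTrackingEvent(SAMPLE_EVENT, {
  authenticated: false,
  vendorHasBaa: false,
});
console.log(publicPage);

// Authenticated portal page, vendor without a BAA: nothing goes out.
const portalPage = prepareTrackingEvent(SAMPLE_EVENT, {
  authenticated: true,
  vendorHasBaa: false,
});
console.log(portalPage);
```

One caveat a practitioner should keep in mind: stripping `client_ip` from the payload does not hide the visitor’s IP address from the vendor, because any request the browser makes directly to the vendor’s servers exposes it at the network layer. If the IP address itself must not reach the vendor, the vendor’s script cannot be loaded into the page at all, and events have to be relayed through a server the provider controls.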
Online Tracking Technology Within Mobile Apps: Who’s the Collector?
Providers may offer mobile apps to individuals. These apps allow individuals to help manage their health information or to pay bills electronically. The apps collect information typed by the user or uploaded into the app. The apps may also collect information provided by the app user’s device, such as fingerprints, network location, or device ID – a movable feast of PHI. When such PHI is collected, the provider must ensure that whatever PHI the app uses or discloses is in accordance with HIPAA.
A different result presents when the user voluntarily downloads, or enters data into, a mobile app that was not developed or offered by or on behalf of the provider. Here, HIPAA does not apply, because the provider is not creating, transmitting, maintaining, or receiving PHI. The provider is not out of the legal thicket, however. Other regulations, such as the FTC’s Health Breach Notification Rule, may apply; that rule regulates impermissible disclosures made by mobile health apps.
Online Tracking Technology: HIPAA Compliance Obligations
Providers should be mindful of avoiding PHI pitfalls when using online tracking technologies. Providers must ensure that all disclosures of PHI to an online tracking technology are permitted by the Privacy Rule, and, unless an exception applies, must also ensure that only the minimum necessary PHI to achieve the intended disclosure purpose is disclosed.
If a provider seeks to disclose PHI to a tracking technology vendor, that vendor must sign a business associate agreement. HIPAA must specifically permit any disclosure of PHI under the agreement. If the vendor is not a business associate, the provider must obtain an individual’s written authorization before disclosure of PHI to the vendor.
Finally, providers should address the use of tracking technologies in their risk analyses and risk remediation processes. Providers should also implement appropriate administrative, physical, and technical safeguards, such as encrypting ePHI transmitted to the tracking technology vendor, and applying access, authentication, and audit controls to any ePHI stored in the vendor’s infrastructure. These controls help protect ePHI from unauthorized access.