Online Tracking Technology on Unauthenticated Webpages: It Depends
A provider may maintain an unauthenticated webpage. An unauthenticated webpage does not require patient login as a precondition to access. Webpages with general information, such as a provider’s location or services, may be unauthenticated. Online tracking technologies on an unauthenticated webpage generally do not have access to PHI. If, however, an individual must enter credentials or registration information on a login page to access the patient portal, the information collected by a tracking technology on that login page is PHI protected by HIPAA.
Tracking technologies on a provider’s unauthenticated webpage that allow individuals to search for doctors or schedule appointments without entering credentials may also have access to PHI. If these technologies collect individuals’ email addresses and/or IP addresses when the individual makes the search, the provider is, in effect, disclosing PHI to the online tracking technology vendor. The result? HIPAA applies.
Online Tracking Technology Within Mobile Apps: Who’s the Collector?
Providers may offer mobile apps to individuals. These apps help individuals manage their health information or pay bills electronically. The apps collect information typed by the user or uploaded into the app. The apps may also collect information provided by the app user’s device, such as fingerprints, network location, or device ID – a movable feast of PHI. When such PHI is collected, the provider must ensure that any use or disclosure of PHI by the app is in accordance with HIPAA.
A different result arises when the user voluntarily downloads or enters data into a mobile device that was not developed or offered by or on behalf of the provider. Here, HIPAA does not apply, because the provider is not creating, transmitting, maintaining, or receiving PHI. The provider is not out of the legal thicket, however. Other regulations, such as the FTC’s Health Breach Notification Rule, may apply. That rule regulates impermissible disclosures made by mobile health apps.
Online Tracking Technology: HIPAA Compliance Obligations
Providers should be mindful of PHI pitfalls when using online tracking technologies. Providers must ensure that all disclosures of PHI to an online tracking technology are permitted by the Privacy Rule and, unless an exception applies, must also ensure that only the minimum necessary PHI to achieve the intended purpose of the disclosure is disclosed.
If a provider seeks to disclose PHI to a tracking technology vendor, that vendor must sign a business associate agreement, and HIPAA must specifically permit any disclosure of PHI made under the agreement. If the vendor is not a business associate, the provider must obtain the individual’s written authorization before disclosing PHI to the vendor.
Finally, providers should address the use of tracking technologies in their risk analyses and risk remediation processes. Providers should also implement appropriate administrative, physical, and technical safeguards (such as encryption, access controls, authentication controls, and audit controls) when they access ePHI stored in the tracking technology vendor’s infrastructure. These controls ensure that ePHI is protected from unauthorized access.