The U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued guidance regarding covered entities’ and business associates’ use of tracking technologies (the Guidance). As discussed in greater detail below, the Guidance reveals OCR’s position that an IP address is not just an identifier but is itself individually identifiable health information (IIHI) when collected by tracking technology on a healthcare entity’s website. In light of the significant regulatory and class-action activity against covered entities and business associates regarding their use of this technology, this post provides our analysis of how the Guidance impacts how these entities use and assess their usage of tracking technologies. We also provide general recommendations for healthcare entities in light of the Guidance.
Background – Tracking Technologies
Organizations use various tools to make their websites functional, improve visitor experience and analyze website traffic. These tools are often grouped together and referred to as “tracking technologies” and include things like cookies, web beacons or pixel tags, heatmaps, session replay, and recording scripts, all of which can be used to collect information from website visitors as they navigate a website.
The following list includes a general overview of each of these common technologies and their functions.
- Cookies – Cookies are small text files sent to website visitors’ browsers from the websites they visit. They help that website learn or remember information about the visit – such as the user’s preferences (e.g., language choice, page configuration, shopping cart contents) – to improve the web browsing experience. Cookies can also be used for analytics, advertising and personalization. Depending on the user and browser settings, the browser will store cookies locally on the user’s device.
- Pixels – Also known as web beacons, trackers or advertising technology (AdTech), a pixel is a piece of code embedded on a website that can be used to track visitor activity on that website. By default, pixels will collect information about URLs visited, buttons clicked and other actions taken by a website visitor on a webpage where the pixel is present. Many pixels interact with cookies to track users’ activity and preferences.
- Heatmaps – Heatmaps collect user behavior data – such as button clicks and scrolling – to provide the website owner with a color-coded representation of the website elements that are the most (hot) and least (cold) interacted with.
- Session recording – Also known as session replays, user recordings and user/visitor replay tools, session recordings are renderings of real actions taken by visitors as they browse a website. The recordings capture mouse movement, clicks/taps, keyboard strokes and scrolling during the visitor’s website session to help website owners improve site functionality by understanding how users navigate their site, how they interact with elements, where they hesitate and where they get stuck. By default, the session recording tools we have seen (including HotJar and Crazy Egg) automatically anonymize keyboard strokes (i.e., the data a user inputs in a form) and can be configured to suppress specific elements.
Separately, every website also receives a set of data from each visitor’s browser as part of the request itself, known as HTTP headers or “header information.” Without getting too technical, header information is part of how a browser and a website communicate and is necessary for the web to work. It includes data about the visitor’s computer, mobile device and Internet connection, such as the IP address, operating system, browser type and app version (strictly, the IP address comes from the network connection carrying the request rather than from a header, but the website receives it together with the headers, and so does any third party whose resources the page loads). This information tells a website how to present content to the visitor (for example, a page may be laid out differently on a computer than on a mobile device) and where to send the response (i.e., the IP address).
Background – Regulatory Action and Litigation Related to Tracking Technology
Regulatory scrutiny of and class-action litigation based on healthcare providers’ use of tracking technology increased significantly after the June 2022 online publication of an article about healthcare providers’ use of Meta Pixel. Since 2016, there has been ongoing class-action litigation against a small group of entities and tracking technology providers. After June 2022, however, the litigation net was cast much wider, with new cases filed against many of the hospitals named in the article. Additionally, many of our clients (not all of whom were named in the article) began receiving regulatory inquiries from OCR, state attorneys general and departments of justice, and federal congressional committees. While the inquiries were triggered by interest in the use of tracking technology, the OCR inquiries have taken deep dives into general compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules. Several investigations have also revealed an interest in the intersection of tracking technology and its use on webpages related to women’s reproductive health following the Dobbs decision.
The Guidance – OCR’s Position on What Constitutes PHI when Collected from a Covered Entity’s Website
Below we highlight the significant points OCR makes in the Guidance in support of its position that an IP address is itself IIHI when collected by tracking technology on a HIPAA covered entity’s (CE) website. Those points are followed by OCR’s recommendations for using tracking technology in a HIPAA-compliant manner.
First, OCR’s rationale:
- OCR asserts that an IP address alone, collected by a CE’s website, is IIHI. In explaining how the HIPAA rules apply to CEs’ use of tracking technologies, OCR begins by asserting that (1) a website user’s IP address or geographic location, or any unique identifying code, is individually identifiable health information (IIHI); and (2) all IIHI, including IP addresses and geographic locations, that a website visitor provides when using a CE’s website “generally is PHI [protected health information],” even if the individual does not have an existing relationship with the CE and even if the IIHI, such as an IP address or geographic location, does not include specific treatment or billing information like dates and types of healthcare services.
- According to OCR, “[t]his is because, when a regulated entity collects the individual’s IIHI through its website or mobile app, the information connects the individual to the regulated entity (i.e., it is indicative that the individual has received or will receive health care services or benefits from the covered entity), and thus relates to the individual’s past, present, or future health or health care or payment for care.”
- A business associate agreement (BAA) is required for use of tracking technologies on a CE’s user-authenticated websites. Regarding tracking technologies on a CE’s user-authenticated websites (e.g., a patient portal), OCR states such technologies generally have access to PHI, and therefore a BAA with the technology vendor is required.
- A BAA is required for use of tracking technologies on certain unauthenticated webpages. Regarding tracking technologies on a CE’s unauthenticated websites (e.g., any publicly available pages not requiring a login), OCR states such technologies generally do not have access to PHI and the HIPAA Rules do not apply. However, OCR outlines certain cases where it says tracking technologies on unauthenticated webpages may have access to PHI and the HIPAA Rules do apply, including (1) the login page of the CE’s patient portal or a user registration webpage where the user creates a login for the patient portal and (2) webpages that address specific symptoms or health conditions, such as pregnancy or miscarriage, or that allow a visitor to search for doctors or schedule appointments.
- OCR provides the following as an example of when tracking technologies on unauthenticated pages have access to PHI: “[T]racking technologies could collect an individual’s email address and/or IP address when the individual visits a regulated entity’s webpage to search for available appointments with a health care provider. In this example, the regulated entity is disclosing PHI to the tracking technology vendor, and thus the HIPAA Rules apply.”
- Information collected from the user or the user’s device by a CE’s mobile app is PHI. Regarding CEs’ mobile apps, OCR notes that such apps collect information provided by the user (i.e., information typed or uploaded into the app) and by the user’s device (i.e., fingerprints, network location, geolocation, device ID or advertising ID) and states that such information is PHI. Thus, CEs must comply with the HIPAA Rules for any PHI that the mobile app uses or discloses, including any subsequent disclosures to mobile app vendors, tracking technology vendors or any other third party that receives such information.
OCR also offers examples of the HIPAA Privacy, Security and Breach Notification Rules’ requirements that CEs must meet when using tracking technologies with access to PHI. The OCR’s requirements are as follows:
Privacy Rule:
- CEs must ensure that if PHI is provided to a tracking technology vendor, the disclosure is permissible under HIPAA or subject to an exemption, and that only the minimum necessary PHI to achieve the intended purpose is disclosed.
- OCR clarifies that a website or mobile app’s privacy policy, terms and conditions, and/or privacy notice are not sufficient to permit disclosures of PHI to tracking technology vendors if the disclosure is not otherwise a permissible disclosure under HIPAA or pursuant to a valid BAA.
- OCR states that tracking technology vendors that receive PHI must sign a BAA, which must include a description of the vendor’s permissible uses and a guarantee of safeguarding PHI. OCR warns CEs that the vendor must meet the definition of a business associate in order for a BAA to permit the disclosure. “Signing an agreement containing the elements of a BAA does not make a tracking technology vendor a business associate if the tracking technology vendor does not meet the business associate definition.”
- If there is not a HIPAA-permitted disclosure or BAA, then CEs must obtain a HIPAA-compliant authorization prior to the disclosure of PHI to a tracking technology vendor. Website banners that ask users to accept or reject a website’s use of tracking technologies – such as cookies – do not constitute a valid HIPAA authorization.
Security Rule:
- CEs must address the use of tracking technologies in their risk analysis and risk management processes and implement other administrative, physical and technical safeguards (e.g., encrypting PHI transmitted to a technology vendor) to protect the PHI.
Breach Notification Rule:
- CEs must notify affected individuals, OCR and the media, as applicable, of an impermissible disclosure of PHI to a tracking technology vendor that compromises the security or privacy of PHI where there is no Privacy Rule permission to disclose PHI and there is no BAA with the vendor, unless the CE can demonstrate that there is a low probability that the PHI has been compromised.
BakerHostetler’s Assessment – Impact of the Guidance
The Guidance appears to conflate the statutory definition of IIHI with the identifiers listed in 45 CFR § 164.514(b)(2), which relates to de-identification of established PHI/IIHI. Under HIPAA:
- IIHI is defined as “information that is a subset of health information, including demographic information collected from an individual, and: (1) Is created or received by a [CE]; and (2) relates to the past, present, or future [(PPF)] physical or mental health or condition of an individual; the provision of health care to an individual; or the [PPF] payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.” 45 CFR § 160.103 (our emphasis).
- Health information (Health Information) is defined as “any information, including genetic information, whether oral or recorded in any form or medium, that: (1) Is created or received by a [CE]; and (2) Relates to the [PPF] physical or mental health or condition of an individual; the provision of health care to an individual; or the [PPF] payment for the provision of health care to an individual.” Id. (our emphasis).
- PHI is IIHI that is: “i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium.” Id.
In other words, IIHI creates the threshold for when personal information is considered PHI subject to the Privacy Rule. As such, it must include some Health Information about an individual accompanied by sufficient identifiers such that the individual is/could reasonably be identified.
45 CFR 164.514(b)(2), on the other hand, only applies once a determination has been made that the data at issue is PHI, as it instructs entities on which data elements to remove from PHI in order to render it de-identified. It is not a list of data elements that are, standing alone, individually identifiable.
The Guidance does not acknowledge any of the myriad situations in which the information that can be collected by tracking technologies never even meets the threshold definition of Health Information. Additionally, the Guidance states that something is IIHI if it “connects” a person with a CE, even if the person never becomes a patient. This is not consistent with the statutory definitions of IIHI and PHI. As a result of these two definitional issues, the Guidance could be ripe for challenge by both targets of OCR investigation and industry groups, including with respect to the scope of the OCR’s regulatory authority under HIPAA.
In practice, even if the definitional issues above were not present, the OCR may have a problem sufficiently proving a violation. Namely, the Guidance fails to acknowledge that, while some visitors on a CE’s website are also the CE’s patients, the pervasive use of “Dr. Google” to diagnose oneself or one’s friends/family members means that it is very likely that a significant amount of the data collected is not about the visitors themselves. With that reality, parsing out when such circumstances arise is impossible. For instance, a person may go to a hospital’s website after googling “face rash” because someone else – a friend, relative, co-worker – was experiencing that symptom. That user’s IP address bears no relationship to the person with the condition being searched and thus this is not IIHI. An attorney at a law firm may visit a hospital’s website from his or her office, using the firm’s IP address, to determine whether the notice of privacy practices (NPP) is up to date. The IP address is the firm’s, not the attorney’s, and the perusal of the NPP is not related to a health condition. OCR opts for a sledgehammer over a scalpel here, and in doing so creates guidance so flawed that we believe OCR will find it difficult to sufficiently prove a wholesale violation.
The Guidance does acknowledge the ability of CEs and their business associates to conduct a risk assessment to determine whether the use of a tracking technology resulted in a compromise of PHI. In undertaking that analysis, the basic question of “Was PHI involved?” is crucial, and CEs can defensively continue to use HIPAA’s definition of PHI, rather than the Guidance, to make that determination.
Recommendations
This Guidance should not be retroactively effective, meaning it should only apply on a going-forward basis. However, the going-forward application of this Guidance warrants analysis on whether the benefits of CEs continuing the use of tracking technologies are worth the risk. Specifically, it is possible that OCR could use the Guidance as a basis to find willful noncompliance for entities that continue to use tracking technologies after its publication date – resulting in higher penalty amounts levied.
While we do not believe that the use of tracking technologies is a per se violation and do believe that the Guidance can be successfully defended against, because of the increased potential for high fines after the Guidance came out, in an abundance of caution, we recommend the following:
- If, as a CE, you’ve not already done so, determine whether any tracking technology is utilized on your websites, appointment forms and/or patient portal. It is important to understand which specific technology is being utilized and what information may be transmitted with this technology. Common technology products we have examined in our investigations include Meta Pixel, Google Analytics, Google Maps, Yelp, HotJar, Microsoft Clarity and Crazy Egg, to name a few.
- To the extent that discussions about continuation/discontinuation of tracking technologies have been tabled, in an abundance of caution, we recommend reprioritizing the assessment and, if discontinuation is planned, implementing it quickly.
- Implement a website governance plan so that legal/compliance/privacy professionals are part of any website technology change management process. This plan should be a documented policy and procedure, and training the marketing department and all advertising and marketing vendors on the process is highly recommended.
- To the extent you will not discontinue all tracking technology use, ensure that each tracking product will be considered in your regular HIPAA risk analyses.
- To the extent you will not discontinue all tracking technology use, the decision as to whether a BAA is appropriate should be documented as to each vendor. Although many vendors refuse to sign BAAs, in light of the Guidance, they may be more willing to do so.
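The first recommendation above (determine which tracking technology is present on your pages) and the earlier point about header information (every third-party resource a page loads sends the visitor’s IP address to that third party) can be turned into a repeatable check. The script below is an added example, not code from the original post or from BakerHostetler: it parses a page’s HTML, lists every third-party host the browser would contact, and labels the ones that match an illustrative map of the vendor hostnames named in this post. The vendor-to-hostname map, the inline-script markers, the sample page, the `example-hospital.org` domain and the tag IDs are all constructed for the example and should be verified and extended for your own site.

```python
"""Inventory the third-party resources a web page loads and flag known
tracking technologies. Added example; not code from the original post."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostname suffix -> product. Constructed from vendor hostnames commonly seen
# in page source; verify against each vendor's documentation and extend it.
KNOWN_TRACKERS = {
    "connect.facebook.net": "Meta Pixel",
    "facebook.com": "Meta Pixel",
    "google-analytics.com": "Google Analytics",
    "googletagmanager.com": "Google Tag Manager / Analytics",
    "hotjar.com": "HotJar",
    "clarity.ms": "Microsoft Clarity",
    "crazyegg.com": "Crazy Egg",
}

# Call names whose presence in an inline <script> shows a tag was initialised
# even when the loader URL is assembled at run time (illustrative list).
INLINE_MARKERS = {
    "fbq(": "Meta Pixel",
    "gtag(": "Google Analytics",
    "hj(": "HotJar",
    "clarity(": "Microsoft Clarity",
}


class ResourceCollector(HTMLParser):
    """Record every URL the browser would fetch, plus inline script bodies."""

    SRC_ATTR = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []
        self.inline_scripts = []
        self._buf = None  # collects the body of the current inline <script>

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        name = self.SRC_ATTR.get(tag)
        if name and attr.get(name):
            self.urls.append(attr[name])
        self._buf = [] if tag == "script" and not attr.get("src") else None

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            if body:
                self.inline_scripts.append(body)
            self._buf = None

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)


def classify_host(host):
    """Map a hostname to a known tracking product, or None if unrecognised."""
    for suffix, product in KNOWN_TRACKERS.items():
        if host == suffix or host.endswith("." + suffix):
            return product
    return None


def inventory(html, first_party_domain):
    """Return one record per distinct third-party (host, product) pair.
    Each record is a resource whose load sends the visitor's IP address and
    request headers to a host outside the first-party domain."""
    parser = ResourceCollector()
    parser.feed(html)
    findings, seen = [], set()

    def add(host, product, url):
        if (host, product) not in seen:
            seen.add((host, product))
            findings.append({"host": host, "product": product, "url": url})

    for url in parser.urls:
        if url.startswith("//"):          # protocol-relative URL
            url = "https:" + url
        host = urlparse(url).hostname
        if host is None:                  # relative path: served first-party
            continue
        if host == first_party_domain or host.endswith("." + first_party_domain):
            continue
        add(host, classify_host(host) or "unclassified third party", url)

    for body in parser.inline_scripts:
        for marker, product in INLINE_MARKERS.items():
            if marker in body:
                add("(inline script)", product, "")
    return findings


# Constructed sample page for a hypothetical provider site; IDs are placeholders.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>window.dataLayer=[];function gtag(){dataLayer.push(arguments);}gtag('js',new Date());</script>
<script>(function(){var s=document.createElement('script');
s.src='https://connect.facebook.net/en_US/fbevents.js';document.head.appendChild(s);})();
fbq('init','PLACEHOLDER');fbq('track','PageView');</script>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=PLACEHOLDER&ev=PageView&noscript=1"/></noscript>
<script src="//static.hotjar.com/c/hotjar-PLACEHOLDER.js?sv=6"></script>
<script src="/assets/app.js"></script>
<link rel="stylesheet" href="https://cdn.example-hospital.org/site.css">
</head><body>
<img src="/images/logo.png">
<iframe src="https://maps.example-cdn.net/embed?q=clinic"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in inventory(SAMPLE_HTML, "example-hospital.org"):
        print(f"{f['product']:32} {f['host']:28} {f['url']}")
```

Run it against the saved HTML of each page in scope (the patient-portal login page, appointment search and condition-specific pages are the ones the Guidance singles out). Every row, including the "unclassified third party" ones, is a host that receives the visitor’s IP address on page load and therefore belongs in the risk analysis and the per-vendor BAA decision; static HTML review misses tags injected later by a tag manager, so pair this with a review of the tag-manager container or a browser network capture.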