OCR Warns of HIPAA Pitfalls in Using Online Tracking Technologies - Bim Group

The Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services (HHS) has released a bulletin emphasizing the duties covered entities and business associates must meet when using online tracking technologies to collect and analyze information about how users interact with regulated entities’ websites or mobile apps. The information collected this way often includes protected health information (PHI) and presents unique HIPAA compliance challenges.

OCR cautions that some regulated entities may be sharing sensitive information with online tracking technology vendors in ways that lead to unauthorized disclosures of PHI. For example, disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures that also may create wide-ranging additional harms to the individual. An impermissible disclosure of PHI may result in identity theft, financial loss, discrimination, stigma, mental anguish, or other serious negative consequences to the reputation, health, or physical safety of the individual or to others identified in the individual’s PHI.

It has always been true that regulated entities may not impermissibly disclose PHI to tracking technology vendors. However, because of the rapid expansion and increased use of tracking technologies, it is becoming increasingly important for regulated entities to ensure that they disclose PHI only as expressly permitted or required by the HIPAA Privacy Rule.

What is a tracking technology?

Generally, a tracking technology is a script or code on a website or mobile app used to gather information about users. After the information is collected through tracking technologies, the website or mobile app owners, or even third parties, analyze it to create insights about users’ online activities. Such insights could be used in beneficial ways to help improve care or patient experiences, but could also be misused to promote misinformation, identity theft, stalking, and harassment.

Websites commonly use tracking technologies such as cookies, web beacons or tracking pixels (typically a one-pixel image whose request to the vendor’s server carries the page URL and any identifiers embedded in it), session replay scripts, and fingerprinting scripts to track and collect information from users. Mobile apps generally include or embed tracking code that lets the app collect information the user provides directly, and apps may also capture information about the user’s mobile device. Finally, tracking technologies developed by third-party tracking technology vendors send information directly to those third parties, and because the vendor’s cookies and fingerprints are tied to the vendor rather than to the original website, the vendor may continue to track users and gather information about them after they navigate away from the original website to other websites.

How do the HIPAA Rules apply to a health plan’s use of tracking technologies?

A health plan can disclose a variety of information to tracking technology vendors through tracking technologies placed on its website, portal, or mobile app. This information might include an individual’s medical record number, home or email address, or dates of appointments, as well as an individual’s IP address or geographic location, medical device IDs, or any unique identifying code. This information generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the information does not include specific treatment or billing information like dates and types of health care services. This is because the information connects the individual to the plan and thus relates to the individual’s past, present, or future health or health care or payment for care.

Tracking on user-authenticated webpages

A group health plan might require a user to log in before they are able to access a patient or health plan beneficiary portal or a telehealth platform. Tracking technologies on a plan’s portal will likely have access to PHI, including an individual’s IP address, medical record number, home or email addresses, dates of appointments, or other identifying information that the individual may provide when interacting with the webpage. Tracking technologies within user-authenticated webpages may even have access to an individual’s diagnosis and treatment information, prescription information, billing information, or other information within the portal. Therefore, the plan must configure any user-authenticated webpage so that a tracking technology can only use and disclose PHI in compliance with the HIPAA Privacy Rule, and must ensure that the electronic protected health information (ePHI) collected through its website is protected and secured in accordance with the HIPAA Security Rule.

OCR also reminds health plans that tracking technology vendors are business associates if they create, receive, maintain, or transmit PHI on behalf of a plan for a covered function (e.g., health care operations) or provide certain services to or for a covered entity (or another business associate) that involve the disclosure of PHI. In these circumstances, plans must ensure that disclosures made to such vendors are permitted by the Privacy Rule and enter into a business associate agreement (BAA) with these tracking technology vendors to ensure that PHI is protected in accordance with the HIPAA Rules.

Tracking within mobile apps

Mobile apps that regulated entities offer to individuals (e.g., to help manage their health information, pay bills) collect a variety of information provided by the app user, including information typed or uploaded into the app, as well as information provided by the app user’s device, such as fingerprints, network location, geolocation, device ID, or advertising ID. Such information collected by a regulated entity’s mobile app is PHI, and thus the regulated entity must comply with the HIPAA Rules for any PHI that the mobile app uses or discloses, including any subsequent disclosures to the mobile app vendor, tracking technology vendor, or any other third party who receives such information. For example, the HIPAA Rules apply to any PHI collected by a covered health clinic through the clinic’s mobile app used by patients to track health-related variables associated with pregnancy (e.g., menstrual cycle, body temperature, contraceptive prescription information).

HIPAA compliance obligations for group health plans when using tracking technologies

Regulated entities are required to comply with the HIPAA Rules when using tracking technologies as follows:

  • Ensure all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule and that, unless an exception applies, only the minimum necessary PHI to achieve the intended purpose is disclosed.

Regulated entities may identify the use of tracking technologies in their website or mobile app’s privacy policy, notice, or terms and conditions of use. However, the Privacy Rule does not permit disclosures of PHI to a tracking technology vendor based solely on a regulated entity informing individuals in its privacy policy, notice, or terms and conditions of use that it plans to make such disclosures. Regulated entities must ensure that all tracking technology vendors have signed a BAA and that there is an applicable permission prior to a disclosure of PHI. Further, website banners that ask users to accept or reject a website’s use of tracking technologies, such as cookies, do not constitute a valid HIPAA authorization.

Further, it is insufficient for a tracking technology vendor to agree to remove PHI from the information it receives or de-identify the PHI before the vendor saves the information. Any disclosure of PHI to the vendor without individuals’ authorizations requires the vendor to have a signed BAA in place and requires that there is an applicable Privacy Rule permission for disclosure.

  • Execute a BAA with any tracking technology vendor that is a Business Associate. A plan should evaluate its relationship with any tracking technology vendor to determine whether the vendor meets the definition of a business associate and ensure that the disclosures made to the vendor are permitted by the Privacy Rule. The BAA must specify the vendor’s permitted and required uses and disclosures of PHI and provide that the vendor will safeguard the PHI and report any security incidents, including breaches of unsecured PHI, to the plan.

If a plan does not want to create a business associate relationship with these vendors, or the chosen tracking technology vendor will not provide written satisfactory assurances in the form of a BAA that it will appropriately safeguard PHI, then the plan cannot disclose PHI to the vendors without individuals’ authorizations.

  • Address the use of tracking technologies in the regulated entity’s Risk Analysis and Risk Management processes, as well as implement other administrative, physical, and technical safeguards in accordance with the Security Rule (e.g., encrypting ePHI that is transmitted to the tracking technology vendor; enabling and using appropriate authentication, access, encryption, and audit controls when accessing ePHI maintained in the tracking technology vendor’s infrastructure) to protect the ePHI.
  • Provide breach notification to affected individuals, the HHS Secretary, and the media (when applicable) of an impermissible disclosure of PHI to a tracking technology vendor that compromises the security or privacy of PHI when there is no Privacy Rule requirement or permission to disclose PHI and there is no BAA with the vendor. In such instances, there is a presumption that there has been a breach of unsecured PHI unless the regulated entity can demonstrate that there is a low probability that the PHI has been compromised.
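The risk analysis step above, and the authenticated-portal discussion earlier, both start from the same question: which hosts other than the plan’s own receive requests from a portal page, and which of those requests carry identifiers such as a medical record number or appointment date in the URL. The following Python script is an added example of that inventory; it is not part of OCR’s bulletin or this article. The first-party origin `healthplan.example`, the sample portal page, every hostname in it, and the list of sensitive query-string keys are constructed for illustration.

```python
"""Inventory third-party tracking resources on a page and the identifiers they carry.

Added example for this article, not OCR guidance or vendor code. The first-party
origin, the sample portal page and every hostname in it are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Tag/attribute pairs that make the browser request a URL: scripts, pixels,
# session-replay iframes, remote stylesheets and fonts, plugins.
LOADING_ATTRS = {
    "script": ("src",), "img": ("src",), "iframe": ("src",),
    "link": ("href",), "object": ("data",), "embed": ("src",),
}
# Query-string keys that would carry identifiers OCR treats as PHI when a
# regulated entity sends them. Hypothetical names chosen for the example.
SENSITIVE_KEYS = {"mrn", "patient_id", "member_id", "email", "appt", "dob"}
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


class TrackerInventory(HTMLParser):
    """Collect every resource loaded from a host other than the first party."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party = first_party_host.lower()
        self.third_party = []       # dicts: tag, host, url, sensitive_keys
        self._in_script = False

    def _is_first_party(self, host):
        return host == self.first_party or host.endswith("." + self.first_party)

    def _record(self, tag, url):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if not host or self._is_first_party(host):
            return                  # relative or same-origin: not a disclosure
        keys = sorted(k for k in parse_qs(parts.query) if k.lower() in SENSITIVE_KEYS)
        self.third_party.append(
            {"tag": tag, "host": host, "url": url, "sensitive_keys": keys})

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        for attr in LOADING_ATTRS.get(tag, ()):
            if attrs.get(attr):
                self._record(tag, attrs[attr])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Vendor snippets often build the beacon URL in inline JavaScript
        # rather than in markup; catch absolute URLs there as well.
        if self._in_script:
            for url in URL_RE.findall(data):
                self._record("inline-script", url)


def inventory(html, first_party_host):
    """Return every third-party resource request found in the page, in document order."""
    parser = TrackerInventory(first_party_host)
    parser.feed(html)
    parser.close()
    return parser.third_party


def identifier_leaks(findings):
    """Requests whose URL already carries a sensitive identifier to a third party."""
    return [f for f in findings if f["sensitive_keys"]]


def third_party_hosts(findings):
    return sorted({f["host"] for f in findings})


# Constructed sample of an authenticated portal page (hypothetical hosts).
SAMPLE_PORTAL_PAGE = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.healthplan.example/js/portal.js"></script>
<script src="https://analytics.example.net/tag.js?id=HYPO-123"></script>
<link rel="stylesheet" href="https://fonts.example.org/css">
<script>
  var beacon = new Image();
  beacon.src = "https://pixel.adsvendor.example/collect?mrn=123456&appt=2024-06-11";
</script>
</head><body>
<noscript><img src="https://pixel.adsvendor.example/collect?member_id=987" width="1" height="1"></noscript>
<iframe src="https://replay.example.net/session?site=hp"></iframe>
<img src="/images/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for f in inventory(SAMPLE_PORTAL_PAGE, "healthplan.example"):
        flag = "  <-- identifiers: " + ",".join(f["sensitive_keys"]) if f["sensitive_keys"] else ""
        print(f"{f['tag']:14} {f['host']:26} {f['url']}{flag}")
```

Run it against the rendered HTML of each authenticated page, saved after scripts have executed, since view-source misses tags a vendor snippet injects at load time. Every host it reports is either a business associate with a BAA and an applicable Privacy Rule permission, or a disclosure that has to stop; the cookie banner on the page does not change that classification.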




This information has been prepared for UBA by Fisher & Phillips LLP. It is general information and provided for educational purposes only. It is not intended to provide legal advice. You should not act on this information without consulting legal counsel or other knowledgeable advisors.
