OCR Warns of HIPAA Pitfalls in Using Online Tracking Technologies - Bim Group

READ TIME: 6 MINUTES

The Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services (HHS) has released a bulletin emphasizing the duties covered entities and business associates must meet when using online tracking technologies to collect and analyze information about how users interact with regulated entities’ websites or mobile apps. The information collected this way often includes protected health information (PHI) and presents unique HIPAA compliance challenges.

OCR cautions that some regulated entities may be sharing sensitive information with online tracking technology vendors in ways that lead to unauthorized disclosures of PHI. For example, disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures that also may create wide-ranging additional harms to the individual. An impermissible disclosure of PHI may result in identity theft, financial loss, discrimination, stigma, mental anguish, or other serious negative consequences to the reputation, health, or physical safety of the individual or to others identified in the individual’s PHI.

It has always been true that regulated entities may not impermissibly disclose PHI to tracking technology vendors. However, because of the rapid expansion and increased use of tracking technologies, it is becoming increasingly important for regulated entities to be sure to disclose PHI only as expressly permitted or required by the HIPAA Privacy Rule.

What is a tracking technology?

Generally, a tracking technology is a script or code on a website or mobile app used to gather information about users. After information is collected through tracking technologies, the website or mobile app owners, or even third parties, analyze it to create insights about users’ online activities. Such insights could be used in beneficial ways to help improve care or patient experiences, but could also be misused to promote misinformation, identity theft, stalking, and harassment.

Websites commonly use tracking technologies such as cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts to track and collect information from users. Mobile apps generally include or embed tracking code to enable the app to collect information directly provided by the user, and apps may also capture the user’s mobile device-related information. Finally, tracking technologies developed by third-party tracking technology vendors send information directly to the third parties who developed such technologies and may continue to track users and gather information about them even after they navigate away from the original website to other websites.

How do the HIPAA Rules apply to a health plan’s use of tracking technologies?

A health plan can disclose a variety of information to tracking technology vendors through tracking technologies placed on its website, portal, or mobile app. This information might include an individual’s medical record number, home or email address, or dates of appointments, as well as an individual’s IP address or geographic location, medical device IDs, or any unique identifying code. This information generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the information does not include specific treatment or billing information like dates and types of health care services. This is because the information connects the individual to the plan and thus relates to the individual’s past, present, or future health or health care or payment for care.

Tracking on user-authenticated webpages

A group health plan might require a user to log in before they are able to access a patient or health plan beneficiary portal or a telehealth platform. Tracking technologies on a plan’s portal will likely have PHI including an individual’s IP address, medical record number, home or email addresses, dates of appointments, or other identifying information that the individual may provide when interacting with the webpage. Tracking technologies within user-authenticated webpages may even have access to an individual’s diagnosis and treatment information, prescription information, billing information, or other information within the portal. Therefore, the plan must configure any user-authenticated webpage to allow a tracking technology to only use and disclose PHI in compliance with the HIPAA Privacy Rule and must ensure that the electronic protected health information (ePHI) collected through its website is protected and secured in accordance with the HIPAA Security Rule.
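As an added illustration (not from the OCR bulletin or this article), the script below audits a captured log of outbound requests from an authenticated portal page: it separates first-party calls from calls to third-party vendor hosts and flags those whose URL or body carries the kinds of identifiers the bulletin names as PHI (e-mail address, medical record number, appointment date). The request log, host names and identifier patterns are constructed assumptions; the registrable-domain check is deliberately simple.

```python
"""Audit captured outbound requests from an authenticated portal page for
third-party tracker calls that carry PHI-like identifiers (hypothetical helper)."""
import re
from urllib.parse import urlsplit

# Patterns for identifiers the bulletin lists as PHI when tied to a plan member.
# These formats (MRN prefix, ISO date) are constructed assumptions for the example.
PHI_PATTERNS = {
    "email": re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I),
    "mrn": re.compile(r"\bMRN[-_ ]?\d{6,}\b", re.I),
    "appointment_date": re.compile(r"\b20\d{2}-\d{2}-\d{2}\b"),
}

def registrable_domain(host):
    """Crude eTLD+1: the last two labels (adequate for example.com-style hosts)."""
    return ".".join(host.lower().rsplit(".", 2)[-2:])

def is_third_party(url, first_party_host):
    """True when the request leaves the plan's own registrable domain."""
    host = urlsplit(url).hostname or ""
    return registrable_domain(host) != registrable_domain(first_party_host)

def phi_in_request(url, body=""):
    """Names of the PHI-like patterns found in the path, query string or body."""
    parts = urlsplit(url)
    text = " ".join([parts.path, parts.query, body])
    return sorted(name for name, rx in PHI_PATTERNS.items() if rx.search(text))

def audit(requests, first_party_host):
    """Return (vendor_host, [pattern names]) for each third-party request carrying PHI."""
    findings = []
    for _method, url, body in requests:
        if is_third_party(url, first_party_host):
            hits = phi_in_request(url, body)
            if hits:
                findings.append((urlsplit(url).hostname, hits))
    return findings

SAMPLE_REQUESTS = [  # constructed sample log, not real traffic
    ("GET", "https://portal.example-plan.com/api/appointments?mrn=MRN-00123456", ""),
    ("POST", "https://analytics.tracker-vendor.example/collect",
     "ev=pageview&uid=jane.doe@example.com&page=/claims"),
    ("GET", "https://pixel.adnet.example/p.gif?appt=2024-11-20&ref=portal", ""),
    ("GET", "https://cdn.tracker-vendor.example/tag.js", ""),
]

if __name__ == "__main__":
    for host, hits in audit(SAMPLE_REQUESTS, "portal.example-plan.com"):
        print(f"{host}: {', '.join(hits)}")
```

The first-party API call carrying the MRN is not flagged; the two vendor calls that carry an e-mail address and an appointment date are, and the bare tag download is not.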

OCR also reminds health plans that tracking technology vendors are business associates if they create, receive, maintain, or transmit PHI on behalf of a plan for a covered function (e.g., health care operations) or provide certain services to or for a covered entity (or another business associate) that involve the disclosure of PHI. In these circumstances, plans must ensure that disclosures made to such vendors are permitted by the Privacy Rule and enter into a business associate agreement (BAA) with these tracking technology vendors to ensure that PHI is protected in accordance with the HIPAA Rules.

Tracking within mobile apps

Mobile apps that regulated entities offer to individuals (e.g., to help manage their health information, pay bills) collect a variety of information provided by the app user, including information typed or uploaded into the app, as well as information provided by the app user’s device, such as fingerprints, network location, geolocation, device ID, or advertising ID. Such information collected by a regulated entity’s mobile app is PHI, and thus the regulated entity must comply with the HIPAA Rules for any PHI that the mobile app uses or discloses, including any subsequent disclosures to the mobile app vendor, tracking technology vendor, or any other third party who receives such information. For example, the HIPAA Rules apply to any PHI collected by a covered health clinic through the clinic’s mobile app used by patients to track health-related variables associated with pregnancy (e.g., menstrual cycle, body temperature, contraceptive prescription information).

HIPAA compliance obligations for group health plans when using tracking technologies

Regulated entities are required to comply with the HIPAA Rules when using tracking technologies as follows:

  • Ensure all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule and that, unless an exception applies, only the minimum necessary PHI to achieve the intended purpose is disclosed.

Regulated entities may identify the use of tracking technologies in their website or mobile app’s privacy policy, notice, or terms and conditions of use. However, the Privacy Rule does not permit disclosures of PHI to a tracking technology vendor based solely on a regulated entity informing individuals in its privacy policy, notice, or terms and conditions of use that it plans to make such disclosures. Regulated entities must ensure that all tracking technology vendors have signed a BAA and that there is an applicable permission prior to a disclosure of PHI. Further, website banners that ask users to accept or reject a website’s use of tracking technologies, such as cookies, do not constitute a valid HIPAA authorization.

Further, it is insufficient for a tracking technology vendor to agree to remove PHI from the information it receives or de-identify the PHI before the vendor saves the information. Any disclosure of PHI to the vendor without individuals’ authorizations requires the vendor to have a signed BAA in place and requires that there is an applicable Privacy Rule permission for disclosure.

  • Execute a BAA with any tracking technology vendor that is a business associate. A plan should evaluate its relationship with any tracking technology vendor to determine whether the vendor meets the definition of a business associate and ensure that the disclosures made to the vendor are permitted by the Privacy Rule. The BAA must specify the vendor’s permitted and required uses and disclosures of PHI and provide that the vendor will safeguard the PHI and report any security incidents, including breaches of unsecured PHI, to the plan.

If a plan does not want to create a business associate relationship with these vendors, or the chosen tracking technology vendor will not provide written satisfactory assurances in the form of a BAA that it will appropriately safeguard PHI, then the plan cannot disclose PHI to the vendors without individuals’ authorizations.

  • Address the use of tracking technologies in the regulated entity’s Risk Analysis and Risk Management processes, as well as implement other administrative, physical, and technical safeguards in accordance with the Security Rule (e.g., encrypting ePHI that is transmitted to the tracking technology vendor; enabling and using appropriate authentication, access, encryption, and audit controls when accessing ePHI maintained in the tracking technology vendor’s infrastructure) to protect the ePHI.
  • Provide breach notification to affected individuals, the HHS Secretary, and the media (when applicable) of an impermissible disclosure of PHI to a tracking technology vendor that compromises the security or privacy of PHI when there is no Privacy Rule requirement or permission to disclose PHI and there is no BAA with the vendor. In such instances, there is a presumption that there has been a breach of unsecured PHI unless the regulated entity can demonstrate that there is a low probability that the PHI has been compromised.


This information has been prepared for UBA by Fisher & Phillips LLP. It is general information and provided for educational purposes only. It is not intended to provide legal advice. You should not act on this information without consulting legal counsel or other knowledgeable advisors.
