Online Tracking and Cookies: an ePHI Privacy Violation?


Whether you realize it or not, online tracking technology is part of our daily lives. Every time your phone remembers a password for you, or your browser picks up right where you left off, a bit of your information was saved. The question is: what type of information, and how much? In response to this issue, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a bulletin on December 1, 2022, to highlight obligations under HIPAA pertaining to online tracking technologies and ePHI. Regulated entities under HIPAA are not allowed to use tracking technologies that would result in disclosures of PHI to the tracking technology vendors, or any other violations of the HIPAA rules.

What is 3rd-Party Tracking Technology?

Have you ever noticed how you can be shopping online for a new pair of athletic shoes, and the next time you log on you are faced with ads for that very product, down to the color and style? This happens because of third-party trackers – like cookies, tags, and pixels – which are primarily used for marketing and analytics purposes. They gather information that you input into your device, then use that data to accomplish marketing tasks or to save information like passwords that keep you logged in. Most of the time users are unaware that these processes are happening in the background.

Cookies, tags, and pixels are all trackers, with some key differences in how they work and for what purposes. What they have in common, however, is that they are all meant to capture data about users – mostly to deliver a more customized web experience (including targeted ads).

How Does This Relate to PHI or ePHI?

The problem with tracking technology occurs when these trackers are no longer just tracking your demographics and shopping habits but may also be tracking your patient data. Most people see the cookie warnings and permissions pop up on a website and automatically click “ok” without reading the details. With widespread usage of vendors like Google Analytics and Meta Pixel, PHI can be inadvertently shared with a third-party vendor.

Advocate Aurora Health, a 27-hospital system in Illinois and Wisconsin, reported in October 2022 that up to 3 million patients may have been involved in a HIPAA breach against the health system. Through the use of internet tracking technologies on the organization’s website, certain patient information was transmitted to third-party vendors that provided the pixel technology currently in use. Out of an “abundance of caution,” Advocate Aurora Health had to assume that any patients who had a MyChart account had been affected.

The organization stated: “These pixels or similar technologies were designed to gather information that we review in aggregate so that we can better understand patient needs and preferences to provide needed care to our patient population.”

Taking the Right Preventative Steps

The recent HHS Bulletin provides insight and examples of:

  • Tracking on webpages
  • Tracking within mobile apps
  • HIPAA compliance obligations for regulated entities when using tracking technologies

OCR Director Melanie Fontes Rainer states that “Providers, health plans, and HIPAA-regulated entities, including technology platforms, must follow the law. This means considering the risks to patients’ health information when using tracking technologies.”

It is important for organizations to realize that tracking technologies can disclose a variety of individually identifiable health information (IIHI) on regulated entities’ websites or mobile apps.

IIHI can include:

  • Medical record number
  • Home or email address
  • Dates of appointments
  • IP addresses or geographic locations

It is important to note that ALL such IIHI collected on a website or app is generally PHI, even if the individual does not have an existing relationship with the covered entity, and even if the information does not include specific treatment or billing information.
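To see which of these IIHI types a site is actually sending to tracking vendors, the outbound requests recorded in a browser's network log can be checked against the list above. The following is an added example, not code from the HHS bulletin or from FormDr; the host names, parameter names, MRN naming hints and sample URLs are constructed assumptions to adapt to your own site.

```javascript
// Added example. Parameter-name hints and sample URLs are constructed assumptions.
const EMAIL = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const ISO_DATE = /^\d{4}-\d{2}-\d{2}$/;
const MRN_NAME = /^(mrn|patient_?id|medical_?record)/i;
const APPT_NAME = /(appt|appointment)/i;

// Record which IIHI types appear in a set of query parameters.
function classify(params, kinds) {
  for (const [name, value] of params) {
    if (EMAIL.test(value)) kinds.add('email');
    if (MRN_NAME.test(name)) kinds.add('mrn');
    if (APPT_NAME.test(name) && ISO_DATE.test(value)) kinds.add('appointment_date');
    // Trackers often forward the visited page URL as a parameter; inspect it too.
    if (/^https?:\/\//i.test(value)) {
      try { classify(new URL(value).searchParams, kinds); } catch { /* not a URL */ }
    }
  }
}

function isThirdParty(host, firstParty) {
  return host !== firstParty && !host.endsWith('.' + firstParty);
}

// Return one finding per request that leaves the first-party domain.
function findIihiDisclosures(requestUrls, firstPartyHost) {
  const findings = [];
  for (const raw of requestUrls) {
    let url;
    try { url = new URL(raw); } catch { continue; } // skip malformed entries
    if (!isThirdParty(url.hostname, firstPartyHost)) continue;
    // The receiving host always sees the visitor's IP address.
    const kinds = new Set(['ip_address']);
    // searchParams percent-decodes values, so jane%40example.org still matches.
    classify(url.searchParams, kinds);
    findings.push({ host: url.hostname, kinds: [...kinds].sort() });
  }
  return findings;
}

// Constructed sample: request URLs as exported from a browser's network log.
const SAMPLE_REQUESTS = [
  'https://portal.clinic.example/api/appointments?mrn=123456', // first party
  'https://tracker.vendor.example/collect?ev=PageView&em=jane%40example.org',
  'https://analytics.vendor.example/t?page=https%3A%2F%2Fportal.clinic.example%2Fbook%3Fmrn%3D123456%26appt_date%3D2023-01-15',
  'https://cdn.vendor.example/lib.js',
];

console.log(findIihiDisclosures(SAMPLE_REQUESTS, 'clinic.example'));
```

Even the script download from the third request host with no parameters is reported, because the visitor's IP address reaches that vendor regardless of what the URL carries.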

Responsibilities Under HIPAA

At this point you are probably wondering exactly what you need to do to make sure that websites are compliant. The bulletin gives some very specific points to be aware of (it is important to read the bulletin in its entirety for all details):

  • Ensure that any disclosures of PHI or ePHI to tracking technology vendors are permitted by HIPAA, and that only the minimum necessary PHI is disclosed.
  • Identify the use of tracking technologies in the website or app’s privacy policy, notice, and terms and conditions of use.
  • If ePHI or PHI is disclosed, and there is not an applicable Privacy Rule permission, consent must be obtained from the user. A cookie banner that a user must “accept” is not sufficient.
  • Third party vendors that receive any sort of PHI should have a BAA in place.
  • Include tracking technology usage in the practice’s Risk Analysis and Risk Management processes.
  • Provide breach notification to affected individuals and the HHS Secretary in the case of an impermissible disclosure via tracking technology.

Armed with knowledge and awareness, your practice can put in place the necessary precautions to keep PHI exactly what it is – protected and private.

FormDr is committed to staying on top of the newest HIPAA regulations and continuing to provide best-in-class HIPAA-compliant online forms to our clients.