Are You Using Tracking Technologies That Collect Protected Health Information Under HIPAA?

Published December 29, 2022 / Updated November 12, 2024

Healthcare data privacy is a serious, growing concern. It worries users who actively use wearable technologies or individuals who seek to keep their health data private.

Health data merits additional data protection due to its sensitive nature and the wide range of potential consequences for individuals if it is disclosed impermissibly. For example, an impermissible disclosure of health data may result in identity theft, financial loss, discrimination, stigma, mental anguish, and other serious negative consequences for an individual’s health or safety.

Recognizing these potential harms to data subjects and seeking to address their data privacy concerns, especially in the wake of the Dobbs v. Jackson Women’s Health Organization decision on 1 December 2022, the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), issued guidance on the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates (Guidance).

This Guidance addresses HIPAA-covered entities and business associates (regulated entities) under the HIPAA Privacy, Security, and Breach Notification Rules (HIPAA Rules) that use online tracking technologies on their websites or mobile applications.

HHS’s Definition of Tracking Technologies

The HHS provides a detailed explanation of tracking technologies and their uses. Generally, tracking technology is any piece of code or script that websites and mobile applications use to track users’ on-site or on-app behavior, along with other information. In the context of the healthcare industry, a website or app uses insights driven by tracking technologies to improve the patient care experience and deliver enhanced services.

The HHS further clarified that tracking technologies aren’t limited to cookies. In fact, it can be any range of technologies that collect and analyze users’ personal information, such as “web beacons or tracking pixels, session replay scripts, and fingerprinting scripts.”

When used in a mobile application, tracking technologies may track and collect users’ device IDs, geolocation, or advertising IDs. Based on the collected information, the insights may enable the app owner or any third parties, such as advertisers, to create individual user profiles and send targeted advertisements to data subjects.

Compliance Obligations under HIPAA Guidance

The Health Insurance Portability and Accountability Act (HIPAA) Guidance applies to HIPAA-covered entities and business associates (regulated entities). Online tracking technologies can collect different types of health data, including Protected Health Information (PHI) and Individually Identifiable Health Information (IIHI), that an individual provides when they use regulated entities’ websites or mobile apps.

The IIHI may include a wide range of data elements concerning health information such as patient demographics, information related to past, present, or future health, healthcare, or payment for healthcare. IIHI may also include an individual’s IP address or geographic location, medical device IDs, or any unique identifying code under certain circumstances.

On the other hand, protected health information (PHI) is IIHI transmitted by electronic media, maintained by electronic media, or transmitted or maintained in any other form or medium. It should be noted here that all IIHI is generally PHI, even if the individual does not have an existing relationship with the regulated entity because the information connects the individual to the regulated entity.

The Guidance clarifies that regulated entities must not use tracking technologies in a manner that results in an impermissible disclosure of PHI to tracking technology vendors or any other violations of the HIPAA Rules. Before disclosing PHI to tracking technology vendors, regulated entities that use tracking technologies are required to ensure the following:

  1. Determine if the tracking technology vendor constitutes a business associate. Tracking technology vendors are business associates if they create, receive, maintain, or transmit the PHI on behalf of a regulated entity for healthcare operations or any other covered function under the HIPAA or provide certain services to or for a covered entity (or another business associate) that involve the disclosure of PHI.
  2. If the tracking technology vendor meets the definition of a business associate, establish a BAA with it. The BAA must specify the vendor’s permitted and required uses and disclosures of the PHI and ensure that the vendor will safeguard the PHI and report any notifiable security breaches concerning the PHI to the regulated entity.
  3. Ensure all disclosures of PHI to tracking technology vendors are specifically permitted by the HIPAA Privacy Rule.
  4. Obtain individuals’ authorizations in cases where the regulated entity does not create a business associate relationship with the tracking technology vendor or in the absence of an applicable Privacy Rule permission under HIPAA. Individuals’ authorizations must be HIPAA compliant - a privacy policy/notice, terms and conditions, or a cookie consent banner on the website is insufficient as these do not constitute valid HIPAA authorizations.
  5. Minimize all disclosures of PHI to tracking technology vendors to what is necessary to achieve the intended purpose.

The HHS recognizes that HIPAA-covered entities use tracking technologies on user-authenticated web pages, unauthenticated web pages, and mobile applications.

For User-Authenticated Web Pages

User-authenticated web pages on a regulated entity’s website are accessible after users log in to use the service further, such as logging into a web-based platform to check personal medical history or schedule appointments with a healthcare consultant. These webpages have tracking technologies enabled, allowing them to track and collect users' PHI, such as their medical record number, IP address, appointment schedule, and similar identifying health information.

In such cases, the regulated entity must ensure that PHI is used and disclosed in compliance with the HIPAA Privacy Rules and that the electronic PHI is protected and secured in accordance with the HIPAA Security Rule.

Specifically, HHS requires regulated entities first to ensure that the HIPAA Privacy Rules permit the disclosure of PHI to the tracking technology vendor. Secondly, the regulated entity must enter into a Business Associate Agreement (BAA) with the tracking technology vendor to ensure that the patient’s PHI is protected under the HIPAA Rules.

For Unauthenticated Webpages

Generally, every website has more unauthenticated web pages than user-authenticated web pages. These web pages usually contain general healthcare information and do not require users to log in to access the page. Such unauthenticated webpages aren’t required to comply with the HIPAA Privacy Rules as long as there’s no disclosure of PHI.

That being said, a website may contain certain unauthenticated webpages where PHI might be used or disclosed, such as the login page of a healthcare website that requires users to enter details like name, email address, patient record number, etc. In such cases, the HIPAA Privacy Rules apply; thus, regulated entities must ensure that the PHI is protected per the HIPAA Rules.

The HHS further provides another example of unauthenticated web pages where HIPAA Rules are applied, such as information pages where the patient might seek treatment for specific symptoms, available appointments, or pregnancy-related information. Since the tracking technology might track users’ IP address and other related data and tie it to the information being searched, it may fall under HIPAA Privacy Rules compliance.

Tracking Technologies on Mobile Apps

Similar to web pages, mobile applications also use online tracking technologies to track, use, or disclose a wide range of information, such as device ID, network location, geolocation, and fingerprints. This information is then disclosed to the mobile app owner, third-party tracking technology vendor, etc. All this information falls under the PHI definition and is thus regulated by HIPAA Privacy Rules.

However, if a patient voluntarily downloads and uses mobile applications that are not developed by the regulated entity, then in such circumstances, the data isn’t regulated by the HIPAA Rules, even if the data comes from the regulated entity. For example, the HIPAA Rules do not apply to health information that an individual enters into a mobile app offered by another entity that HIPAA does not regulate.

HIPAA Privacy, Security & Breach Notification Obligations

The HHS further provides additional guidelines regarding privacy, security, and breach notification obligations.

For example, in the event of a data breach, the regulated entity must notify the affected individuals, the Secretary, and, where applicable, the media. Notification is required in the case of an impermissible disclosure of PHI. An impermissible disclosure of PHI to a tracking technology vendor that compromises the security or privacy of the PHI constitutes a breach of unsecured PHI unless the regulated entity is able to demonstrate that there is a low probability that the PHI has been compromised.

Similarly, the new HIPAA guidance requires regulated entities to implement risk analysis and risk management processes to address the use of tracking technologies. The regulated entity must further ensure that robust administrative, technical, and physical safeguards, such as encryption, authentication, and other audit controls, are in place to protect the ePHI.

HHS has made it clear in its bulletin that regulated entities may provide information relevant to the use of tracking technologies in its privacy policies, privacy notices, or terms of service. However, terms and conditions, privacy policy, or a cookie consent banner are not considered sufficient or valid ways of seeking authorization from individuals in relation to the disclosure of their PHI. Even for vendors that are not business associates to the regulated entities, valid HIPAA authorizations are required as per the requirements described under the HIPAA.

1. HHS Guidance on Tracking Technologies (2022)

  • In 2022, HHS issued guidance stating that IP addresses and other information collected on public, unauthenticated websites (those not requiring logins) could be considered Protected Health Information (PHI) under HIPAA if they suggested that a visitor was receiving health services.
  • Third-party tracking providers, such as those using cookies and pixels, were classified as "business associates," necessitating agreements with healthcare providers and further expanding the definition of PHI.
  • The American Hospital Association (AHA) and others criticized this guidance for broadly defining PHI, claiming it could limit access to health information. In response to AHA’s complaints, HHS initially issued warning letters but did not revise its stance.
  • The guidance was revised in March 2024 to require understanding the "intent" behind website visits to determine if the interaction counted as PHI, though this led to confusion since the intent is often unknowable in web interactions.
  • Under the original guidance, the HHS-OCR had taken the position that HIPAA can be triggered if a healthcare provider collects a person’s IP address (or other individually identifiable information) on its public-facing website, even if the individual does not have an existing relationship with the regulated entity.
  • The updated guidance attempts to explain the “intent” aspect of a website visit by clarifying that “the mere fact that an online tracking technology connects the IP address of a user’s device … with a visit to a webpage addressing specific health conditions or listing health care providers” is not sufficient to constitute PHI “if the visit to the webpage is not related to an individual’s past, present, or future health, health care, or payment for health care.”

3. Court Decision in AHA v. Xavier Becerra

  • The Northern District of Texas federal court ruled that HHS’s guidance overstepped HIPAA’s authority by defining metadata (like IP addresses) as PHI without clear identifiers or intent. The court stated that IP addresses alone cannot identify an individual's PHI and the guidance exceeded HHS’s legal bounds.
  • This decision did not entirely nullify the guidance but emphasized that PHI might include an IP address in specific cases, such as on authenticated (logged-in) websites.

4. Impact of Chevron Deference Overturn

  • The Texas federal court’s decision came before the Supreme Court ruling in Loper Bright Enterprises v. Raimondo, which eliminated "Chevron deference," a precedent allowing agencies to interpret ambiguous laws broadly. The AHA decision and Loper Bright could signal more scrutiny and limitations on agencies' regulatory interpretations.

5. Future Implications for Health Privacy Laws

  • Despite the AHA decision, entities dealing with health data—including those under new consumer health privacy laws like Washington's My Health My Data Act (MHMDA)—may face similar challenges in defining PHI broadly. Companies may push back if personal data is involved but doesn’t specifically relate to health details.

6. Compliance Recommendations for Health Entities

  • Companies handling health information should:
    • Monitor the use of tracking tech as well as metadata such as IP address, especially on authenticated sites, for potential HHS guidance updates.
    • Review and update health privacy compliance programs and notices as necessary.
    • Assess third-party technology partners and consider agreements to address potential access to health information.
  • This decision and related legal actions indicate an evolving regulatory environment for health data, emphasizing the need for caution and regular compliance reviews in tracking technology use.

How Securiti Can Help

The Guidance and the evolving legal landscape provide much-anticipated instructions for regulated entities in the healthcare industry on their responsibilities regarding the use of tracking technologies. Now, it is up to businesses to reevaluate their data-sharing practices and their use of tracking technologies for compliance.

Securiti Cookie Consent Solution automatically scans cookies and similar tracking technologies and categorizes those based on their purposes.

Securiti Consent Management module helps you collect consent across multiple channels and orchestrate consent revocation. You can also deploy multiple consent collection points, centralize consent records, and sync consent across all your data systems.

Schedule a demo to see the Securiti Consent Management module in action.
