Healthcare data privacy is a serious and growing concern, both for people who actively use wearable technologies and for anyone who wants to keep their health data private.
Health data merits additional protection because of its sensitive nature and the wide range of potential consequences for individuals if it is impermissibly disclosed. An impermissible disclosure of health data may result in identity theft, financial loss, discrimination, stigma, mental anguish, and other serious harm to an individual's health or safety.
Recognizing these potential harms to data subjects, and in order to address their data privacy concerns in the wake of the Dobbs v. Jackson Women's Health Organization decision, the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), issued guidance on 1 December 2022 on the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates (the Guidance).
This Guidance addresses HIPAA-covered entities and business associates (regulated entities) under the HIPAA Privacy, Security, and Breach Notification Rules (HIPAA Rules) that use online tracking technologies on their websites or mobile applications.
HHS’s Definition of Tracking Technologies
HHS provides a detailed explanation of tracking technologies and their uses. Generally, a tracking technology is any script or piece of code that a website or mobile application uses to gather information about how users interact with it, along with other information about the user. In the healthcare industry, a website or app may use the insights derived from tracking technologies to improve the patient care experience and deliver enhanced services.
HHS further clarifies that tracking technologies are not limited to cookies. They can be any of a range of technologies that collect and analyze users' personal information, such as "web beacons or tracking pixels, session replay scripts, and fingerprinting scripts."
When used in a mobile application, tracking technologies may also collect users' device IDs, geolocation, or advertising IDs. Based on the collected information, the app owner or any third party receiving it, such as an advertiser, may be able to build individual user profiles and send targeted advertisements to the data subjects.
Compliance Obligations under HIPAA Guidance
The Guidance applies to HIPAA-covered entities and business associates (regulated entities). Online tracking technologies can collect different types of health data, including individually identifiable health information (IIHI), which in this context is generally protected health information (PHI), that an individual provides when using a regulated entity's website or mobile app.
IIHI includes a wide range of data elements, such as patient demographics and any information that relates to an individual's past, present, or future health condition, the provision of healthcare, or payment for healthcare, where the information identifies the individual or could reasonably be used to do so. Under certain circumstances, IIHI may also include an individual's IP address or geographic location, medical device IDs, or any unique identifying code.
Protected health information (PHI) is IIHI that is transmitted by or maintained in electronic media, or transmitted or maintained in any other form or medium. Notably, all IIHI collected on a regulated entity's website or mobile app is generally PHI, even if the individual has no existing relationship with the regulated entity, because the act of collection itself connects the individual to the regulated entity: it indicates that the individual has received or will receive healthcare services or benefits from it.
The Guidance clarifies that regulated entities must not use tracking technologies in a manner that results in an impermissible disclosure of PHI to tracking technology vendors or in any other violation of the HIPAA Rules. Before disclosing PHI to a tracking technology vendor, a regulated entity must:
- Determine whether the tracking technology vendor is a business associate. A tracking technology vendor is a business associate if it creates, receives, maintains, or transmits PHI on behalf of a regulated entity for healthcare operations or any other covered function under HIPAA, or provides certain services to or for a covered entity (or another business associate) that involve the disclosure of PHI.
- Establish a business associate agreement (BAA) with the tracking technology vendor if it meets the definition of a business associate. The BAA must specify the vendor's permitted and required uses and disclosures of PHI, and must require the vendor to safeguard the PHI and to report any notifiable breaches of the PHI to the regulated entity.
- Ensure that every disclosure of PHI to a tracking technology vendor is specifically permitted by the HIPAA Privacy Rule.
- Obtain individuals' HIPAA-compliant authorizations where the regulated entity does not have a business associate relationship with the tracking technology vendor and no applicable Privacy Rule permission exists. A privacy policy or notice, terms and conditions, or a cookie consent banner on the website is not sufficient, because none of these constitutes a valid HIPAA authorization.
- Limit all disclosures of PHI to tracking technology vendors to the minimum necessary to achieve the intended purpose.
HHS recognizes that regulated entities use tracking technologies on user-authenticated web pages, on unauthenticated web pages, and in mobile applications, and the Guidance addresses each case.
For User-Authenticated Web Pages
User-authenticated web pages on a regulated entity's website are accessible only after the user logs in, for example a patient portal used to check personal medical history or schedule an appointment with a healthcare provider. Tracking technologies on these pages generally have access to PHI, such as the user's medical record number, IP address, appointment details, and similar identifying health information.
In such cases, the regulated entity must ensure that the PHI is used and disclosed in compliance with the HIPAA Privacy Rule and that the electronic PHI (ePHI) is protected in accordance with the HIPAA Security Rule. Concretely, HHS requires the regulated entity first to confirm that the Privacy Rule permits the disclosure of PHI to the tracking technology vendor, and then to enter into a business associate agreement (BAA) with the vendor so that the patient's PHI remains protected under the HIPAA Rules.
For Unauthenticated Web Pages
Most websites have far more unauthenticated web pages than user-authenticated ones. These pages usually contain general healthcare information and do not require users to log in. Tracking technologies on many such pages do not have access to PHI, and in that case their use is not regulated by the HIPAA Rules, as long as no PHI is disclosed.
That said, some unauthenticated pages do collect PHI: for example, the login page of a patient portal, or a registration page where an individual creates an account by entering a name, email address, patient record number, and similar details. Tracking technologies on these pages could collect credentials or other PHI, so the HIPAA Rules apply and the regulated entity must protect that PHI accordingly.
HHS gives a further example: an unauthenticated page that addresses specific symptoms or health conditions (such as pregnancy), or that lets visitors search for doctors or schedule appointments without logging in. If a tracking technology on such a page collects the visitor's IP address or other identifiers and ties them to the content viewed or searched, that combination may itself be PHI, and its disclosure to a vendor is subject to the HIPAA Privacy Rule.
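Before a regulated entity can answer the questions above (which vendors receive data, whether a BAA covers them, whether the page URL ties an identifier to a symptom search), it needs an inventory of what each page actually sends out. The following Python script is an added example and is not part of HHS's guidance or of Securiti's product. It lists every remote resource a page loads, separates third-party hosts from first-party ones, marks which third parties run code inside the page (and so can read the full URL, DOM and form fields regardless of referrer policy), flags identifying or health-related query keys in the page's own URL, and checks whether the page's referrer policy ships that full URL cross-origin. The domain names, the sensitive-key list and the sample portal page are constructed for illustration; the same-site check is a simplification that ignores public-suffix rules, and the browser default referrer policy is assumed to be strict-origin-when-cross-origin.

```python
"""Added example: inventory third-party tracking resources on one page."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urljoin, parse_qs
import re

# Query keys in the page's own URL that would tie identity or health status to
# every cross-origin request made from the page (constructed list; extend it
# for your own site).
SENSITIVE_QUERY_KEYS = {"mrn", "patient_id", "email", "reason", "symptom", "condition"}

# Referrer policies under which a cross-origin request carries the full page
# URL (path and query) in the Referer header. Every other policy sends at most
# the origin. Modern browsers default to strict-origin-when-cross-origin
# (assumption: nothing else is set via HTTP header or per-element attribute).
FULL_URL_REFERRER_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}
DEFAULT_REFERRER_POLICY = "strict-origin-when-cross-origin"

URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


def same_site(host, page_host):
    """First-party check: the page host or a subdomain of its last two labels.
    Simplification: ignores public-suffix rules (e.g. example.co.uk)."""
    base = ".".join(page_host.split(".")[-2:])
    return host == page_host or host == base or host.endswith("." + base)


class TrackerScanner(HTMLParser):
    """Collect every remote resource a page loads, plus its <meta referrer>."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []          # (tag, absolute_url)
        self.referrer_policy = None  # from <meta name="referrer">, if present
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "referrer":
            self.referrer_policy = (a.get("content") or "").strip().lower()
        src = a.get("href") if tag == "link" else a.get("src")
        if tag in ("script", "img", "iframe", "link") and src:
            self.resources.append((tag, urljoin(self.page_url, src)))
        # Inline snippets (tag managers, session-replay loaders) inject more
        # scripts at runtime; harvest any absolute URLs they mention.
        if tag == "script" and not src:
            self._in_inline_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            for url in URL_RE.findall(data):
                self.resources.append(("inline-script", url))


def audit_page(page_url, html):
    """Return third-party resources and URL-leak risk indicators for one page."""
    scanner = TrackerScanner(page_url)
    scanner.feed(html)
    scanner.close()
    page = urlsplit(page_url)
    third_party = []
    for tag, url in scanner.resources:
        host = urlsplit(url).hostname or ""
        if host and not same_site(host, page.hostname):
            third_party.append({
                "tag": tag,
                "host": host,
                # A script runs in the page: it can read the DOM, the full URL,
                # form fields and first-party cookies whatever the referrer policy.
                "executes": tag in ("script", "inline-script"),
            })
    policy = scanner.referrer_policy or DEFAULT_REFERRER_POLICY
    return {
        "third_party": third_party,
        "sensitive_query_keys": sorted(
            k for k in parse_qs(page.query) if k.lower() in SENSITIVE_QUERY_KEYS),
        "referrer_policy": policy,
        "full_url_in_referer": policy in FULL_URL_REFERRER_POLICIES,
    }


# Constructed sample: an appointment page on a fictional patient portal.
PAGE_URL = "https://portal.example-health.org/appointments/schedule?reason=pregnancy&mrn=123456"
SAMPLE_HTML = """
<html><head>
<meta name="referrer" content="no-referrer-when-downgrade">
<link rel="stylesheet" href="https://static.example-health.org/css/portal.css">
<script src="/static/app.js"></script>
<script src="https://analytics.example-tracker.net/tag.js"></script>
<script>
  var s = document.createElement('script');
  s.src = 'https://replay.example-session.net/rec.js';
  document.head.appendChild(s);
</script>
</head><body>
<h1>Schedule an appointment</h1>
<img src="https://pixel.example-ads.net/p.gif?ev=pageview" width="1" height="1" alt="">
</body></html>
"""

if __name__ == "__main__":
    report = audit_page(PAGE_URL, SAMPLE_HTML)
    for f in report["third_party"]:
        role = "runs in page" if f["executes"] else "receives request"
        print(f"{f['tag']:<14} {f['host']:<32} {role}")
    print("sensitive query keys:", report["sensitive_query_keys"])
    print("referrer policy:", report["referrer_policy"],
          "(full URL sent cross-origin)" if report["full_url_in_referer"] else "")
```

Run it against the saved HTML of each authenticated page and each symptom- or condition-specific unauthenticated page. Every host it lists that is not covered by a BAA or by a Privacy Rule permission is a disclosure to justify, authorize, or remove; a `full_url_in_referer` result of true on a page with sensitive query keys means even a plain image pixel receives the identifier-to-condition link without executing any code.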
Tracking Technologies on Mobile Apps
As with web pages, a mobile app offered by a regulated entity may use tracking technologies that collect, use, or disclose a wide range of information, such as device IDs, advertising IDs, network location, geolocation, and device fingerprints, to the app owner or to third-party tracking technology vendors. HHS considers this information to be PHI in general, so its use and disclosure is regulated by the HIPAA Rules.
However, if an individual voluntarily downloads and uses a mobile app that is not developed or offered by or on behalf of a regulated entity, the HIPAA Rules do not protect the information the individual enters into it, regardless of where that information originally came from. For example, the HIPAA Rules do not apply to health information that an individual enters into an app offered by an entity that HIPAA does not regulate.
HIPAA Privacy, Security & Breach Notification Obligations
The Guidance also addresses regulated entities' privacy, security, and breach notification obligations in relation to tracking technologies.
On breach notification: an impermissible disclosure of PHI to a tracking technology vendor that compromises the security or privacy of the PHI is presumed to be a breach of unsecured PHI unless the regulated entity can demonstrate that there is a low probability that the PHI has been compromised. Where that presumption stands, the regulated entity must notify the affected individuals, the Secretary of HHS, and, where applicable, the media.
On security: the Guidance requires regulated entities to address their use of tracking technologies in their risk analysis and risk management processes, and to implement the administrative, physical, and technical safeguards the Security Rule requires for ePHI, such as encrypting ePHI transmitted to a tracking technology vendor and enabling appropriate authentication, access, encryption, and audit controls when accessing ePHI held in the vendor's infrastructure.
On privacy: HHS makes clear in its bulletin that regulated entities may describe their use of tracking technologies in privacy policies, privacy notices, or terms of service. However, terms and conditions, a privacy policy, or a cookie consent banner is not a sufficient or valid way of obtaining an individual's authorization for the disclosure of their PHI. Where the vendor is not a business associate and no Privacy Rule permission applies, a valid HIPAA authorization meeting the requirements of the Privacy Rule is required before PHI is disclosed.
How Securiti Can Help
The Guidance gives regulated entities long-awaited direction on their responsibilities when using tracking technologies. It is now up to each business to re-evaluate its data-sharing practices with tracking technology vendors, and its use of tracking technologies at all, for compliance.
Securiti Cookie Consent Solution automatically scans cookies and similar tracking technologies and categorizes those based on their purposes.
Securiti Consent Management module helps you collect consent across multiple channels and orchestrate revocation of consent. You can further deploy multiple consent collection points, centralize consent records, and sync consent across all your data systems.
Schedule a demo to see the Securiti Consent Management module in action.