The U.S. Department of Health and Human Services Office for
Civil Rights (OCR) issued guidance regarding covered entities’
and business associates’ use of tracking technologies (the Guidance). As discussed in greater detail
below, the Guidance reveals OCR’s position that an IP address
is not just an identifier but is itself
individually identifiable health information (IIHI) when collected
by tracking technology on a healthcare entity’s website. In
light of the significant regulatory and class-action activity
against covered entities and business associates regarding their
use of this technology, this post provides our analysis of how the Guidance affects these entities’ use and assessment of tracking technologies. We also provide general recommendations for healthcare entities in light of the Guidance.
Background – Tracking Technologies
Organizations use various tools to make their websites
functional, improve visitor experience and analyze website traffic.
These tools are often grouped together and referred to as
“tracking technologies” and include things like cookies,
web beacons or pixel tags, heatmaps, session replay, and recording
scripts, all of which can be used to collect information from
website visitors as they navigate a website.
The following list includes a general overview of each of these
common technologies and their functions.
- Cookies – Cookies are small text files sent to website visitors’ browsers from the websites they visit. They help that website learn or remember information about the visit – such as the user’s preferences (e.g., language choice, page configuration, shopping cart contents) – to improve the web browsing experience. Cookies can also be used for analytics, advertising and personalization. Depending on the user and browser settings, the browser will store cookies locally on the user’s device.
- Pixels – Also known as web beacons, trackers or advertising technology (AdTech), a pixel is a piece of code embedded on a website that can be used to track visitor activity on that website. By default, pixels will collect information about URLs visited, buttons clicked and other actions taken by a website visitor on a webpage where the pixel is present. Many pixels interact with cookies to track users’ activity and preferences.
- Heatmaps – Heatmaps collect user behavior data – such as button clicks and scrolling – to provide the website owner with a color-coded representation of the website elements that are the most (hot) and least (cold) interacted with.
- Session recording – Also known as session replays, user recordings and user/visitor replay tools, session recordings are renderings of real actions taken by visitors as they browse a website. The recordings capture mouse movement, clicks/taps, keyboard strokes and scrolling during the visitor’s website session to help website owners improve site functionality by understanding how users navigate their site, how they interact with elements, where they hesitate and where they get stuck. By default, the session recording tools we have seen (including HotJar and Crazy Egg) automatically anonymize keyboard strokes (i.e., the data a user inputs in a form) and can be configured to suppress specific elements.
Separately, all websites also collect a set of data from website visitors in order for the website to function, known as HTTP headers or “header information.” Without getting too technical, header information is the metadata a visitor’s browser and the website’s server exchange with every request and response, and it is a necessary component of how the web works. Header information includes data about a visitor’s computer, mobile device and Internet connection, such as the IP address, operating system, browser type and app version. This information tells a website how to present information to the visitor (for example, the website might be presented differently when the visitor is on a computer versus on a mobile device) and where to send it (i.e., the IP address).
Background – Regulatory Action and Litigation Related to
Tracking Technology
Regulatory scrutiny of and class-action litigation based on
healthcare providers’ use of tracking technology increased
significantly after the June 2022 online publication of an article
about healthcare providers’ use of Meta Pixel. Since 2016,
there has been ongoing class-action litigation against a small
group of entities and tracking technology providers. After June
2022, however, the litigation net was cast much wider, with new
cases filed against many of the hospitals named in the article.
Additionally, many of our clients (not all of whom were named in
the article) began receiving regulatory inquiries from OCR, state
attorneys general and departments of justice, and federal
congressional committees. While the inquiries were triggered by
interest in the use of tracking technology, the OCR inquiries have
taken deep dives into general compliance with the Health Insurance
Portability and Accountability Act (HIPAA) Privacy, Security and
Breach Notification Rules. Several investigations have also
revealed an interest in the intersection of tracking technology and
its use on webpages related to women’s reproductive health
following the Dobbs decision.
The Guidance – OCR’s Position on What Constitutes PHI when
Collected from a Covered Entity’s Website
Below we highlight the significant points OCR makes in the
Guidance in support of its position that an IP address is itself
IIHI when collected by tracking technology on a HIPAA covered
entity’s (CE) website. Those points are followed by OCR’s
recommendations for using tracking technology in a HIPAA-compliant
manner.
First, OCR’s rationale:
- OCR asserts that an IP address alone, collected by a CE’s website, is IIHI. In explaining how the HIPAA rules apply to CEs’ use of tracking technologies, OCR begins by asserting that (1) a website user’s IP address or geographic location, or any unique identifying code, is individually identifiable health information (IIHI); and (2) all IIHI, including IP addresses and geographic locations, that a website visitor provides when using a CE’s website “generally is PHI [protected health information],” even if the individual does not have an existing relationship with the CE and even if the IIHI, such as an IP address or geographic location, does not include specific treatment or billing information like dates and types of healthcare services.
- According to OCR, “[t]his is because, when a regulated entity collects the individual’s IIHI through its website or mobile app, the information connects the individual to the regulated entity (i.e., it is indicative that the individual has received or will receive health care services or benefits from the covered entity), and thus relates to the individual’s past, present, or future health or health care or payment for care.”
- A business associate agreement (BAA) is required for use of tracking technologies on a CE’s user-authenticated websites. Regarding tracking technologies on a CE’s user-authenticated websites (e.g., a patient portal), OCR states such technologies generally have access to PHI, and therefore a BAA with the technology vendor is required.
- A BAA is required for use of tracking technologies on certain unauthenticated webpages. Regarding tracking technologies on a CE’s unauthenticated websites (e.g., any publicly available pages not requiring a login), OCR states such technologies generally do not have access to PHI and the HIPAA Rules do not apply. However, OCR outlines certain cases where it says tracking technologies on unauthenticated webpages may have access to PHI and the HIPAA Rules do apply, including (1) the login page of the CE’s patient portal or a user registration webpage where the user creates a login for the patient portal and (2) webpages that address specific symptoms or health conditions, such as pregnancy or miscarriage, or that allow a visitor to search for doctors or schedule appointments.
- OCR provides the following as an example of when tracking technologies on unauthenticated pages have access to PHI: “[T]racking technologies could collect an individual’s email address and/or IP address when the individual visits a regulated entity’s webpage to search for available appointments with a health care provider. In this example, the regulated entity is disclosing PHI to the tracking technology vendor, and thus the HIPAA Rules apply.”
- Information collected from the user or the user’s device by a CE’s mobile app is PHI. Regarding CEs’ mobile apps, OCR notes that such apps collect information provided by the user (i.e., information typed or uploaded into the app) and by the user’s device (i.e., fingerprints, network location, geolocation, device ID or advertising ID) and states that such information is PHI. Thus, CEs must comply with the HIPAA Rules for any PHI that the mobile app uses or discloses, including any subsequent disclosures to mobile app vendors, tracking technology vendors or any other third party that receives such information.
OCR also offers examples of the HIPAA Privacy, Security and
Breach Notification Rules’ requirements that CEs must meet when
using tracking technologies with access to PHI.
OCR’s requirements are as follows:
Privacy Rule:
- CEs must ensure that if PHI is provided to a tracking technology vendor, the disclosure is permissible under HIPAA or subject to an exemption, and that only the minimum necessary PHI to achieve the intended purpose is disclosed.
- OCR clarifies that a website or mobile app’s privacy policy, terms and conditions, and/or privacy notice are not sufficient to permit disclosures of PHI to tracking technology vendors if the disclosure is not otherwise a permissible disclosure under HIPAA or pursuant to a valid BAA.
- OCR states that tracking technology vendors that receive PHI must sign a BAA, which must include a description of the vendor’s permissible uses and a guarantee of safeguarding PHI. OCR warns CEs that the vendor must meet the definition of a business associate in order for a BAA to permit the disclosure. “Signing an agreement containing the elements of a BAA does not make a tracking technology vendor a business associate if the tracking technology vendor does not meet the business associate definition.”
- If there is not a HIPAA-permitted disclosure or BAA, then CEs must obtain a HIPAA-compliant authorization prior to the disclosure of PHI to a tracking technology vendor. Website banners that ask users to accept or reject a website’s use of tracking technologies – such as cookies – do not constitute a valid HIPAA authorization.
Security Rule:
- CEs must address the use of tracking technologies in their risk
analysis and risk management processes and implement other
administrative, physical and technical safeguards (e.g., encrypting
PHI transmitted to a technology vendor) to protect the PHI.
Breach Notification Rule:
- CEs must notify affected individuals, OCR and the media, as
applicable, of an impermissible disclosure of PHI to a tracking
technology vendor that compromises the security or privacy of PHI
where there is no Privacy Rule permission to disclose PHI and there
is no BAA with the vendor, unless the CE can demonstrate that there
is a low probability that the PHI has been compromised.
BakerHostetler’s Assessment – Impact of the Guidance
The Guidance appears to conflate the statutory definition of
IIHI with the identifiers listed in 45 CFR § 164.514(b)(2),
which relates to de-identification of established PHI/IIHI. Under
HIPAA:
- IIHI is defined as “information that is a subset of health information, including demographic information collected from an individual, and: (1) Is created or received by a [CE]; and (2) relates to the past, present, or future [(PPF)] physical or mental health or condition of an individual; the provision of health care to an individual; or the [PPF] payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.” 45 CFR § 160.103 (our emphasis).
- Health information (Health Information) is defined as “any information, including genetic information, whether oral or recorded in any form or medium, that: (1) Is created or received by a [CE]; and (2) Relates to the [PPF] physical or mental health or condition of an individual; the provision of health care to an individual; or the [PPF] payment for the provision of health care to an individual.” Id. (our emphasis).
- PHI is IIHI that is: “(i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium.” Id.
In other words, IIHI creates the threshold for when personal
information is considered PHI subject to the Privacy Rule. As such,
it must include some Health Information about an individual
accompanied by sufficient identifiers such that the individual
is/could reasonably be identified.
45 CFR 164.514(b)(2), on the other hand, only applies once a
determination has been made that the data at issue is PHI, as it
instructs entities on which data elements to
remove from PHI in order to render it
de-identified. It is not a list of data elements that are, standing
alone, individually identifiable.
The Guidance does not acknowledge any of the myriad situations
in which the information that can be collected by tracking
technologies never even meets the threshold definition of Health
Information. Additionally, the Guidance states that something is
IIHI if it “connects” a person with a CE, even if the
person never becomes a patient. This is not consistent with the
statutory definitions of IIHI and PHI. As a result of these two
definitional issues, the Guidance could be ripe for challenge by
both targets of OCR investigation and industry groups, including
with respect to the scope of the OCR’s regulatory authority
under HIPAA.
In practice, even if the definitional issues above were not
present, the OCR may have a problem sufficiently proving a
violation. Namely, the Guidance fails to acknowledge that, while
some visitors on a CE’s website are also the CE’s patients,
the pervasive use of “Dr. Google” to diagnose oneself or
one’s friends/family members means that it is very likely that
a significant amount of the data collected is not about the
visitors themselves. With that reality, parsing out when such
circumstances arise is impossible. For instance, a person may go to
a hospital’s website after googling “face rash”
because someone else – a friend, relative, co-worker – was
experiencing that symptom. That user’s IP address bears no
relationship to the person with the condition being searched and
thus this is not IIHI. An attorney at a law firm may visit a
hospital’s website from his or her office, using the firm’s
IP address, to determine whether the notice of privacy practices
(NPP) is up to date. The IP address is the firm’s, not the
attorney’s, and the perusal of the NPP is not related to a
health condition. OCR opts for a sledgehammer over a scalpel here,
and in doing so creates guidance so flawed that we believe OCR will
find it difficult to sufficiently prove a wholesale violation.
The Guidance does acknowledge the ability of CEs and their
business associates to conduct a risk assessment to determine
whether the use of a tracking technology resulted in a compromise
of PHI. In undertaking that analysis, the basic question of
“Was PHI involved?” is crucial, and CEs can defensively
continue to use HIPAA’s definition of PHI, rather than the
Guidance, to make that determination.
Recommendations
This Guidance should not be retroactively effective, meaning it
should only apply on a going-forward basis. However, the
going-forward application of this Guidance warrants analysis on
whether the benefits of CEs continuing the use of tracking
technologies are worth the risk. Specifically, it is possible that
OCR could use the Guidance as a basis to find willful noncompliance
for entities that continue to use tracking technologies after its
publication date – resulting in higher penalty amounts levied.
While we do not believe that the use of tracking technologies is
a per se violation and do believe that the Guidance can be
successfully defended against, because of the increased potential
for high fines after the Guidance came out, in an abundance of
caution, we recommend the following:
- If, as a CE, you’ve not already done so, determine whether any tracking technology is utilized on your websites, appointment forms and/or patient portal. It is important to understand which specific technology is being utilized and what information may be transmitted with this technology. Common technology products we have examined in our investigations include Meta Pixel, Google Analytics, Google Maps, Yelp, HotJar, Microsoft Clarity and Crazy Egg, to name a few.
- To the extent that discussions about continuation/discontinuation of tracking technologies have been tabled, in an abundance of caution, we recommend reprioritizing the assessment and, if discontinuation is planned, implementing it quickly.
- Implement a website governance plan so that legal/compliance/privacy professionals are part of any website technology change management process. This plan should be a documented policy and procedure, and training the marketing department and all advertising and marketing vendors on the process is highly recommended.
- To the extent you will not discontinue all tracking technology use, ensure that each tracking product will be considered in your regular HIPAA risk analyses.
- To the extent you will not discontinue all tracking technology use, the decision as to whether a BAA is appropriate should be documented as to each vendor. Although many vendors refuse to sign BAAs, in light of the Guidance, they may be more willing to do so.
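The first recommendation above (inventory which tracking products your pages load), together with the tracking-technology background earlier in the post, lends itself to a worked example. What follows is our added example, not code from the original post or from any of the vendors named; the host-to-product table and the sample page it scans are constructed assumptions.

```python
"""Inventory the third-party tracking technologies an HTML page loads (added
example; the host table and the sample page are constructed assumptions)."""
import re
from html.parser import HTMLParser

# Assumed loader hosts for the products named in the post; extend for your site.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel", "www.facebook.com": "Meta Pixel",
    "www.googletagmanager.com": "Google Tag Manager / Analytics",
    "www.google-analytics.com": "Google Analytics",
    "static.hotjar.com": "HotJar", "www.clarity.ms": "Microsoft Clarity",
    "script.crazyegg.com": "Crazy Egg",
}
# Absolute or protocol-relative URL -> host; first-party relative paths never match.
_HOST_RE = re.compile(r"(?:https?:)?//([A-Za-z0-9.-]+)")


class _RefCollector(HTMLParser):
    """Collects src/href attribute values and inline <script> text."""
    def __init__(self):
        super().__init__()
        self.texts, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe", "link"):
            self.texts.append(a.get("src") or a.get("href") or "")
        # Inline loaders build the tracker URL at runtime, so keep their text.
        self._in_script = tag == "script" and not a.get("src")

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        if self._in_script:
            self.texts.append(data)


def find_trackers(html):
    """Return {product: sorted loader hosts} for known trackers found in html."""
    p = _RefCollector()
    p.feed(html)
    hosts = {h.lower() for t in p.texts for h in _HOST_RE.findall(t)}
    found = {}
    for h in sorted(hosts):
        if h in TRACKER_HOSTS:
            found.setdefault(TRACKER_HOSTS[h], []).append(h)
    return found


# Constructed sample: tag-manager loader, inline session-recording loader,
# first-party script, and an image beacon inside a <noscript> fallback.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>var s=document.createElement('script');
s.src='https://static.hotjar.com/c/hotjar-'+SITE_ID+'.js';document.head.appendChild(s);
</script><script src="/assets/site.js"></script></head><body><h1>Find a doctor</h1>
<noscript><img src="https://www.facebook.com/tr?id=0&amp;ev=PageView" width="1"></noscript>
</body></html>"""
```

A static scan of the served HTML cannot see tags that a tag manager injects at runtime, so pair it with a review of the browser’s network activity on the patient portal, login and scheduling pages.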