Getty Images/EyeEm
OCR updates HIPAA guidance on online tracking technologies
The HIPAA guidance prohibits regulated entities from using online tracking tech to disclose PHI to vendors for marketing and other purposes without consent.
OCR recently released updated HIPAA guidance for covered entities and business associates who use online tracking technologies that exchange protected health information (PHI).
The guidance addresses the increasing use of tracking technologies to collect and analyze data on users who interact with a covered entity’s website or mobile applications. Providers and other covered entities use the technology to improve care or patient experience, enhance the utility of webpages and applications, and allocate resources. Often, they will use a tracking technology vendor to provide the service and insights as part of their operations.
However, the use of online tracking technology recently drew criticism after the discovery that major US hospitals were using Meta Pixel, a type of the technology, which allegedly sent a packet of data to Facebook whenever a visitor clicked the button to schedule an appointment.
OCR said that HIPAA Rules apply when the information gathered through tracking technologies or disclosed to tracking technology vendors includes PHI. However, regulated entities cannot use tracking technologies that would result in PHI disclosures to tracking technology vendors or any other HIPAA Rules violations, according to the updated guidance.
“For example, disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures,” OCR clarified.
Some regulated entities may be sharing a variety of information to tracking technology vendors, including information that an individual types or selects when they use the regulated entity’s website or applications. This information could include the individual’s medical record number, home or email address, dates of appointments, and the individual’s IP address, location, device IDs, and other unique identifying codes. Some of these data points may meet the definition of individually identifiable health information (IIHI), which is a necessary pre-condition for information to meet the definition of PHI.
“IIHI collected on a regulated entity’s website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the IIHI, such as in some circumstances IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services,” OCR stated.
The guidance specifically addresses tracking on user-authenticated webpages, unauthenticated webpages, or within mobile applications, as well as HIPAA compliance for regulated entities when using tracking technologies.
Impermissible disclosure of PHI violates the HIPAA Privacy Rule and may also result in harms to individuals or others, such as identity theft, financial losses, discrimination, and mental anguish, OCR stated.
“While it has always been true that regulated entities may not impermissibly disclose PHI to tracking technology vendors, because of the proliferation of tracking technologies collecting sensitive information, OCR is providing this reminder that it is critical for regulated entities to ensure that they disclose PHI only as expressly permitted or required by the HIPAA Privacy Rule,” the agency wrote.
OCR said it is prioritizing compliance with the HIPAA Security Rule in investigations into online tracking technologies.
In response to the updated HIPAA guidance, the American Hospital Association’s general counsel and secretary Chad Golder said the modification “suffers from the same basic substantive and procedural defects as the original one, and the agency cannot rely on these cosmetic changes to evade judicial review.”
“The modified rule will continue to chill hospitals’ use of commonplace technologies that allow them to effectively reach patients in need,” Golder continued. “As the AHA has previously noted, these technologies are so essential that federal agencies themselves still use them on their own webpages, including HHS’s own Medicare.gov, as well as Health.mil, and various Veterans Health Administration sites.”
AHA previously sued the federal government over OCR’s stance on tracking technology use in healthcare, arguing the government’s December 2022 bulletin disrupts the balance between privacy and information sharing under HIPAA.