Department of Health and Human Services Offers HIPAA Guidance on Online Tracking Technologies
| Jurisdiction | United States, Federal |
| Citation | Vol. 1 No. 2 |
| Publication year | 2023 |
| Topic | Advertising Law, Contracts, Health Law, Technology |
Paul Bond, Shannon Britton Hartsfield, Ilenna J. Stein, and Mark S. Melodia *
In this article, the authors discuss the steps that healthcare companies can take both to comply with new guidance issued by the U.S. Department of Health and Human Services' Office of Civil Rights and to mitigate litigation and regulatory risk.
For years, patients and healthcare companies have been wrestling with privacy issues relating to cookies, pixels, and other tracking technologies. The U.S. Department of Health and Human Services' (HHS) Office of Civil Rights (OCR), which enforces the Health Insurance Portability and Accountability Act (HIPAA), has not substantially involved itself in this prolonged and public debate until now. As described below, the OCR has now spoken loudly. Without public comment, the OCR has issued a bulletin (the Bulletin) that may profoundly impact this debate.
More specifically, since at least the turn of the millennium, plaintiffs and their class action lawyers have alleged that tracking tools on websites and apps infringe on consumer privacy by allowing third parties to snoop without ordinary people understanding what information about them is being shared with others. Over at least the past several years, the focus has shifted to claims that healthcare companies specifically are improperly disclosing patient confidences by integrating into the code on their public websites digital advertising, analytics, and even security tools provided by Meta (formerly Facebook), Google, and lesser-known third parties not operating under Business Associate Agreements (BAAs). Healthcare companies have pushed back, stating that these tools are ubiquitous on the internet and serve legitimate business purposes, including security, improving website function and design, and guiding targeted outreach to the public, particularly during public health crises like a pandemic. Further, healthcare companies have argued that unless a patient actually logs into a patient portal, the healthcare company has no way of knowing if the person is a patient versus, for example, a family member or caretaker of a patient, a job applicant, a researcher, or even a bot. A wave of class actions was filed in 2022, typically seeking many millions in statutory damages under state wiretap act laws, and each potentially turning on how much privacy is expected when a member of the general public uses a website provided by a healthcare company. From a regulatory perspective, some companies have concluded that device identifiers and internet protocol (IP) addresses of website visitors are not protected under HIPAA, while others have limited or even removed third-party trackers from their websites.
The Bulletin on Tracking Technology
The Bulletin indicates that websites and mobile applications that use tracking technology could put healthcare companies at risk of privacy violations, even those websites and mobile apps for which no login is required (unauthenticated). The Bulletin applies to a broad range of healthcare companies—not just providers but also health plans, app developers working with them and others. The Bulletin uses a similarly broad brush to define the information with which it is concerned, emphasizing that all data elements that could be protected health information (PHI)—particularly identifiers listed in the so-called de-identification safe harbor—must be protected in the digital environment. If those identifiers, no matter how innocuous they seem, are going to third parties via tracking technology, covered entities and business associates need to ensure that the PHI is protected with appropriate BAAs or patient authorizations.
The Bulletin addresses tracking technologies in detail, and discusses how the HIPAA rules apply to the use of such technologies in connection with user-authenticated web pages, unauthenticated web pages, and mobile apps. HIPAA protects any unique identifying code relating to an individual if it relates to their healthcare. An individual's IP address, geographic location, dates of...