BLOG

by Angela Fitzpatrick 

In the rapidly evolving digital landscape, the intersection of healthcare data privacy and online tracking technologies has become a focal point for both regulatory bodies and privacy advocates. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently published updated guidance on “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates,” illuminating the complexities and responsibilities that HIPAA-covered entities and their business associates face in this regard. 

What are Tracking Technologies 

Tracking technology refers to scripts or codes on websites and mobile apps that gather user information and behavior. This data is then analyzed by the site or app owners, or third parties, to gain insights into online activities. The information gathered can be used in positive ways, such as improving user experience, web utility, and resource allocation. For instance, hospitals can use this data to better allocate their resources based on the number of IP addresses accessing specific information.  

However, there's potential for misuse of this information, such as promoting misinformation or enabling identity theft. Tracking technologies collect data in various ways, often without the users' knowledge. They can employ cookies, web beacons, or tracking pixels, among others, to monitor user activity. Mobile apps often have embedded tracking code to collect user-provided information, including unique device identifiers.  

Tracking technologies can either be developed internally or by third parties, with the latter often continuing to track users even after they've left the original site. This document primarily focuses on the obligations of regulated entities when using third-party tracking technologies. 

PHI Exposure and Compliance Risks 

The intersection of HIPAA and online tracking technologies is a focal point of concern due to the sensitive nature of healthcare information. Personal Health Information (PHI) encompasses a broad spectrum of data, including medical histories, treatment records, and even geographic locations when tied to health services. 

The article offers an in-depth analysis of how online tracking technologies—ranging from cookies to more sophisticated digital fingerprinting methods—can inadvertently or deliberately capture Protected Health Information (PHI). The unauthorized disclosure of PHI not only undermines patient confidentiality but can also lead to significant legal and reputational consequences for healthcare providers. The guidance underscores the potential risks these technologies pose to the privacy and security of patient information. 

Exposure of PHI Through Online Tracking  

There are various scenarios where PHI could be exposed to unauthorized parties via online tracking tools, including the collection of IP addresses, email addresses, or even browsing behaviors linked to healthcare-related inquiries, which could reveal sensitive health information. The inadvertent or unauthorized disclosure of PHI not only compromises individual privacy but also places HIPAA-covered entities at risk of non-compliance with stringent HIPAA Privacy and Security Rules. 

User authenticated webpages, for example patient portals, use tracking technologies that can access PHI and must be secured in accordance with the HIPAA Security Rule (45 CFR part 164, subparts A and C).  

Unauthenticated webpages are more complicated when it comes to determining compliance. Typically, these webpages don’t have access to PHI; however, searching for healthcare information and then requesting an appointment may disclose PHI making it subject to HIPAA. 

Mobile apps provided by a regulated entity typically collect PHI and are subject to HIPAA. Mobile apps provided by non-regulated entities may not be subject to HIPAA but may be subject to other laws such as the Federal Trade Commission (FTC) Act and it’s Health Breach Notification Rule (HBNR).    

If a website or mobile app is managed by a vendor, HIPAA requires a business associate agreement (BAA) that guarantees PHI protection. This BAA should cover the use of online tracking and requirements for maintaining compliance with HIPAA. 

Actionable Steps to Minimize Exposure 

To mitigate the risks associated with online tracking technologies, the following steps are recommended: 

• Conduct a Comprehensive Assessment: HIPAA-covered entities should evaluate their use of online tracking technologies to identify potential risks to PHI. 
• Implement Privacy-Preserving Practices: Adopt practices such as anonymizing data, obtaining explicit consent before tracking, and ensuring third-party vendors comply with HIPAA regulations. 
• Educate Staff and Patients: Raise awareness about the implications of online tracking and the importance of protecting PHI among employees and patients alike. 
• Utilize Privacy Tools: Leverage tools and technologies designed to enhance online privacy and security, including encryption and secure web gateways. 

For those seeking to delve deeper into HIPAA regulations and patient rights, resources such as the HHS website, privacy advocacy groups, and educational materials on cybersecurity best practices offer valuable information. 

Conclusion: Taking Control of Online Privacy and HIPAA Compliance 

In conclusion, the article serves as a critical reminder of the ongoing challenges and responsibilities facing healthcare providers, business associates, and patients in protecting sensitive health information in the digital age. By understanding the risks, implementing robust privacy measures, and fostering a culture of compliance and awareness, entities can safeguard PHI against unauthorized access and ensure adherence to HIPAA regulations. 

Remember, protecting PHI is not only a regulatory requirement but a fundamental aspect of maintaining trust and integrity in the healthcare industry. 

Meditology Services is a leading provider of risk management, cybersecurity, and regulatory compliance consulting services that is exclusively focused on serving the healthcare community. More than a provider of services, Meditology is a strategic partner committed to providing our clients actionable solutions to achieve their most pressing objectives. With experience serving healthcare organizations ranging in size, structure, and operational complexity, we uniquely understand the challenges our clients face every day and dedicate ourselves to helping solve them. 

Our services span cybersecurity certifications, security risk assessments, penetration testing, medical device security, incident response, staff augmentation, and more. Our team includes former CISOs and privacy officers who have walked in our clients’ shoes, and our experienced consultants hold certifications spanning CISSP, CEH, CISA, HCISPP, CIPP, OSCP, HITRUST, and more. In addition, we maintain strong relationships with healthcare regulatory and standards bodies, including serving as HIPAA expert advisors to the Office for Civil Rights, providing us a uniquely thorough perspective on the healthcare cybersecurity landscape. 

Together with our sister company, CORL Technologies, we serve hundreds of leading healthcare payers, providers, and business associates across the United States. 

---

Author 

ANGELA FITZPATRICK | VICE PRESIDENT OF DELIVERY OPERATIONS 

Angela is an experienced Vice President of Delivery Operations who leads the firm’s IT Risk Management services practice. For more than fifteen years, Angela has managed critical technology, security, and privacy initiatives in a variety of healthcare settings. Angela’s strong track record includes experience developing complete security programs, leading security breach response efforts, and building audit functions. In addition to her security expertise, Angela has on-premises experience as a healthcare clinician and biomedical program manager, providing valuable insight into the operational workings of the healthcare industry. 

---

Resources 

https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html  

HIPAA Guidance 

Health Apps: https://www.hhs.gov/hipaa/for-professionals/special-topics/health-apps/index.html  

Security Rule: https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html?language=es  

Cybersecurity: https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html  

Privacy Rule: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/index.html  

Business Associate Contracts: https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html   

Health Apps and Online Tracking 

FTC Guidance on online tracking: https://consumer.ftc.gov/articles/how-protect-your-privacy-online  

https://www.ftc.gov/business-guidance/resources/mobile-health-apps-interactive-tool  

https://www.ftc.gov/business-guidance/resources/sharing-consumer-health-information-look-hipaa-ftc-act  

https://www.ftc.gov/business-guidance/blog/2022/07/location-health-other-sensitive-information-ftc-committed-fully-enforcing-law-against-illegal-use  

FTC Health Breach Notification Rule: https://www.ftc.gov/legal-library/browse/rules/health-breach-notification-rule  

ONC’s Model Privacy Notice for technology developers: https://www.healthit.gov/sites/default/files/2018modelprivacynotice.pdf