Pixels, cookies, and trackers continue to be front of mind for HIPAA regulated entities seeking clarity on their ability to advertise, market, and engage with existing and prospective patients. On March 18, 2024, the U.S. Department of Health and Human Services (HHS) issued updated guidance to its December 2022 Bulletin on the topic "to increase clarity for regulated entities and the public."

"IIHI (individually identifiable health information) collected on a regulated entity's website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the IIHI, such as in some circumstances IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services."

-HHS, Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates, March 18, 2024

What stayed the same?

Generally, the Bulletin can be read as a re-emphasis of HHS' December 2022 Bulletin on the same topic. HHS' position that individually identifiable health information collected on either a HIPAA regulated entity's mobile application (app) or user-authenticated webpage (post-user login) is protected health information (PHI) remains the same. That is, HHS' position is that sharing PHI obtained from a mobile app or user-authenticated webpage offered by or on behalf of a HIPAA regulated entity with third parties, such as social media companies, for purposes of marketing, retargeting, custom audiences, or creating a lookalike audience will require a HIPAA compliant authorization or a business associate agreement with the third party.

HHS is clear in the Bulletin that disclosing the use of tracking technologies in a privacy policy, notice, or terms of use, or posting a banner asking users to accept tracking technologies, does not constitute a valid HIPAA authorization.

Finally, and most importantly, HHS reiterates in its Bulletin that HIPAA regulated entities impermissibly sharing PHI with tracking technology vendors must follow HIPAA's Breach Notification Rule and provide notification of a breach of unsecured PHI to HHS, the individual, and the media (when applicable), "when there is no Privacy Rule requirement or permission to disclose PHI" and there is no business associate agreement with the tracking technology vendor.

Are there any changes?

While HHS' position on unauthenticated webpages (pre-user login) did not materially change, the Bulletin does clarify that a tracking technology connecting the IP address of a user's device with a visit to a webpage addressing specific health conditions may not be PHI if the visit to the webpage is not related to an individual's past, present, or future health, health care, or payment for health care. This seemingly would include cases such as a user visiting the website to find visiting hours or employment opportunities, a user accidentally or mistakenly accessing a HIPAA regulated entity's landing page, or a student user conducting research for academic purposes.

However, based on the examples given by HHS in the Bulletin, if the tracking technologies are accessing information regarding an individual seeking health care services (e.g., looking at oncology services to seek treatment options, scheduling an appointment, or using a symptom tracker tool even without entering credentials), that tracking technology has access to PHI. This would mean the HIPAA regulated entity needs a business associate agreement with the third party or a HIPAA compliant authorization for the sharing.

Why did HHS update its Bulletin?

This latest Bulletin comes as a surprise given that HHS is currently defending the December 2022 Bulletin in a lawsuit filed by the American Hospital Association and certain Texas hospitals. The lawsuit alleges that HHS expanded the definition of "individually identifiable health information" by including within the definition information collected "when an online technology connects (1) an individual's IP address with (2) a visit to an Unauthenticated Public Webpage that addresses specific health conditions or healthcare providers..." The American Hospital Association argues that HHS exceeded its statutory authority by interpreting the definition of individually identifiable health information this broadly, and thus, the portion of the Bulletin specific to unauthenticated webpages should be invalidated. The American Hospital Association is not challenging the Bulletin's position on mobile apps and user-authenticated webpages.

What should a HIPAA regulated entity do?

As was the case under the December 2022 Bulletin, HIPAA regulated entities should review their websites and mobile apps in light of the Bulletin. If tracking technologies are used on mobile apps or authenticated webpages, ensure a HIPAA compliant authorization has been obtained from the users or that a business associate agreement is in place with the third party. If tracking technologies are used on unauthenticated websites, assess where tracking technologies may be accessing information regarding an individual seeking health care services. Note that if the entity has a health-condition-specific website or is utilizing tools such as calendaring apps, symptom trackers, or questionnaires soliciting medical information, there is a greater likelihood that the entity's unauthenticated webpages are collecting PHI per HHS. With regard to the entity's past use of tracking technologies that may not have complied with HHS guidance, the entity should assess its obligations under the Bulletin and HIPAA. Also, keep in mind that HIPAA is only one law to consider when assessing the use of tracking technologies – other federal and state laws may also apply and impose additional obligations.