OCR issues guidance on web trackers
Web data tracking technology made the healthcare headlines in a big way during the first half of 2023 as dozens of HIPAA-covered entities found themselves fielding lawsuits filled with accusations about sending protected health information (PHI) to third parties.
Recent research has found that almost all hospital websites use some form of tracking tool that could be used to monitor website use, collect a variety of user data, and potentially share that information with external entities that do not have HIPAA business associate agreements, such as marketing firms and social media companies.
The ubiquity of the technology – and a rapid surge in class action suits against those employing the tools – has prompted the Office for Civil Rights (OCR) to issue a clarification around the obligations of HIPAA-covered entities in relation to these technologies.
Simply put, “regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules,” OCR says.
However, that doesn’t mean popular tracking technologies, like Meta Pixel, are completely off limits. OCR acknowledges that HIPAA-covered entities may use tracking tools for legitimate purposes related to healthcare operations, such as analyzing web traffic patterns or personalizing user experiences.
But the risks tend to emerge when web data leaves the organization itself, OCR explains.
“For example, disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures,” the agency says.
Impermissible disclosures are a violation of the HIPAA Privacy Rule and may cause serious harm to those affected by the improper sharing of information, including “identity theft, financial loss, discrimination, stigma, mental anguish, or other serious negative consequences to the reputation, health, or physical safety of the individual or to others identified in the individual’s PHI,” OCR states.
“Such disclosures can reveal incredibly sensitive information about an individual, including diagnoses, frequency of visits to a therapist or other health care professionals, and where an individual seeks medical treatment. While it has always been true that regulated entities may not impermissibly disclose PHI to tracking technology vendors, because of the proliferation of tracking technologies collecting sensitive information, now more than ever, it is critical for regulated entities to ensure that they disclose PHI only as expressly permitted or required by the HIPAA Privacy Rule.”
OCR suggests that healthcare entities review their use of tracking technologies, paying special attention to three main areas:
Tracking on user-authenticated webpages
User-authenticated pages that require a login are most likely to contain PHI, including demographics, clinical data, and financial information.
OCR states that “a regulated entity must configure any user-authenticated webpages that include tracking technologies to allow such technologies to only use and disclose PHI in compliance with the HIPAA Privacy Rule and must ensure that the electronic PHI collected through its website is protected and secured in accordance with the HIPAA Security Rule.”
Entities must also ensure they have appropriate business associate agreements in place with any third party involved in creating, receiving, maintaining, or transmitting PHI on behalf of a regulated entity for a covered function.
Tracking on unauthenticated webpages
Unauthenticated webpages, such as informational pages, are much less likely to contain PHI. However, there are some potential exceptions, including the login pages for patient portals and user registration pages. Because these pages collect information that OCR treats as PHI, such as credentials and registration details, they fall under the HIPAA Rules, and healthcare organizations should be wary about deploying tracking tools on them.
In addition, pages that allow users to investigate certain health conditions or search for specific providers may indirectly collect PHI. “For example, tracking technologies could collect an individual’s email address and/or IP address when the individual visits a regulated entity’s webpage to search for available appointments with a health care provider,” OCR says. “In this example, the regulated entity is disclosing PHI to the tracking technology vendor, and thus the HIPAA Rules apply.”
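The two sections above boil down to a concrete review task: inventory every third-party script, pixel and iframe a page loads, and treat any found on an authenticated page, or on a page whose URL carries user-entered search terms, as a candidate PHI disclosure. The script below is an added example written for this article, not code from OCR or from any hospital's site. It scans a constructed sample of portal HTML (the site domain `example-hospital.org`, the `/portal/` path prefix and the sample page are all made up; the tracker hostnames in `KNOWN_TRACKERS` are real tracker CDN hosts but the list is illustrative, not exhaustive). The severity rule, which flags authenticated pages and pages with query strings because trackers commonly transmit the full page URL, is this example's own heuristic, not OCR's.

```javascript
// Added example: inventory third-party trackers embedded in a page's HTML.
// Assumptions: the regulated entity's domain is example-hospital.org (made up),
// authenticated content lives under /portal/ (made up), and the HTML below is a
// constructed sample, not a real hospital page.
const FIRST_PARTY = 'example-hospital.org';

// Hosts of widely deployed tracking scripts and pixels. Illustrative, not exhaustive.
const KNOWN_TRACKERS = {
  'connect.facebook.net': 'Meta Pixel',
  'www.facebook.com': 'Meta Pixel (image beacon)',
  'www.google-analytics.com': 'Google Analytics',
  'www.googletagmanager.com': 'Google Tag Manager',
};

// Constructed sample of a patient-portal page that loads one first-party script,
// one first-party stylesheet, and three third-party tracking resources.
const SAMPLE_PORTAL_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<link rel="stylesheet" href="https://cdn.example-hospital.org/site.css">
</head><body>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=0&ev=PageView&noscript=1"/></noscript>
</body></html>`;

// Pull the src/href URL out of every script, img, iframe and link tag.
function extractResourceUrls(html) {
  const tagRe = /<(script|img|iframe|link)\b[^>]*>/gi;
  const attrRe = /\s(?:src|href)\s*=\s*["']([^"']+)["']/i;
  const urls = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = attrRe.exec(m[0]);
    if (a) urls.push({ tag: m[1].toLowerCase(), url: a[1] });
  }
  return urls;
}

// Resolve relative and protocol-relative URLs against the first-party origin.
function hostOf(url) {
  try {
    return new URL(url, `https://${FIRST_PARTY}/`).hostname;
  } catch {
    return null;
  }
}

function isFirstParty(host) {
  return host === FIRST_PARTY || host.endsWith('.' + FIRST_PARTY);
}

// Audit one page. Every third-party resource is a finding; findings on an
// authenticated path, or on a page whose URL carries a query string (search
// terms, provider names), are rated high because trackers typically send the
// full page URL to the vendor. That rating rule is this example's assumption.
function auditPage(pageUrl, html, opts = { authenticatedPrefixes: ['/portal/'] }) {
  const page = new URL(pageUrl);
  const authenticated = opts.authenticatedPrefixes.some((p) => page.pathname.startsWith(p));
  const hasQuery = page.search.length > 1;
  const findings = [];
  for (const { tag, url } of extractResourceUrls(html)) {
    const host = hostOf(url);
    if (!host || isFirstParty(host)) continue;
    findings.push({
      tag,
      host,
      vendor: KNOWN_TRACKERS[host] || 'unknown third party',
      severity: authenticated || hasQuery ? 'high' : 'review',
    });
  }
  return { page: page.pathname + page.search, authenticated, hasQuery, findings };
}

// Run the audit against the constructed sample as an authenticated search page.
console.log(JSON.stringify(
  auditPage('https://example-hospital.org/portal/appointments?provider=cardiology', SAMPLE_PORTAL_HTML),
  null, 2));
```

In practice the HTML would be fetched with an authenticated session, since trackers are often injected only after login, and the host list would be replaced by the organization's own allowlist of vendors with signed business associate agreements; anything not on that list is a disclosure to investigate.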
Tracking within mobile apps
Mobile apps are used for a variety of purposes, including paying bills and accessing personal clinical information. They can also interact with data collected by the user’s device, such as fingerprints or facial scans, network and geolocation data, and other identifying information.
“Such information collected by a regulated entity’s mobile app is PHI, and thus the regulated entity must comply with the HIPAA Rules for any PHI that the mobile app uses or discloses, including any subsequent disclosures to the mobile app vendor, tracking technology vendor, or any other third party who receives such information,” OCR explains.
“However, the HIPAA Rules do not protect the privacy and security of information that users voluntarily download or enter into mobile apps that are not developed or offered by or on behalf of regulated entities, regardless of where the information came from.”
In practice, this means a covered entity is not liable under HIPAA if a user takes their own health information from the patient portal and enters it into an app that was not developed or offered by or on behalf of a regulated entity, and that app then shares the data with a social media company or other external partner.
Overall, OCR cautions healthcare entities to be fully familiar with the rules around data sharing under HIPAA before employing web data tracking tools. Entities should be certain to establish the necessary business associate agreements with their partners and develop transparent, trusted relationships with anyone who interacts with data on their behalf.
If a breach does occur, entities must be responsive and act swiftly to take responsibility for the issue, notify affected users, and remedy the vulnerability to prevent a recurrence and avoid the threat of class action lawsuits that can cause lasting reputational damage.
For more resources on the use of web tracking technologies, read the full OCR guidance document.
Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry. Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system.