Tracking Software Can Lead to HIPAA Violations
The HHS Office for Civil Rights (OCR) has released a bulletin warning the use of website tracking technologies could result in HIPAA violations. Covered entities need to review their use of these tracking technologies and make necessary improvements.
OCR explained regulated entities are “not permitted to use tracking technologies in a manner that would result in impermissible disclosures of protected health information (PHI) to tracking technology vendors or any other violations of the HIPAA rules.”
The bulletin identified several commonly used website technologies that OCR said can lead to the disclosure of identifiable patient information protected under HIPAA.
Healthcare organizations make broad use of website tracking technologies, says Kimberly Castellino Metzger, JD, partner with McCarter & English in Indianapolis.
“Healthcare organizations and other HIPAA-covered entities and their business associates have been using these tracking technologies for a variety of purposes to improve the patient experience, but also for things like marketing, to gather information about people who visit their site, and use their apps for marketing purposes,” Metzger explains. “The bulletin is primarily talking about not necessarily tracking technologies used by the covered entity — although they can certainly be covered as well — but these are mostly vendors who use tracking technology on behalf of the covered entity.”
Metzger recommends organizations conduct a mapping exercise so leaders understand what tracking technologies are in use and where. It is important to understand the difference between unauthenticated and authenticated pages.
Pages in which a user must enter login credentials or buying information to gain access — like the patient portal — are authenticated sites, whereas the main website page that introduces the organization might be unauthenticated, Metzger explains. The authenticated page is more likely to contain PHI because identifying information must be entered to access the page.
But the guidance makes clear unauthenticated pages also can contain PHI. The regulators are looking at whether a person may be identifiable through an IP address simply by connecting to the website.
“If you have XYZ HIV clinic, and you’re on that page looking around trying to find a provider, then it can be reasonably inferred that you have a concern about HIV — something that’s considered pretty sensitive,” Metzger explains. “You don’t necessarily have to have an existing treatment relationship with the provider. You don’t necessarily have to provide your name, address, telephone number, healthcare information, things like that, to be considered PHI.”
Covered entities should not define PHI too narrowly for these purposes, Metzger cautions. A healthcare organization may be disclosing PHI to vendors of tracking technology even without giving them direct health-related information about an identified individual.
“If you’re just providing the IP address through an identifiable person who goes on the site, it could still be considered a disclosure of PHI to the vendor,” Metzger explains. “I also think you need to be very, very careful to have a BAA [business associate agreement] in place.”
The use of such tracking technology — especially the potential for PHI transmission — may come as a surprise to many risk managers and compliance officers, says William P. Dillon, JD, shareholder with Gunster in Tallahassee, FL.
“I don’t think people knew there could potentially be disclosure, because I think if they did know, I can’t imagine hospital risk managers or privacy officers and security officers would have ever allowed that to occur,” Dillon says. “In my mind, OCR is putting everybody on notice.”
Now that OCR has issued this bulletin, the onus is on covered entities to address the issue promptly, Dillon says. OCR preached for years about ensuring patients have appropriate access to their information without delay, and it was not happening.
“Lo and behold, what have we had the last three or four years? We’ve had their right of access initiative, and we’ve had all sorts of provider fines levied against people for not adhering to that particular component,” Dillon says. “I think the same potential for enforcement is there with this bulletin.”
As with so many scenarios in healthcare, the specific use of a tracker will guide an assessment of how the use fits under HIPAA, says Matthew Fisher, JD, general counsel for Carium, a telehealth and remote patient-monitoring company based in Petaluma, CA. The guidance from OCR provides some broad strokes, which can be boiled down to a few primary considerations: where on a website or in an application the tracker is placed, what information is collected, who can access that information, and where the information is sent.
“From the HIPAA perspective, if information is kept within an organization and not sent outside, it is more likely that a problem will not come up under HIPAA, at least over who has access,” Fisher says. “However, if an organization gives anyone else access to the information collected by the tracker, then it is necessary to consider if the collected information qualifies as PHI, and how to get a business associate agreement in place. Those are some of the initial steps, but they help demonstrate the need to be careful.”
Beyond the potential interaction with outside organizations, Fisher says before a tracker is deployed, the organization should gain an understanding of how it functions. Does the tracker gather more information than is needed? Who can access the information collected by the tracker? Where is the tracker placed?
“Answering those questions will help identify other questions and guide informed usage,” Fisher says. “The ultimate key is to ask questions and go into situations with eyes wide open.”
Action Needed
Healthcare organizations that implement web tracking technologies must take care to ensure tracking of user behavior is not tied to personal information, says Ian Cohen, CEO of Lokker, a provider of online data privacy and compliance solutions in Redwood City, CA.
Many trackers like Facebook, Medtargetsystems, BlueKai, and ShareThis, as well as session replay scripts like Crazy Egg, LogRocket, and Microsoft Clarity, enable website owners to configure the tracking script to prevent incidental collection of personal information, Cohen explains. For safety — and to shield PHI — these trackers should not be included on webpages that use forms to collect personal information and should not use identifiers that can enable third parties to re-identify an otherwise anonymous visitor.
Understanding whether a website tracking technology puts PHI at risk requires fairly sophisticated knowledge of how the tracker is configured and an analysis of the "payload," meaning the user data actually transmitted from each page. Cohen says marketing teams that plan to implement these tools to understand website usage, and wish to retarget visitors, need to address these issues:
- Is the tool configurable as to not collect sensitive information?
- Can the tool be effectively deployed without including it on pages with web forms that capture personal information?
- Does the technology create a user/session ID that can later be used (by a data broker or customer data platform provider) to re-identify the visitor?
“The first step for healthcare providers is to ensure they know exactly which trackers and cookies are currently implemented on their websites,” Cohen says. “With a complete inventory, the marketing, IT, and privacy teams can evaluate the function and business needs of these third-party providers. Next, ensure that the privacy policy and website consent management tools appropriately reflect the tools in use on the site, and provide HIPAA-compliant descriptions of the information to be used and its specific purpose.”
On implementation, marketing/web teams need to properly configure the trackers to avoid collection of sensitive data. This is usually a combination of setting the tracking codes properly as well as managing deployment of these trackers via their tag management system, Cohen explains.
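The following is an added example and is not code from the article, from any of the experts quoted, or from any tracking vendor. It shows, in plain JavaScript, the two controls Cohen describes: a tag-manager-style gate that refuses to load a third-party tracker on authenticated pages, on pages with personal-information forms, and on pages whose path alone implies a condition or service (the "XYZ HIV clinic" problem), and an audit of the event payload a tracker would send, which flags identifier fields, values that look like an email address or phone number, and URLs whose query string leaks the visitor's search. The page descriptors, path patterns, field names and the sample event are all constructed for illustration.

```javascript
// Added example: tracker gating and payload audit for a healthcare website.
// All page descriptors, patterns and field names below are hypothetical.

// Path fragments from which a vendor could infer a health condition or service
// from the visit alone. Hypothetical list; a real one comes from the site map.
const SENSITIVE_PATH_PATTERNS = [
  /^\/portal(\/|$)/i,                                       // patient portal
  /^\/appointments?(\/|$)/i,                                // scheduling
  /(^|\/)(hiv|oncology|behavioral-health|fertility)(-|\/|$)/i,
];

// Keys that must never leave the site in a tracker payload (hypothetical names,
// but these are the shapes a payload audit looks for).
const IDENTIFIER_KEYS = /^(user_?id|patient_?id|mrn|email|phone|name|first_?name|last_?name|dob|ip|external_id|client_id)$/i;
const EMAIL_RE = /[^\s@]+@[^\s@]+\.[^\s@]+/;
const PHONE_RE = /(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}/;
const URL_KEYS = /^(url|page|referrer|location)$/i;

// Decide, before any <script> tag is injected, whether a tracker may load.
// Returns {allow, reason} so every decision can be logged for the inventory.
function shouldLoadTracker(page) {
  if (page.authenticated) return { allow: false, reason: "authenticated page" };
  if (page.hasForm) return { allow: false, reason: "page has a form collecting personal information" };
  if (SENSITIVE_PATH_PATTERNS.some((re) => re.test(page.path))) {
    return { allow: false, reason: "path implies a health condition or service" };
  }
  return { allow: true, reason: "general public page" };
}

// Drop the query string and fragment: search terms, appointment parameters
// and tokens commonly live there.
function stripUrl(url) {
  return String(url).split(/[?#]/)[0];
}

// Audit an outbound event. Returns which keys would identify the visitor, and why.
function auditPayload(payload) {
  const findings = [];
  for (const [key, value] of Object.entries(payload)) {
    const text = typeof value === "string" ? value : JSON.stringify(value);
    if (IDENTIFIER_KEYS.test(key)) findings.push({ key, reason: "identifier field" });
    else if (EMAIL_RE.test(text)) findings.push({ key, reason: "value looks like an email address" });
    else if (PHONE_RE.test(text)) findings.push({ key, reason: "value looks like a phone number" });
    else if (URL_KEYS.test(key) && /[?#]/.test(text)) findings.push({ key, reason: "URL carries query string or fragment" });
  }
  return findings;
}

// Build the payload that may actually leave the site. Flagged URLs are reduced
// to their path; every other flagged field is dropped rather than masked,
// because a hashed email or user ID is still a stable re-identifier.
function scrubPayload(payload) {
  const flagged = new Map(auditPayload(payload).map((f) => [f.key, f.reason]));
  const out = {};
  for (const [key, value] of Object.entries(payload)) {
    const reason = flagged.get(key);
    if (!reason) out[key] = value;
    else if (reason.startsWith("URL")) out[key] = stripUrl(value);
  }
  return out;
}

// Constructed sample: a public page and the event a marketing/session-replay
// tag would send from it if left in its default configuration.
const SAMPLE_PAGE = { path: "/find-a-provider", authenticated: false, hasForm: false };
const SAMPLE_EVENT = {
  event: "PageView",
  url: "https://clinic.example/find-a-provider?specialty=hiv&zip=46204",
  referrer: "https://www.google.com/",
  user_id: "a1b2c3",
  email: "pat@example.org",
  notes: "call me at 317-555-0123",
  screen: "1440x900",
};

console.log(shouldLoadTracker(SAMPLE_PAGE));
console.log(shouldLoadTracker({ path: "/hiv-clinic/providers", authenticated: false, hasForm: false }));
console.log(auditPayload(SAMPLE_EVENT));
console.log(scrubPayload(SAMPLE_EVENT));
```

In practice the gate runs inside the tag manager's trigger logic and the audit runs against captured requests to each third-party host, so the inventory records not just which trackers are present but which fields each one receives. Note that even the scrubbed event still tells the vendor that a given IP address visited /find-a-provider, which is the point Metzger raises above about unauthenticated pages; the gate, not the scrub, is what keeps condition-specific pages out of the vendor's data.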
Brad Rostolsky, JD, partner with Reed Smith in Philadelphia, suspects that because the use of tracking technology by vendors has become more prevalent, OCR believed it would be useful to remind everyone HIPAA applies to these relationships.
“Ultimately, most of the guidance really just serves as a reminder that if a covered entity engages a vendor, and that vendor has access to PHI, then the vendor is a business associate and needs to sign a business associate agreement,” Rostolsky says. “This does not reflect a change in approach.”
OCR’s discussion about unauthenticated webpages may be better served with some follow-up discussion, Rostolsky says. Although OCR acknowledged these webpages “generally do not have access to individuals’ PHI,” it also noted all individually identifiable health information “collected on a regulated entity’s website or mobile app generally is PHI.”
“It seems untenable for OCR to treat public-facing websites that do not require a login by an individual as part and parcel of a regulated entity’s PHI repository,” Rostolsky says. “Hopefully, we will see some clarifying guidance on this soon.”