Earlier this week, our Fox partner Odia Kagan spoke on HIMSS TV about the risks associated with what may be a “blind spot” in your data privacy compliance efforts: the use of data trackers (such as cookies, tracking pixels, session replay scripts) on company websites or apps. This blind spot is particularly perilous when the data being tracked is patient medical information or other personal data subject to data privacy laws. Perhaps the HIPAA regulators were listening.

Yesterday, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a Bulletin warning HIPAA covered entities and business associates about the use of tracking technologies that may collect protected health information (PHI) in violation of HIPAA. The Bulletin is a comprehensive description of how and when patient data trackers present HIPAA compliance hurdles. A few good takeaways:

  1. Make sure you have a business associate agreement (BAA) in place with any company (including a data tracking company) that can access and use protected health information.
  2. Even trackers on unauthenticated webpages (those not requiring user log-in) may collect PHI. As per OCR: “Tracking technologies on a regulated entity’s unauthenticated webpage that addresses specific symptoms or health conditions, such as pregnancy or miscarriage, or that permits individuals to search for doctors or schedule appointments without entering credentials may have access to PHI in certain circumstances. For example, tracking technologies could collect an individual’s email address and/or IP address when the individual visits a regulated entity’s webpage to search for available appointments with a health care provider. In this example, the regulated entity is disclosing PHI to the tracking technology vendor, and thus the HIPAA Rules apply.”
  3. It’s not good enough to have the tracking technology remove or de-identify the PHI it collects: “[i]t is insufficient for a tracking technology vendor to agree to remove PHI from the information it receives or de-identify the PHI before the vendor saves the information. Any disclosure of PHI to the vendor without individuals’ authorizations requires the vendor to have a signed BAA in place and requires that there is an applicable Privacy Rule permission for disclosure.”
  4. Remember that even an IP address alone can be PHI when collected on a covered entity or business website or app: “Regulated entities disclose a variety of information to tracking technology vendors through tracking technologies placed on a regulated entity’s website or mobile app, including individually identifiable health information (IIHI) that the individual provides when they use regulated entities’ websites or mobile apps. This information might include an individual’s medical record number, home or email address, or dates of appointments, as well as an individual’s IP address or geographic location, medical device IDs, or any unique identifying code. All such IIHI collected on a regulated entity’s website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the IIHI, such as IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services.”