On December 1, 2022, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services issued nonbinding guidance on the use of online tracking technologies by covered entities and business associates under HIPAA. The bulletin confirms that tracking technologies on health care websites and mobile apps face increasing regulatory scrutiny. While nonbinding, the guidance signals OCR's enforcement direction and will likely drive more complaints, investigations, and class action litigation.
This alert addresses: (1) underlying tracking technologies drawing regulatory attention; (2) HIPAA application to these technologies; (3) resulting obligations; and (4) risk mitigation recommendations.
Tracking Technologies
OCR focused on information captured through cookies, web beacons/tracking pixels, session replay scripts, fingerprinting scripts, and tracking code embedded in mobile apps that captures device IDs or advertising IDs. These technologies are typically provided by third-party vendors: the browser or app sends the data directly to the vendor, and cookies and device identifiers let the vendor keep tracking the user across other sites after the user leaves the regulated entity's website.
HIPAA Applicability
OCR addressed information collected through tracking technologies including medical record numbers, home and email addresses, appointment dates, IP addresses, geographic location, medical device IDs, and other unique identifying codes. The agency stated that such information, when collected on a regulated entity's website or mobile app, generally constitutes Protected Health Information (PHI) because it connects an identifiable individual to the entity and indicates that the individual has received or will receive health care services, even if the individual has no existing relationship with the entity and the data includes no specific treatment or billing information.
User-Authenticated Webpages
Tracking technologies on authenticated pages generally access PHI such as IP addresses, medical record numbers, addresses, appointment dates, diagnoses, treatment information, prescriptions, and billing data.
Unauthenticated Webpages
While OCR acknowledged tracking technologies on unauthenticated pages typically don’t access PHI, exceptions exist where HIPAA applies. Examples include:
- Patient portal login pages
- Registration webpages
- Appointment availability pages
- Doctor search pages
- Informational pages about specific conditions like pregnancy or miscarriage
Mobile Applications
Apps Developed by Regulated Entities: Information collected through a regulated entity's own mobile app, including what the app vendor and any embedded tracking technology vendor receive, is PHI because of the nature of the information collected and because downloading and using the app indicates that the individual has received or will receive health care services. Regulated entities must comply with the HIPAA Rules for all uses and disclosures of this PHI.
Apps Developed by Third Parties: HIPAA does not protect information that users voluntarily enter into mobile applications that were not developed by or on behalf of a regulated entity.
HIPAA Obligations for Regulated Entities
Regulated entities must ensure that every disclosure of PHI to a tracking technology vendor is permitted or required by the Privacy Rule or authorized by the individual, and is limited to the minimum necessary information. Merely describing the tracking in a privacy notice or privacy policy is not sufficient.
Business Associate Agreements Requirement
Prior to disclosing PHI to tracking vendors, entities must have signed Business Associate Agreements (BAAs) in place with applicable Privacy Rule permissions. Note: Many tracking technology vendors refuse BAAs. For example, Google Analytics explicitly prohibits use involving Protected Health Information.
Authorization Alternative
If no applicable Privacy Rule permission exists or vendors aren’t business associates, HIPAA-compliant authorizations are required before disclosure. Website banners requesting tracking acceptance do not constitute valid HIPAA authorization.
Additional Obligations
- Entering into BAAs with vendors meeting the business associate definition
- Addressing tracking technologies in risk analysis and management processes
- Implementing administrative, physical, and technical safeguards (45 C.F.R. §§ 164.306-316)
- Providing breach notification for impermissible disclosures of PHI to tracking vendors (for example, disclosures made without a Privacy Rule permission or a BAA); such a disclosure is presumed to be a breach unless the entity demonstrates a low probability that the PHI has been compromised
Recommended Action Items
Organizations should take the following steps:
- Identify and evaluate current online tracking technology usage
- Determine whether disclosed information constitutes PHI based on collection context
- Analyze current practices against OCR guidance and conduct regulatory/litigation risk analysis
- If continuing to use tracking technologies that involve PHI disclosure:
  - Reconfigure the technologies to limit disclosure of PHI on unauthenticated pages
  - Enter into compliant BAAs with tracking technology and mobile app vendors
  - Where no BAA or Privacy Rule permission applies, obtain HIPAA-compliant authorizations before tracking on authenticated webpages or in apps
  - Implement the required Security Rule safeguards
- Implement required Security Rule safeguards
- Confirm ongoing security risk assessments account for tracking technology disclosures
- Train employees on HIPAA compliance obligations
- Evaluate breach notification obligations for past disclosures
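The first two action items, inventorying current tracking technology and deciding what leaves the site, are the part of this work a security engineer can automate. The following is an added example, not code from the OCR bulletin or from the firm: a stand-alone Python script that parses a page's HTML, lists every script, image, iframe and link resource loaded from another site, flags 1x1 tracking pixels and a small set of sample tracker hosts, and checks whether the outbound URLs already carry identifier-like query parameters (MRN, email, appointment date). The tracker host set, the sensitive parameter names and the sample HTML for an unauthenticated scheduling page are constructed for the example and are assumptions; a real review would run this against every page template, plus the network log of an actual browser session, since scripts add trackers dynamically.

```python
"""Inventory third-party tracking resources in a page and flag likely PHI leaks.

Added example (not part of the OCR bulletin or the original alert); standard
library only. KNOWN_TRACKER_HOSTS, SENSITIVE_PARAMS and the sample HTML are
constructed for illustration and should be replaced with your own lists.
"""
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Sample hosts of tracking vendors (assumed list; extend with your own).
KNOWN_TRACKER_HOSTS = {
    "www.google-analytics.com",
    "www.googletagmanager.com",
    "connect.facebook.net",
    "www.facebook.com",
}

# Query parameter names that suggest an identifier or appointment data is being
# sent along with the request (assumed list; tune to your application's names).
SENSITIVE_PARAMS = {"mrn", "patient_id", "email", "dob", "appt", "appointment", "condition"}


@dataclass
class Finding:
    tag: str
    url: str
    third_party: bool
    known_tracker: bool
    pixel: bool
    sensitive_params: list = field(default_factory=list)


def _site_key(host: str) -> str:
    """Crude same-site key: the last two DNS labels. Adequate for .com/.org
    first-party checks; full public-suffix handling is out of scope here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class _ResourceCollector(HTMLParser):
    """Collect (tag, url, attrs) for elements that trigger an outbound request."""
    SRC_ATTR = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr_name = self.SRC_ATTR.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        url = attrs.get(attr_name)
        if url:
            self.resources.append((tag, url, attrs))


def inventory(html: str, page_url: str) -> list:
    """Return one Finding per absolute resource URL found in the page."""
    page_site = _site_key(urlsplit(page_url).hostname or "")
    collector = _ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, url, attrs in collector.resources:
        parts = urlsplit(url)
        host = parts.hostname
        if not host:          # relative URL: stays with the first party
            continue
        third_party = _site_key(host) != page_site
        pixel = tag == "img" and attrs.get("width") == "1" and attrs.get("height") == "1"
        sensitive = sorted(p for p in parse_qs(parts.query) if p.lower() in SENSITIVE_PARAMS)
        findings.append(Finding(tag, url, third_party, host.lower() in KNOWN_TRACKER_HOSTS, pixel, sensitive))
    return findings


def phi_risk(findings: list) -> list:
    """Third-party requests whose URL already carries identifier-like parameters:
    these are the disclosures that need a BAA, an authorization, or removal."""
    return [f for f in findings if f.third_party and f.sensitive_params]


def report(findings: list) -> list:
    """Human-readable lines, third-party resources first."""
    lines = []
    for f in sorted(findings, key=lambda f: (not f.third_party, f.url)):
        flags = []
        if f.third_party:
            flags.append("third-party")
        if f.known_tracker:
            flags.append("known-tracker")
        if f.pixel:
            flags.append("pixel")
        if f.sensitive_params:
            flags.append("params:" + ",".join(f.sensitive_params))
        lines.append(f"{f.tag:6} {' '.join(flags) or 'first-party':45} {f.url}")
    return lines


# Constructed sample: an unauthenticated appointment-scheduling page.
SAMPLE_PAGE_URL = "https://www.example-health.org/schedule"
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<link rel="preconnect" href="https://cdn.example-health.org">
</head><body>
<img src="https://www.facebook.com/tr?id=123&ev=Schedule&appt=2023-01-15&mrn=000123"
     width="1" height="1" style="display:none">
<iframe src="https://survey.example-vendor.test/embed?email=jane%40example.com"></iframe>
</body></html>"""

if __name__ == "__main__":
    found = inventory(SAMPLE_HTML, SAMPLE_PAGE_URL)
    print("\n".join(report(found)))
    print(f"{len(phi_risk(found))} third-party request(s) already carry identifier-like parameters")
```

In the sample page the Google Tag Manager script and the Facebook pixel are flagged as known trackers, the pixel and the survey iframe are flagged for carrying `mrn`, `appt` and `email` values to another site, and the first-party CDN preconnect is listed but not flagged. Anything in the third-party list is a disclosure to check against the BAA and authorization requirements above; anything in the `phi_risk` list is a disclosure that is already happening.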
Conclusion
Regulated entities should prioritize evaluating and updating their tracking technology practices to meet OCR's expectations. Prompt action reduces the risk of OCR complaints, enforcement actions, and class action litigation. The exposure is compounded by the FTC's enforcement activity in this space; see our related post, OCR and FTC Team Up Against Transfers of Health Information Through Online Tracking Technologies.
Fey LLC helps organizations navigate complex data privacy and cybersecurity challenges.