Written by Matt Fiel
In this article, I’ll interpret the updated guidance and describe what has changed – and what hasn’t.
The updated guidance covers three main points:
- Defining tracking technologies
- The differences between tracking on authenticated pages, unauthenticated pages, and mobile apps
- Your obligations under HIPAA
What are tracking technologies?
The updated guidance starts by redefining tracking technology – and this is smart because I get tons of questions from healthcare providers about whether tracking technologies include cookies, scripts, beacons, pixels, network requests, or all of the above. Despite its goal to clarify, the updated guidance still leaves room for interpretation – but I’ll do my best to explain.
According to the OCR, tracking technologies involve placing a script on your website or mobile app. The script could use cookies, web beacons, tracking pixels, session replay scripts, or fingerprinting to identify users, collect data, and track behaviors. However, the bulletin focuses explicitly on third-party trackers, not proprietary trackers that send data to first-party platforms.
Here are some of the data points that the OCR considers identifiers:
- Medical Record Numbers
- Home Address
- Email Address
- Appointment Dates
- IP Address
- >Geographic Location (More precise than state)
- Device IDs
What constitutes a violation?
Much of the debate around the original OCR bulletin focused on what a violation was. For instance, does a simple pairing of an identifier like an IP address, device ID, or Google SID with a webpage addressing a health condition constitute a violation?
I’ve played mediator between marketing and legal teams seeking to answer this question, and that’s no easy task due to their underlying goals. Marketing aims to gather as much data as possible, and legal seeks to mitigate as much risk as possible.
Unfortunately, the updated ruling is still too vague to provide a healthy balance between marketers and legal teams.
Here’s the best way I can describe it:
It does not constitute a violation if the webpage is unrelated to an “individual’s past, present, or future health, health care, or payment for health care.” So, whether a violation has occurred entirely depends on why users access information and the type of page they visit.
The page type comes down to authentication, which is another way of asking, “Is the user logged into a portal or mobile app?”
Authenticated webpages
Let me be clear. I would not put any third-party trackers on an authenticated web page unless you have a BAA with the tracker – and the OCR bulletin aligns with this conservative approach. It states:
“A regulated entity must configure any user-authenticated webpages that include tracking technologies to allow such technologies to only use and disclose PHI in compliance with the HIPAA Privacy Rule.”
It goes on to say that tracking technologies are business associates, so you must have a business associate agreement (BAA) in place with them. Famously, Google Analytics will not sign a BAA, so I do not recommend using Google Analytics on authenticated portals.
Authenticated webpages
Unauthenticated webpages serve a wide spectrum of purposes, from general information, visiting hours, policies, services, operations, and conditions to career opportunities.
Part of the problem is that you probably don’t know for sure why a user is visiting your website. Are they searching for job opportunities? Are they a student researching information? Or are they prospective patients?
Ultimately, because their intent is unknowable, you need to treat all these visits equally.
The OCR bulletin focuses on pages related to conditions, operations, and services—anything related to an individual’s past, present, or future healthcare. If a user is browsing your website for potential procedures, questions about their health, or anything related to their health, you cannot pair an identifier with PHI unless you have a BAA.
Mobile Apps
Mobile apps are often built on frameworks that may disclose PHI and frequently include third-party trackers, just like a webpage. So, when paired with a name, mobile phone number, IP address, or device ID, disclosure of a health condition is considered a violation of the OCR bulletin.
The safest interpretation of this law requires covered entities to enter BAAs with every vendor participating in the mobile application, including the framework and tracking technologies.
Enforcement
The updated OCR bulletin ends with a blunt warning. They prioritize investigations into online tracking technologies by ensuring healthcare providers identify the trackers used, assess their risk, and mitigate the risk of PHI disclosure.
Avoiding non-compliance
In summary, the updated OCR bulletin comes down to four primary actions.
- Ensure that PHI is not paired with a user identifier when sent to third-party trackers.
- Ensure that you’re sending the minimum amount of PHI necessary.
- Ensure a BAA is in place with vendors receiving PHI linked with an identifier.
- Ensure tracking technologies are part of your risk management process and safeguard PHI with administrative, physical, and technical safeguards.
- Ensure you have a breach notification process in place.