Proceed with Caution: Online Tracking Technologies Pose HIPAA Compliance Risks

2 March 2023
Key Takeaways:
  • In response to a number of class-action lawsuits against hospitals and technology companies alleging the improper disclosure of information collected through online tracking technology, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) recently issued guidance clarifying that such technology may improperly collect and transmit protected health information (“PHI”), implicating the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
  • OCR’s guidance clarifies that online tracking technology may improperly collect and transmit PHI from a regulated entity’s: (i) user-authenticated webpage(s); (ii) unauthenticated webpages, even where there is no preexisting relationship between the user and the regulated entity; and (iii) mobile applications, if offered by or on behalf of a regulated entity.
  • OCR’s guidance appears to have emboldened additional class actions by plaintiffs seeking redress for alleged privacy violations. Regulated entities should reevaluate existing and future relationships with online tracking technology vendors to determine what access, if any, vendors may have to PHI, and ensure that any vendor with access to PHI enters into an appropriate Business Associate Agreement with the regulated entity to safeguard any PHI it receives.

On December 1, 2022, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) issued guidance to covered entities and their business associates (collectively, “regulated entities”) concerning online tracking technology. The use of tracking technologies on websites and mobile applications has long been a commonplace aspect of the online ecosystem, providing companies with valuable insights into user behaviors as well as opportunities to enhance user experiences. However, healthcare entities’ use of tracking technologies, such as cookies, web beacons and pixels, has recently come under fire: a litany of class-action lawsuits alleging improper disclosure of patient information has been filed against major health systems and hospitals. For example, in 2022, Mass General Brigham and the Dana-Farber Cancer Institute reached an $18.4 million “cookies without consent” settlement to resolve allegations that tracking tools on the institutions’ informational websites transferred and sold users’ information without their prior written consent in violation of state privacy and consumer protection laws.

In the wake of such unlawful tracking suits, OCR issued broad-reaching guidance indicating that certain information collected from websites and applications via online tracking technology may implicate the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Although HIPAA does not itself provide a private right of action, it is commonly cited in consumer actions that allege improper use and disclosure of sensitive patient data. Indeed, OCR’s guidance appears to have emboldened additional class actions by plaintiffs seeking redress for alleged privacy violations: complaints filed this year against Cedars-Sinai Medical Center and Christ Hospital expressly cite the OCR bulletin.

Below, we provide a brief overview of OCR’s guidance as well as preliminary steps regulated entities can take to assess compliance risk.

Key Takeaways from the OCR Bulletin

  • Because regulated entities’ user-authenticated webpages generally contain protected health information (“PHI”), regulated entities must enter into a business associate agreement (“BAA”) with a vendor in order to utilize tracking services. OCR guidance states that user-authenticated webpages (e.g., patient portals) often contain PHI such as medical record numbers, appointment dates, diagnosis and billing information and other identifying information provided by a user. Any disclosure is thus regulated by HIPAA and a tracking technology vendor is considered a regulated entity and, therefore, must be bound by a BAA before receiving PHI.
  • Utilizing tracking technologies may require a BAA even where there is no patient relationship between the user and the regulated entity. OCR guidance states that unauthenticated webpages are generally not regulated by HIPAA. However, OCR takes the expansive view that information tracked from an unauthenticated site shall nonetheless be considered PHI if: (i) it is collected by a regulated entity; (ii) it relates to an individual’s past, present or future healthcare or payment for healthcare—regardless of whether there is an existing relationship with such regulated entity—and (iii) it can be linked to a specific individual. In other words, tracking information collected by a regulated entity on an unauthenticated webpage from an individual who is not an existing patient of such entity is broadly presumed by OCR to relate to such individual’s past, present or future healthcare or payment for healthcare.
  • Mobile applications (“apps”) offered by regulated entities are subject to HIPAA; apps provided from other entities may be governed by other privacy laws. OCR’s guidance recognizes that the provision of healthcare often involves the use of apps, which allow individuals to access and manage their health information and to pay bills. These apps collect a wide variety of information that could qualify as PHI, such as fingerprints, network or geographic location and the user’s device ID. Thus, a regulated entity that collects such information and discloses it to a tracking technology vendor, the app vendor or a third party, must comply with HIPAA. Notably, HIPAA’s restrictions only extend to apps offered by or on behalf of a regulated entity, not to apps offered by non-regulated entities. Nonetheless, OCR warns that other state and federal privacy laws may apply to the use and disclosure of such information.

Action Items for Regulated Entities

OCR’s guidance has far-reaching consequences for covered entities as well as business associates, including heightened risk of litigation. As noted above, complaints filed this year against Cedars-Sinai Medical Center and Christ Hospital expressly cite the OCR bulletin, including the agency’s description of individually-identifiable tracking information as “highly sensitive,” and its bold proclamation that a regulated entity’s implementation of third-party tracking technology absent notice to, and written authorization from, users constitutes a HIPAA violation. In light of these developments, regulated entities should examine whether their current or future tracking technology vendors have or will receive PHI and, if so, should consider the following action items:

  • tracking technology vendors with access to PHI must enter into a BAA that specifies the permitted and required uses and disclosures of PHI and provides that the vendor will appropriately safeguard any PHI it receives and report security incidents to the regulated entity;
  • absent a BAA, a healthcare entity may not disclose PHI to a vendor without a patient’s authorization and
  • regulated entities should appropriately staff compliance teams to address breach notification requirements, as required by HHS in the event of impermissible disclosure of PHI through the use of tracking technology.

Furthermore, even where online tracking technologies collect information that is not considered PHI, regulated entities should consider whether other privacy laws apply, such as the Federal Trade Commission’s Health Breach Notification Rule and the California Consumer Privacy Act.