OCR Issues Bulletin Warning about Online Tracking Technologies and HIPAA Violations

Published On: December 22, 2022

On December 1, the Office for Civil Rights (OCR) issued guidance on the use of online tracking technologies by HIPAA covered entities and business associates. Health care providers, including hospitals and health systems, have recently reported that third-party tracking technologies installed on their patient portal webpages collected patient data and impermissibly shared it with the tracking technology vendors. Health care providers, including health centers, have also recently been notified by vendors of scheduling apps that tracking technologies embedded in the apps collected patient data and impermissibly shared it with third parties. The OCR Bulletin makes clear that covered entities and business associates “are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.”

How the Online Tracking Technologies Work

Tracking technologies, usually a script or code included or embedded in a website or app, are designed to track users as they interact with that website or app. As OCR notes, tracking technologies can be used to improve care or the patient experience; however, they can also be misused. Tracking technologies developed by third parties generally send the information they collect directly to the tracking technology vendor. If the information collected (names, contact information, appointment dates and times, IP address or geographic location, etc.) connects the user to a covered entity, the information is protected health information (PHI) and the HIPAA Rules apply.

The OCR Bulletin identifies three instances in which tracking technologies may be used by covered entities and/or their business associates, and the HIPAA implications of each:

  1. User-authenticated webpages: These webpages require users to log in and include webpages such as patient portals and telehealth platforms. Tracking technologies on these webpages generally have access to PHI and must be configured to comply with the HIPAA Rules. If a vendor provides tracking technologies on user-authenticated webpages and receives PHI, the covered entity must ensure the disclosure is permitted by the HIPAA Privacy Rule and execute a business associate agreement (BAA) with the vendor.
  2. Unauthenticated webpages: These webpages do not require users to log in and include webpages with general information. Tracking technologies on these webpages generally do not have access to PHI; however, OCR provided two examples where the HIPAA Rules apply to tracking technologies on unauthenticated webpages:
    • A patient portal login webpage or registration webpage, if the tracking technology collects an individual’s name, email address, etc.
    • Webpages that address specific symptoms or health conditions or that permit individuals to search for doctors or schedule appointments, if the tracking technology collects an individual’s email address, IP address, etc.
  3. Mobile apps: Apps collect a variety of health and payment information from individuals. If a covered entity develops or offers the app (either directly or through a vendor), the information collected is PHI and the HIPAA Rules apply. If the app is offered by an entity that is not regulated by HIPAA, the HIPAA Rules do not apply.

What Health Centers Should Do Next

Based upon the OCR Bulletin and our experience advising clients in this area, health centers should:

  • Identify tracking technologies on authenticated webpages, unauthenticated webpages, and apps and identify the type of information collected by the tracking technologies. This may involve communicating with vendors that create and maintain the websites and apps on behalf of the health center.
  • Ensure that if tracking technologies give a third party access to PHI, the disclosure is permitted by the HIPAA Privacy Rule (for example, the disclosure is not for marketing purposes, which require patient authorization) and a BAA has been executed.
  • Clarify in the BAA the tracking technology vendor’s responsibility for providing breach notification to affected individuals, the media (if applicable), OCR and any other law enforcement agencies.
  • Include the use of tracking technologies in the health center’s Security Risk Analysis and Risk Management processes.
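As an added example (not from the OCR Bulletin or this post), a small Python inventory script that applies the identification step above to a single page: it lists the hosts other than the site's own that the page's scripts, pixels and iframes send requests to, and the identifying form fields the page collects, and flags the combination OCR calls out for login and registration pages. The sample HTML, hostnames and identifier field list are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a patient-portal login page that loads a vendor analytics
# script, a tracking pixel and a chat widget alongside its own application code.
SAMPLE_HTML = """
<html><head>
<script src="https://portal.example-health.test/static/app.js"></script>
<script async src="https://analytics.example-vendor.test/tag.js"></script>
</head><body>
<form action="/login" method="post">
  <input name="email" type="email"> <input name="password" type="password">
</form>
<img src="https://pixel.example-adnet.test/px.gif?page=login" width="1" height="1">
<iframe src="https://chat.example-vendor.test/widget"></iframe>
</body></html>
"""

# Elements that load a remote resource, i.e. cause a request to the named host.
LOADER_ATTRS = {"script": "src", "img": "src", "iframe": "src"}
# Form field names that identify an individual (assumed list; extend per site).
IDENTIFIER_FIELDS = {"email", "name", "first_name", "last_name", "phone", "dob"}

class TrackerInventory(HTMLParser):
    """Records resources fetched from hosts other than the site's own, and named form inputs."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.third_party = []   # (element, host, url)
        self.form_fields = []   # input names the page submits

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get(LOADER_ATTRS.get(tag, ""))
        if url:
            host = urlparse(url).hostname      # None for relative (first-party) URLs
            if host and host != self.site_host:
                self.third_party.append((tag, host, url))
        elif tag == "input" and a.get("name"):
            self.form_fields.append(a["name"])

def assess(html, site_host):
    """Inventory one page: outside hosts that receive requests, identifying fields
    the page collects, and whether that combination needs BAA / Privacy Rule review."""
    p = TrackerInventory(site_host)
    p.feed(html)
    hosts = sorted({h for _, h, _ in p.third_party})
    identifiers = sorted(set(p.form_fields) & IDENTIFIER_FIELDS)
    return {"third_party_hosts": hosts, "identifier_fields": identifiers,
            "needs_baa_review": bool(hosts) and bool(identifiers)}
```

A static scan only sees resources declared in the markup; a vendor script can load further tags at runtime, so confirm the inventory against the browser's network log or with the vendor, as the identification step above anticipates.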