On December 1, 2022, the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) released a newsletter warning that commonly used website technologies, including cookies, pixels and session replay, may result in the improper disclosure of protected health information (“PHI”) to third parties in breach of the Health Act 1996 Health Insurance Portability and Accountability (“HIPAA”). The bulletin states that “[r]regulated entities are not permitted to use tracking technologies in a manner that would result in improper disclosures of protected health information (“PHI”) to tracking technology providers or otherwise violate HIPAA rules. The Bulletin is published within a broader national and international privacy context that increasingly focuses on regulating the collection and use of personal information through web-based technologies and software that may not be readily apparent to the user.
Tracking technology takes different forms, but is often encoded on a website that collects information about users from their web visit and may then transmit that information to a third party. Examples include third-party cookies, web beacons or tracking pixels, and session replay software. These technologies generally operate in the background of a web session and may automatically collect information when the user visits a website. Website operators use these technologies to collect information for a variety of purposes, including to improve website operations and user experience. The proliferation of website tracking technology and targeted advertising is nothing new and multiple states (California, Virginia, Colorado, Connecticut, and Utah) have enacted laws designed to provide privacy rights to individuals in connection with the collection and use of their personal information online, including for the purposes of targeted advertising. While HIPAA-covered entities and business associates are generally excluded from these national privacy laws through statutory exclusions when collecting PHI, HHS has now asserted that the privacy protections of the HIPAA applies with equal force to websites and emerging tracking technologies where PHI is involved.
In the bulletin, HHS primarily addresses user-authenticated web pages maintained by HIPAA-covered entities and business associates. These web pages require a user to log in, for example to access a patient health portal or telehealth platform. According to HHS, when tracking technology is active on user-authenticated web pages, it will likely result in the collection of PHI. The internet user will likely provide or access medical record numbers, appointment dates, home and email addresses, and other identifying information all of which can be retrieved by tracking technology on the site. website. HHS advises that “a regulated entity must configure all user-authenticated web pages that include tracking technologies to permit those technologies to use and disclose only PHI in accordance with the HIPAA Privacy Rule and must ensure that electronic protected health information (ePHI) collected through its website is protected and secured in accordance with the HIPAA security rule.
Importantly, HHS further notes that while access to PHI is “usually not” provided on unauthenticated web pages (for example, pages containing general information about the regulated entity such as location or the services it provides), there may be instances where tracking technologies on Unauthenticated web pages may still collect PHI based on the types of information accessed on the page. According to HHS, unauthenticated web pages (i.e., web pages accessed without a login) that can still retrieve PHI include those that “address specific symptoms or health conditions, such as pregnancy or miscarriage, or that allow individuals to search for doctors or schedule appointments without entering credentials may have access to RPS under certain circumstances.According to HHS, even if the user does not access own medical record, information identifying the visitor may be gathered via an IP or email address or other identifying data and coupled with the information sought (e.g. doctor’s appointments available) and sent to the third-party provider.HHS is apparently concerned that such searches could potentially reveal the individual’s particular medical condition (among other things).
HHS notes that mobile applications offered by Covered Entities may also collect PHI, but points out that HIPAA rules do not protect the privacy and security of information that “users voluntarily download or enter into mobile applications that are not developed or offered by or on behalf of regulated entities. HHS notes, however, with reference to the broader privacy landscape, that Federal Trade Commission (FTC) law and the FTC Health Breach Notification Rule (HBNR) may apply in cases where a mobile health application inadmissibly discloses a user’s health information.
To comply with HIPAA, Covered Entities may need to enter into Business Associate Agreements (“BAAs”) with their third-party tracking website providers where permitted by HIPAA. HHS states that “tracking technology providers are business associates if they create, receive, maintain, or transmit PSI on behalf of a regulated entity for a covered function (for example, healthcare operations) or perform certain services to or for a Covered Entity (or other business associate) that involve the disclosure of PSI. If there is no applicable HIPAA Privacy Rule authorization, and if the third-party provider is not a business associate, it is likely that “HIPAA-compliant authorizations are required before PHI can be disclosed to the supplier”. Predictably, HHS states that the website’s cookie banners “do not constitute a valid HIPAA authorization.” Further, HHS states that anonymization of PHI by a provider after it is received by the provider will not prevent a violation of HIPAA because the violation occurs in the initial disclosure.
HHS advises regulated entities to consider the use of tracking technologies in their risk analysis and to implement administrative, physical, and technical safeguards in accordance with the security rule. This may include encryption of ePHI transmitted to the tracking technology provider; and enable and use appropriate authentication, access, encryption, and auditing controls when accessing ePHI stored in the tracking technology provider’s infrastructure.
In light of this bulletin, Covered Entities and Business Associates should immediately review their patient-facing websites and applications, the uses and purposes of any tracking technology embedded therein, agreements and BAAs with vendors. third parties, as well as data privacy policies, practices, and consents, including their web disclosures, to determine what additional steps might be necessary to remain or become a HIPAA complaint.
[View source.]
#HHS #Warns #HIPAACovered #Entities #Business #Associates #Cookies #Pixels #Website #Tracking #Technologies #Violate #HIPAA #Rules #Supra