While maintaining a website has several benefits for healthcare organizations, risks and critical regulatory requirements must be considered, especially if using tracking technologies, performing marketing activities, or collecting individually identifiable health information (IIHI).
Just last year, the Federal Trade Commission (FTC) and the U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued a warning to hospitals and telehealth providers about the privacy and security risks related to the use of online tracking technologies integrated into their websites or mobile apps that may be impermissibly disclosing consumers' sensitive personal health data to third parties.
"Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital's website," said Melanie Fontes Rainer, OCR Director. "OCR continues to be concerned about impermissible disclosures of health information to third parties and will use all of its resources to address this issue."
In more recent guidance, OCR aimed to clarify for regulated entities (covered entities and business associates) the importance of complying with all Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements. What stands out is the following sentence in bold: Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.
Comments and guidance from OCR should be taken seriously; you've been warned! It's critical not to get caught off guard: verify that your website is HIPAA compliant.
Summary of OCR Guidance
The following is a summary of OCR guidance, an explanation of what this means for your organization, and a checklist of HIPAA compliance obligations regulated entities should consider when using tracking technologies.
What is tracking technology?
Tracking technologies are scripts or code used on websites and mobile apps to gather information about user interactions and activities. This data is then analyzed by website/app owners or third parties to gain insights about user behavior. Tracking can be used for beneficial purposes like improving services, but also raises privacy concerns around misuse for misinformation, identity theft, stalking, etc.
Websites use cookies, web beacons, tracking pixels, session replay scripts, and fingerprinting to track users. Mobile apps can use device IDs, advertising IDs, and other data to create user profiles. Tracking technologies may be developed internally or by third-party vendors, who can continue tracking users even after they leave the original site.
How do the HIPAA Rules apply to regulated entities' use of tracking technologies?
Tracking technologies regulated entities use may disclose various information to vendors, including medical record numbers, contact information, appointment details, IP addresses, device IDs, and other identifiers.
This information can meet the definition of individually identifiable health information (IIHI), a prerequisite for it to be considered protected health information (PHI) under HIPAA. IIHI collected on a regulated entity's website or mobile app is generally considered PHI, even if the individual has no existing relationship with the entity and the IIHI does not include specific health care details.
However, the mere fact that a user visits a webpage to learn more about health conditions or providers does not automatically constitute PHI unless the visit is related to the individual's past, present, or future health, healthcare, or healthcare payment.
This means you must be cautious when using tracking technologies, as the information collected could be deemed PHI and subject to HIPAA requirements around use and disclosure.
Tracking on user-authenticated webpages
According to OCR, regulated entities may have user-authenticated webpages, which require users to log in before accessing the webpage, such as a patient or health plan beneficiary portal or a telehealth platform.
Tracking technologies on regulated entities' user-authenticated web pages have access to PHI. This PHI can include an individual's IP address, medical record number, contact information, appointment details, and even diagnosis, treatment, and billing information.
Since this information constitutes PHI, regulated entities must ensure that any tracking technologies on user-authenticated webpages only use and disclose this PHI in compliance with the HIPAA Privacy Rule. The ePHI collected through these tracking technologies must be protected and secured in accordance with the HIPAA Security Rule.
If the tracking technology vendor meets the definition of a HIPAA business associate and you are a covered entity or business associate, you must enter into a business associate agreement (BAA) with the vendor to ensure PHI is adequately protected. For example, if a health clinic's website uses third-party tracking technologies that collect appointment and IP address information, the tracking vendor would be considered a business associate and require a BAA.
Tracking on unauthenticated web pages
Regulated entities may have unauthenticated web pages that are publicly accessible without requiring users to log in. Tracking technologies on many of these unauthenticated web pages, such as those providing general information about the entity, do not have access to PHI and are not regulated by HIPAA.
However, in some cases, tracking technologies on unauthenticated webpages may have access to PHI, such as if the webpage is related to an individual's health, healthcare, or payment for healthcare. In these situations, the HIPAA Rules apply to the regulated entity's use of the tracking technologies and any disclosures of PHI to the tracking technology vendors.
If your organization meets the definition of a covered entity or business associate, you must ensure the confidentiality, integrity, and availability of all electronic PHI created, received, maintained, or transmitted, including when using online tracking technologies. Therefore, healthcare organizations should carefully assess whether any PHI will be shared with tracking technology vendors and take appropriate steps to comply with HIPAA requirements.
Latest judicial development about this guidance - Read the HHS disclaimer about how to handle "unauthenticated public webpages" in this section:
On June 20, 2024, the U.S. District Court for the Northern District of Texas issued an order declaring unlawful and vacating a portion of this guidance document. See Am. Hosp. Ass'n v. Becerra, — F. Supp. 3d ----, No. 4:23-cv-1110, 2024 WL 3075865 (N.D. Tex. June 20, 2024). Specifically, the Court vacated the guidance to the extent it provides that HIPAA obligations are triggered in "circumstances where an online technology connects (1) an individual's IP address with (2) a visit to a[n] [unauthenticated public webpage] addressing specific health conditions or healthcare providers." Id. at *2. HHS is evaluating its next steps in light of that order.
Tracking on mobile apps
Mobile apps offered by regulated entities collect user information, including data typed/uploaded into the app, as well as device-related data like fingerprints, location, device IDs, etc.
This information collected by a regulated entity's mobile app is generally considered PHI under HIPAA, and the entity must comply with HIPAA rules for how this PHI is used and disclosed, including to any third-party vendors.
For example, if a patient uses a diabetes management app offered by a health clinic, transmitting the patient's health information to a tracking technology vendor would be a disclosure of PHI.
What if the patient voluntarily enters information into mobile apps that are not developed or offered by your organization? HIPAA does not protect the privacy and security of health information that users voluntarily enter into mobile apps that are not developed or provided by regulated entities, even if the information comes from the user's medical record. In those cases, other laws like the FTC Act may apply to the mobile app's handling of user health information.
HIPAA compliance obligations for regulated entities when using tracking technologies
According to OCR, regulated entities are required to comply with HIPAA Rules when using tracking technologies. This includes complying with the HIPAA Privacy, Security, and breach notification requirements.
HIPAA compliance obligations that regulated entities must meet when using tracking technologies include:
· Healthcare organizations should ensure all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule.
· Unless an exception applies, only the minimum necessary PHI to achieve the intended purpose is disclosed.
· Consider identifying the use of tracking technologies on your website or mobile app's privacy policy, notice, or terms and conditions of use (caution: see OCR Guidance below).
OCR Guidance: the Privacy Rule does not permit disclosures of PHI to a tracking technology vendor based solely on a regulated entity informing individuals in its privacy policy, notice, or terms and conditions of use that it plans to make such disclosures.
· Ensure all tracking technology vendors have signed a BAA with your organization and that there is applicable permission before disclosing PHI.
OCR Guidance: If there is no applicable Privacy Rule permission or the vendor is not a business associate of the regulated entity, then the individuals' HIPAA-compliant authorizations are required before the PHI is disclosed to the vendor. Website banners that ask users to accept or reject a website's use of tracking technologies, such as cookies, do not constitute a valid HIPAA authorization.
· Establish a BAA with a tracking technology vendor that meets the definition of a "business associate."
OCR Guidance: A tracking technology vendor is a business associate if it meets the definition, regardless of whether the required BAA is in place. Moreover, signing an agreement containing the elements of a BAA does not make a tracking technology vendor a business associate if the vendor does not meet the definition.
· Ensure the BAA includes all required elements, such as specifying the vendor's permitted and required uses and disclosures of PHI and providing that the vendor will safeguard the PHI and report any security incidents, including breaches of unsecured PHI, to the regulated entity, among other requirements.
OCR Guidance: If the chosen tracking technology vendor will not provide written satisfactory assurances in the form of a BAA that it will appropriately safeguard PHI, then the regulated entity can decide to establish a BAA with another vendor that will enter into a BAA with the regulated entity to de-identify online tracking information that includes PHI and then subsequently disclose only de-identified information to tracking technology vendors that are unwilling to enter into a BAA with a regulated entity.
· If your organization does not want to create a business associate relationship with a vendor that meets the definition of a business associate, PHI cannot be disclosed to the vendor without individuals' authorization.
· Be sure to address the use of tracking technologies in your Security Risk Analysis and Risk Management processes.
· Implement all required and addressable administrative, physical, and technical safeguards in accordance with the HIPAA Security Rule to protect the ePHI.
Staying Safe With Regulatory Requirements
While healthcare organizations can benefit from maintaining a website, there are significant risks and regulatory requirements that must be carefully considered. The key points to consider are:
Risks and Regulatory Concerns
· Online tracking technologies on healthcare organization websites can lead to impermissible disclosures of sensitive patient health information to third-party vendors, a significant privacy and security concern.
· The FTC and HHS Office for Civil Rights have issued explicit warnings about these risks, emphasizing that patients should not have to sacrifice the privacy of their health data when using a healthcare provider's website.
· Regulated healthcare entities, such as covered entities and business associates under HIPAA, are explicitly prohibited from using tracking technologies in a way that would result in unauthorized disclosures of PHI.
Importance of Compliance
Healthcare organizations must comply with all applicable HIPAA requirements when maintaining a website, including handling and protecting any collection of individually identifiable health information.
Failure to comply with HIPAA and other relevant regulations can expose healthcare providers to significant legal and financial penalties and damage their reputation and public trust.
Careful planning, implementation, and ongoing monitoring are essential to ensure that any online presence fully safeguards patient information and aligns with all applicable laws and guidelines.
If you need assistance with your compliance, contact our team today. We provide free consultations and can offer guidance on how your healthcare organization can remain protected from the cybersecurity threats affecting healthcare entities.