March 21, 2023

Volume XIII, Number 80


March 20, 2023


HHS Warns HIPAA Covered Entities and Business Associates That Use of Website Cookies, Pixels, and Other Tracking Technology May Violate HIPAA Rules

On December 1, 2022, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) published a bulletin warning that commonly used website technologies, including cookies, pixels, and session replay, may result in the impermissible disclosure of Protected Health Information (“PHI”) to third parties in violation of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The bulletin advises that “[r]egulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of Protected Health Information (“PHI”) to tracking technology vendors or any other violations of the HIPAA Rules.” The bulletin is issued amidst a wider national and international privacy landscape that is increasingly focused on regulating the collection and use of personal information through web-based technologies and software that may not be readily apparent to the user.

Tracking technology takes different forms but is frequently code on a website that gathers information about users from their web visit and can then transmit such information to a third party. Examples include third party cookies, web beacons or tracking pixels, and session replay software. These technologies generally operate in the background of a web session and may collect information automatically as the user visits a website. Website operators use these technologies to gather information for a variety of purposes, including to improve website operations and user experience. The proliferation of website tracking technology and targeted advertising is nothing new and several states (California, Virginia, Colorado, Connecticut, and Utah) have passed laws designed to provide privacy rights to individuals in connection with the collection and use of their online personal information, including for purposes of targeted advertising. While HIPAA covered entities and business associates are generally excluded from these state privacy laws through statutory carve-outs when they collect PHI, HHS has now affirmed that HIPAA’s privacy protections apply with equal force to websites and emerging tracking technologies where PHI is involved.

In the bulletin, HHS addresses in the first instance user-authenticated webpages run by HIPAA covered entities and business associates. These webpages require a user to log in, such as to gain access to a patient health portal or telehealth platform. According to HHS, when tracking technology is active on user-authenticated webpages, it will likely result in collection of PHI. The web user will likely be providing or accessing medical record numbers, dates of appointments, home and email addresses, and other identifying information all of which may be picked up by tracking technology on the website. HHS advises that “a regulated entity must configure any user-authenticated webpages that include tracking technologies to allow such technologies to only use and disclose PHI in compliance with the HIPAA Privacy Rule and must ensure that the electronic protected health information (ePHI) collected through its website is protected and secured in accordance with the HIPAA Security Rule.”

Importantly, HHS further notes that while access to PHI is “generally not” provided on unauthenticated webpages (e.g., those pages containing general information about the regulated entity such as location, or services they provide), there may be instances when tracking technologies on unauthenticated webpages may still collect PHI depending on the types of information accessible on the page. According to HHS, unauthenticated webpages (i.e., those web pages accessible without a login) that may still pick up PHI include those that “address specific symptoms or health conditions, such as pregnancy or miscarriage, or that permits individuals to search for doctors or schedule appointments without entering credentials may have access to PHI in certain circumstances.” According to HHS, even if the user is not accessing their own medical records, information identifying the visitor may be pieced together through an IP or email address or other identifying data and coupled with the information searched for (e.g., available doctor appointments) and sent to the third-party provider. HHS is apparently concerned that these searches could potentially reveal the particular medical condition of the individual (among other things).

HHS notes that mobile apps offered by covered entities may also collect PHI, but points out that the HIPAA rules do not protect the privacy and security of information that “users voluntarily download or enter into mobile apps that are not developed or offered by or on behalf of regulated entities.” HHS notes, however, in reference to the wider privacy landscape, that the Federal Trade Commission (FTC) Act and the FTC’s Health Breach Notification Rule (HBNR) may apply in instances where a mobile health app impermissibly discloses a user’s health information.

To comply with HIPAA, covered entities may need to enter into business associate agreements (“BAA”) with their third-party tracking technology vendors where permissible under HIPAA. HHS advises that “tracking technology vendors are business associates if they create, receive, maintain, or transmit PHI on behalf of a regulated entity for a covered function (e.g., health care operations) or provide certain services to or for a covered entity (or another business associate) that involve the disclosure of PHI.” If there is no applicable HIPAA Privacy Rule permission, and if the third-party vendor is not a business associate, then it is likely that “HIPAA-compliant authorizations are required before the PHI is disclosed to the vendor.” Predictably, HHS states that website cookie banners “do not constitute a valid HIPAA authorization.” Furthermore, HHS states that a vendor’s de-identification of PHI after it is received by the vendor will not prevent a HIPAA violation because the violation occurs in the initial disclosure.

HHS advises that regulated entities must address the use of tracking technologies in their risk analysis and must implement administrative, physical, and technical safeguards in accordance with the Security Rule. This may include encrypting ePHI that is transmitted to the tracking technology vendor, and enabling and using appropriate authentication, access, encryption, and audit controls when accessing ePHI maintained in the tracking technology vendor’s infrastructure.

In light of this bulletin, covered entities and business associates should immediately review their websites and patient-facing applications, the uses and purposes of any tracking technology embedded therein, their agreements and BAAs with third-party vendors, and their data privacy policies, practices, and consents, including their web-facing disclosures, to determine what additional steps might need to be taken to remain or become HIPAA compliant.
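As a practical first step in the website review described above, the following is an added example (it is not part of the original article and is not an HHS or Epstein Becker Green tool): a small Python script that parses a page's HTML and lists every resource the browser would fetch from a host outside the first-party domain, flagging 1x1 images as likely tracking pixels and noting scripts and embedded frames separately. The sample HTML, the host names in it, and the allow-list of vendors already under a BAA are all constructed assumptions; in practice the inventory would be run against the saved HTML of each authenticated and unauthenticated page and reconciled against the entity's BAAs.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page (assumption, not taken from the bulletin): a patient
# portal login page mixing first-party assets with a third-party analytics tag,
# a 1x1 tracking pixel, a session-replay loader and an embedded vendor form.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://analytics.example-vendor.com/tag.js"></script>
<script async src="https://replay.example-recorder.net/record.js"></script>
</head><body>
<img src="https://pixel.example-ads.com/px.gif?uid=123" width="1" height="1">
<img src="https://cdn.portal.example-hospital.org/hero.jpg">
<img src="/img/logo.png">
<iframe src="https://forms.example-vendor.com/embed"></iframe>
</body></html>
"""

# Elements that make the browser fetch a URL, and the attribute carrying it.
FETCHING_TAGS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class ResourceCollector(HTMLParser):
    """Collects every (tag, url, attributes) triple that triggers a fetch."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr_name = FETCHING_TAGS.get(tag)
        if attr_name is None:
            return
        # Boolean attributes such as "async" arrive with value None.
        attr_map = {name: (value or "") for name, value in attrs}
        url = attr_map.get(attr_name)
        if url:
            self.resources.append((tag, url, attr_map))


def _host_of(url):
    """Host part of an absolute or protocol-relative URL; '' for relative paths."""
    return urlsplit(url).netloc.split("@")[-1].split(":")[0].lower()


def _is_first_party(host, first_party_host):
    # Relative URLs and subdomains of the entity's own domain stay first party.
    return host == "" or host == first_party_host or host.endswith("." + first_party_host)


def _classify(tag, attr_map):
    if tag == "img" and attr_map.get("width") == "1" and attr_map.get("height") == "1":
        return "tracking_pixel"
    if tag == "script":
        return "third_party_script"
    if tag == "iframe":
        return "embedded_frame"
    return "third_party_resource"


def find_third_party_resources(html, first_party_host, allowed_hosts=()):
    """Return a finding for every fetch to a host outside the first-party domain
    that is not on the allow-list (e.g. vendors already covered by a BAA)."""
    collector = ResourceCollector()
    collector.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for tag, url, attr_map in collector.resources:
        host = _host_of(url)
        if _is_first_party(host, first_party_host.lower()) or host in allowed:
            continue
        findings.append({"host": host, "url": url, "kind": _classify(tag, attr_map)})
    return findings


if __name__ == "__main__":
    for f in find_third_party_resources(SAMPLE_HTML, "portal.example-hospital.org"):
        print(f"{f['kind']:<20} {f['host']:<32} {f['url']}")
```

Each finding is a host that receives the visitor's IP address and request details when the page loads, which is the disclosure the bulletin is concerned with; a host that is neither the entity's own nor on the BAA allow-list is the case that needs a Privacy Rule permission, an authorization, or removal of the tag.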

Alexander J. Franchilli also contributed to this article.

©2023 Epstein Becker & Green, P.C. All rights reserved. National Law Review, Volume XII, Number 361

About this Author

Patricia M. Wagner, Epstein becker green, health care, life sciences

PATRICIA M. WAGNER is a Member of the Firm in the Health Care and Life Sciences and Litigation practices, in the firm's Washington, DC, office. In 2014, Ms. Wagner was selected to the Washington DC Super Lawyers list in the area of Health Care.

Ms. Wagner's experience includes the following:

Advising clients on a variety of matters related to federal and state antitrust issues 

Representing clients in antitrust matters in front of the Federal Trade Commission and the United States Department of...

Brian G. Cesaratto, Epstein Becker, Employment benefits Litigation Lawyer, Workforce Management attorney

BRIAN G. CESARATTO is a Member of the Firm in the Litigation and Employment, Labor & Workforce Management practices, in the New York office of Epstein Becker Green.

Mr. Cesaratto's practice includes complex commercial litigation, criminal defense, internal and law enforcement investigations, employment litigation, and computer and electronic data misappropriation and forensics.

Alaap Shah Attorney Healthcare Life Sciences

Alaap B. Shah is a Member of the Firm in the Health Care and Life Sciences practice, in the firm's Washington, DC, office.

Mr. Shah:

  • Advises clients on federal and state privacy and data security laws and regulations
  • Advises on cybersecurity and data breach matters
  • Advises clients on health care fraud and abuse matters and government investigations relating to health information technology
  • Counsels clients on digital health and data strategies and related compliance issues

His work focuses on defense and counseling...

Shira M. Blank, Employment Related Litigation, Labor Attorney, Epstein Becker Law firm

Shira M. Blank is an Associate in the Employment, Labor & Workforce Management practice, in the New York office of Epstein Becker Green.

Ms. Blank:

  • Represents clients in employment-related litigation on a broad array of matters, including claims of discrimination, sexual harassment and hostile work environment, retaliation, wrongful termination, whistleblowing, and wage and hour claims, among others, in state and federal courts and before various administrative agencies

  • ...

Karen Mandelbaum Healthcare Attorney Epstein Becker Green
Senior Counsel

Karen Mandelbaum is a Senior Counsel in the Health Care and Life Sciences practice, in the Washington, DC, office of Epstein Becker Green. She has deep experience in all aspects of data privacy and protection due to her work as a privacy and security official at the Centers for Medicare & Medicaid Services (CMS), and in the private sector.

Ms. Mandelbaum:

  • Advises clients on all aspects of federal and state privacy and consumer data protection laws and regulations, including HIPAA, HITECH, and 42 CFR Part 2
  • Helps design and develop effective data governance...