OCR Outlines Proper Use of Tracking Tech to Maintain HIPAA Compliance

December 02, 2022 - Following reports that patient data was transmitted to Facebook through the use of tracking technology on hospital websites and within password-protected patient portals, the HHS Office for Civil Rights (OCR) issued a bulletin outlining the dos and don’ts of using tracking tech as a HIPAA-covered entity or business associate.

Covered entities and business associates using tracking tools such as Google Analytics and Meta Pixel should pay close attention to their obligations under HIPAA, OCR noted.

“Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules,” OCR stated. 

“For example, disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures.”

Covered entities must also ensure that they have business associate agreements (BAAs) in place with tracking technology vendors if those vendors create, maintain, or receive PHI on behalf of the covered entity for a covered function such as healthcare operations.

“For example, if an individual makes an appointment through the website of a covered health clinic for health services and that website uses third party tracking technologies, then the website might automatically transmit information regarding the appointment and the individual’s IP address to a tracking technology vendor,” OCR noted. “In this case, the tracking technology vendor is a business associate and a BAA is required.”

OCR clarified that whether the tracking tech is present on user-authenticated or unauthenticated webpages, if PHI is involved, HIPAA rules apply. When it comes to mobile apps, OCR noted that apps offered by regulated entities are covered by HIPAA. However, HIPAA rules do not protect information that users voluntarily provide to mobile apps that are not developed or offered by covered entities.

OCR encouraged covered entities to ensure that “all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule and that, unless an exception applies, only the minimum necessary PHI to achieve the intended purpose is disclosed.”

Covered entities should also ensure that a tracking technology vendor meets the definition of a “business associate” and that the BAA explicitly specifies the vendor’s permitted uses and disclosures of PHI.

“Further, it is insufficient for a tracking technology vendor to agree to remove PHI from the information it receives or de-identify the PHI before the vendor saves the information,” the bulletin continued.

“Any disclosure of PHI to the vendor without individuals’ authorizations requires the vendor to have a signed BAA in place and requires that there is an applicable Privacy Rule permission for disclosure.”

Lastly, OCR reminded covered entities to provide breach notifications to HHS in the event that the use of tracking tech leads to an impermissible disclosure of PHI.

"Organizations should ask themselves about the risks and ethical concerns associated with tracking services, as improper use of this technology poses significant risks to the organization and its patients," Andrew Mahler, VP of privacy and compliance at CynergisTek, a Clearwater company, told HealthITSecurity.

"Thorough risk analyses and third-party reviews are also important ways to balance consumer benefits and risk from technology by having clear disclosures and an understanding of what PHI is being used, accessed, or shared."

Some entities have already reported large healthcare data breaches stemming from the use of tracking tech. For example, Advocate Aurora Health notified 3 million patients of a breach that was discovered when the health system realized that tracking tech installed on its patient portals and scheduling widgets had potentially transmitted certain information to the vendors that provided the technology.

Advocate Aurora Health explained that it had previously used the services of several third-party vendors to “measure and evaluate information concerning the trends and preferences of its patients as they use our websites.”

Following the discovery, Advocate Aurora Health disabled the pixels and launched an internal investigation in order to “better understand what patient information was transmitted to our vendors.”

Other healthcare entities, including Novant Health, WakeMed Health and Hospitals, and Community Health Network reported similar incidents.