
January 18, 2023

Cookies and Other Tracking Technologies May Violate HIPAA


New Guidance from OCR Presents Challenges for HIPAA-Regulated Entities

In the midst of significant privacy changes in many U.S. states affecting tracking technologies such as cookies, pixels, and adtech, new lawsuits are alleging entities violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) via impermissible disclosure of protected health information due to the use of these technologies.

On Dec. 1, 2022, the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) joined the discussion when it issued a bulletin warning that HIPAA "regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of [protected health information] to tracking technology vendors or any other violations of the HIPAA Rules." It is important to note that the bulletin is not limited to use of tracking technologies by covered entities, but also applies to use of these tracking technologies by business associates.

Via the bulletin, OCR clarifies that personal information collected by tracking technologies on a HIPAA-regulated entity's platform, website or mobile app ("Digital Platform") can qualify as protected health information (PHI) subject to the HIPAA Privacy, Security, and Breach Notification Rules ("HIPAA Rules"). OCR stated that any personal information collected on a HIPAA-regulated entity's platform, website, or mobile app could be PHI, even if: (a) the individual does not have a relationship with the HIPAA-regulated entity or (b) the personal information does not include treatment or billing information (i.e., device information, IP address, or location information could be PHI). The bulletin also cautions that "disclosures of PHI to tracking technology vendors for marketing purposes, without individuals' HIPAA-compliant authorizations, would constitute impermissible disclosures" under the HIPAA Rules. While a business associate agreement (BAA) could render a disclosure to a tracking technology vendor permissible, some tracking technology vendors may refuse BAAs as incompatible with their tracking technologies, as they cannot operate the tracking technologies as intended without violating the BAA.

Analyzing whether or not personal information collected via tracking technologies on a HIPAA-regulated entity's Digital Platform is PHI, and whether use of such tracking technologies violates the HIPAA Rules, is a complex process requiring review of each tracking technology and its specific deployment on the Digital Platform.

Considerations for HIPAA-Regulated Entities

Given OCR's guidance, HIPAA-regulated entities should consider immediately taking the following steps to reduce the risk associated with their use of tracking technologies:

  • Establish the Scope of Tracking Technology Use on Digital Platforms. Before a proper analysis of tracking technology-related HIPAA risk can be done, it is important to establish which platforms and technologies you are using. HIPAA-regulated entities may be unaware of which tracking technologies are deployed on which portions of their Digital Platforms. Tracking technologies can be deployed on websites, mobile apps, patient platforms, and more. Tracking technologies may also appear on unintended portions of a Digital Platform, such as inside a patient portal. Additionally, HIPAA-regulated entities may be unclear on which tracking technologies are sharing information with third parties.
  • Review Tracking Technology Use on Digital Platforms. HIPAA-regulated entities should review their Digital Platforms to determine: (1) whether personal information processed by tracking technologies could be PHI, and (2) whether any such tracking technologies may constitute an impermissible disclosure that violates the HIPAA Rules. This process is fact-specific to each tracking technology used and its specific deployment on the Digital Platform.
  • Don't Rely on Cookie Banners. HIPAA-regulated entities may be using a cookie banner or similar consent mechanism for tracking technologies. However, the OCR bulletin stated that such banners are not a valid form of HIPAA authorization.
  • Update and Implement Business Associate Agreements. In certain scenarios, tracking technology risk can be reduced with a proper business associate agreement. HIPAA-regulated entities should (1) update their BAA templates to specifically contemplate tracking technologies, and (2) have the tracking vendors sign BAAs whenever possible.
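The first step above, establishing which tracking technologies load on which parts of a Digital Platform, is something a security or privacy team can partly automate. The following is an added example, not code from the article or from Greenberg Traurig: it parses page HTML, lists every third-party host that a page causes the browser to contact through scripts, images (pixels), iframes and link tags, and records which pages, including any under a sensitive area such as a patient portal, load each host. The sample pages, the host names ending in .test, the first-party host "clinic-example.test" and the "/portal/" prefix are all constructed for illustration.

```python
"""Inventory third-party resources (scripts, pixels, iframes, link tags) across HTML pages.

Added example for the "Establish the Scope" step; not code from the article or the firm.
All sample pages and host names below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag/attribute pairs through which a page can make the browser request another host.
RESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "link": ("href",),
}


class ResourceCollector(HTMLParser):
    """Collect (tag, url) pairs for every resource-loading attribute in the page."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for attr in RESOURCE_ATTRS.get(tag, ()):
            url = attrs.get(attr)
            if url:
                self.resources.append((tag, url))


def third_party_resources(html, first_party_host):
    """Return sorted (tag, host, url) triples for resources served from hosts other than
    first_party_host or its subdomains. Relative URLs are same-origin and are skipped."""
    collector = ResourceCollector()
    collector.feed(html)
    found = set()
    for tag, url in collector.resources:
        host = urlparse(url).netloc.lower()
        if not host:
            continue  # relative URL: served by the first party itself
        if host == first_party_host or host.endswith("." + first_party_host):
            continue
        found.add((tag, host, url))
    return sorted(found)


def inventory(pages, first_party_host, sensitive_prefixes=("/portal/",)):
    """Map each third-party host to the page paths that load it, the tag types used,
    and whether any of those pages lies in a sensitive area (e.g. a patient portal)."""
    by_host = {}
    for path, html in pages.items():
        sensitive = path.startswith(sensitive_prefixes)
        for tag, host, _url in third_party_resources(html, first_party_host):
            entry = by_host.setdefault(
                host, {"paths": set(), "tags": set(), "in_sensitive_area": False}
            )
            entry["paths"].add(path)
            entry["tags"].add(tag)
            entry["in_sensitive_area"] = entry["in_sensitive_area"] or sensitive
    return by_host


# Constructed sample pages: a public home page and a page inside a hypothetical patient portal.
SAMPLE_PAGES = {
    "/": """<html><head>
      <script src="https://analytics.example-vendor.test/tag.js"></script>
      <link rel="stylesheet" href="/static/site.css">
    </head><body><img src="/img/logo.png"></body></html>""",
    "/portal/appointments": """<html><head>
      <script src="https://analytics.example-vendor.test/tag.js"></script>
      <script src="https://cdn.clinic-example.test/app.js"></script>
    </head><body>
      <img src="https://pixel.ads-example.test/p.gif?ev=view" width="1" height="1">
      <iframe src="https://chat.widget-example.test/embed"></iframe>
    </body></html>""",
}


if __name__ == "__main__":
    report = inventory(SAMPLE_PAGES, "clinic-example.test")
    for host in sorted(report):
        entry = report[host]
        flag = "  <-- loads inside sensitive area" if entry["in_sensitive_area"] else ""
        print(f"{host}: tags={sorted(entry['tags'])} pages={sorted(entry['paths'])}{flag}")
```

Static HTML parsing only finds resources written into the page source. Tags injected at runtime by a tag manager or by another script are not visible this way, so a complete inventory should be cross-checked against the network requests a real browser makes (for example, the HAR export from browser developer tools) on each page type, especially authenticated pages such as a patient portal.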

