For years, patients and healthcare companies have been wrestling with privacy issues relating to cookies, pixels and other tracking technologies. The U.S. Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR), which enforces Health Insurance Portability and Accountability Act (HIPAA), has not substantially involved itself in this prolonged and public debate until now. As described below, and as will be developed further in subsequent Holland & Knight alerts and blog posts, OCR has now spoken loudly. On Dec. 1, 2022, without public comment, OCR issued a bulletin that may profoundly impact this debate.
More specifically, since at least the turn of the millennium, plaintiffs and their class action lawyers have alleged that tracking tools on websites and apps infringe on consumer privacy by allowing third parties to snoop without ordinary people understanding what information about them is being shared with others. Over at least the past several years, the focus has shifted to claims that healthcare companies specifically are improperly disclosing patient confidences by integrating into the code on their public websites digital advertising, analytics and even security tools provided by Meta (formerly Facebook), Google and lesser-known third parties not operating under Business Associate Agreements (BAAs). Healthcare companies have pushed back, stating that these tools are ubiquitous on the internet and serve legitimate business purposes, including security, improving website function and design, and guiding targeted outreach to the public, particularly during public health crises like a pandemic. Further, healthcare companies have argued that unless a patient actually logs into a patient portal, the healthcare company has no way of knowing if the person is a patient versus, for example, a family member or caretaker of a patient, a job applicant, a researcher or even a bot. A wave of class actions have been filed in 2022, typically seeking many millions in statutory damages under state wiretap act laws, and each potentially turning on how much privacy is expected when a member of the general public uses a website provided by a healthcare company. From a regulatory perspective, some companies have concluded that device identifiers and internet protocol (IP) addresses of website visitors are not protected under HIPAA, while others have limited or even removed third-party trackers from their websites.
OCR Bulletin on Tracking Technology
The new OCR Bulletin indicates that websites and mobile applications that use tracking technology could put healthcare companies at risk of privacy violations, even those websites and mobile apps for which no login is required (unauthenticated). The Bulletin applies to a broad range of healthcare companies – not just providers but also health plans, app developers working with them and others. The Bulletin uses a similarly broad brush to define the information with which it is concerned, emphasizing that all data elements that could be protected health information (PHI) – particularly identifiers listed in the so-called de-identification safe harbor – must be protected in the digital environment. If those identifiers, no matter how innocuous they seem, are going to third parties via tracking technology, covered entities and business associates need to ensure that the PHI is protected with appropriate BAAs or patient authorizations.
The Bulletin addresses tracking technologies in detail, and discusses how the HIPAA rules apply to the use of such technologies in connection with user-authenticated webpages, unauthenticated webpages and mobile apps. HIPAA protects any unique identifying code relating to an individual if it relates to their healthcare. An individual’s IP address, geographic location, dates of appointments and a number of other data elements are PHI under HIPAA if they relate to the individual’s condition, care or payment. Information is not considered to be completely de-identified unless a qualified expert documents that it is or all identifiers are completely removed.
OCR’s Bulletin presumes that when a regulated entity collects individually identifiable health information (IIHI) through a website or mobile app, the individual is automatically connected to that entity, and that connection “is indicative that the individual has received or will receive health care services or benefits from the covered entity.” The Bulletin assumes that any website or app visitor who is tracked is or will be a patient, even though there are many reasons why a member of the public might visit a particular website, such as to apply for a job or locate a friend who works at the facility. This assumption, which runs contrary to fact and everyday experience, is exactly the same overgeneralization that plaintiffs and class action counsel are urging courts across the country to accept as true.
According to the Bulletin, tracking on user-authenticated websites carries significant risk, since the tracking technologies within such pages may have access to detailed treatment information. Even tracking tools on unauthenticated websites can involve disclosure of PHI, according to OCR’s new guidance. The Bulletin provides, as an example, a visitor on an unauthenticated webpage. This person has not logged in or identified themself in any way, but the webpage includes third-party tracking technology that captures clickstream data and the IP address. If this visitor seeks out information related to specific health conditions (the Bulletin mentions pregnancy and miscarriage) or uses website functionality to search for doctors or schedule appointments, the tracking technology may have access to PHI in OCR’s view. The Bulletin indicates that a regulated entity’s mobile app that collects network location, geolocation, device IDs or advertising IDs would be collecting PHI.
If HIPAA covered entities and business associates use tracking technology, the Bulletin indicates that they must do the following:
- Make sure that all disclosures of PHI are permitted by the Privacy Rule and, unless an exception applies, are the minimum necessary
- Ensure that they have applicable permission prior to any disclosure of PHI and that the tracking vendor has signed a HIPAA BAA or that the patient signs a HIPAA compliant authorization prior to the disclosure
- Even if the vendor does not save the PHI or removes PHI before saving data, the disclosure still requires a signed BAA and permissible purpose
- Analyze the tracking technologies in the entity’s HIPAA Risk Analysis and Risk Management process and ensure that transmitted PHI is properly secured
Breach Risk Assessments
The Bulletin indicates that, unless there is a BAA with the vendor or some other HIPAA compliant pathway, disclosure of PHI to a tracking technology vendor “that compromises the security or privacy of PHI” is a breach. Additionally, the vendor must actually meet the definition of a business associate for the healthcare company to avail itself of the BAA exception. For example, signing a BAA with a third party that plans to use the PHI for its own marketing purposes will not prevent a PHI disclosure from constituting a breach. A breach requires notice to affected individuals, HHS and, in certain cases, the media. The HIPAA rules provide that most impermissible uses or disclosure of PHI are “presumed to be a breach” unless the covered entity or business associate demonstrates, based on a risk assessment, “that there is a low probability that the protected health information has been compromised.” The regulations require an assessment of at least four specific factors.1 A risk assessment based on tracking technology should consider the following.
The Nature and Extent of the PHI Involved, Including the Types of Identifiers and the Likelihood of Re-Identification
Tracking technologies could capture a number of data elements that could constitute IIHI, including device IDs, advertising IDs, geographic location and IP address. These could constitute PHI, so the risk assessment would need to determine the likelihood that these identifiers could identify an individual or the individual’s household member. For example, an IP address associated with a public computer in a library might not be PHI, but an IP address associated with a particular private device would be. To the extent the tracking device collected direct identifiers – including names, medical record numbers, home addresses and email addresses – that factor would be more likely to suggest a compromise of PHI. Additionally, the fact that a person with a particular device clicked on a hospital’s home page might not suggest more than a low probability of compromise, but if that individual clicked on a website of a psychiatric facility or a specialty medical center, it could suggest compromise.
Not all improper disclosures of PHI are automatically a breach. For example, in the preamble to the 2013 HITECH Act omnibus rule, OCR indicated that an impermissible disclosure of a list of patient names, addresses and hospital identification numbers is likely to result in a determination that PHI has been compromised, depending on an assessment of the additional factors below. On the other hand, if the only PHI disclosed was “a list of patient discharge dates and diagnoses, the entity would need to consider whether any of the individuals could be identified based on the specificity of the diagnosis, the size of the community served by the covered entity, or whether the unauthorized recipient of the information may have the ability to combine the information with other available information to re-identify the affected individuals.”2 Even if this factor suggests a low probability of compromise due to the limited nature of the PHI, the regulated entity must still consider the factors below before deciding whether to provide breach notification.
The Unauthorized Person Who Used the PHI or to Whom the Disclosure was Made
If the tracking vendor is a HIPAA business associate that, through a simple mistake, did not sign the BAA or is an entity that otherwise has obligations to protect the privacy and security of the information, such factors could indicate a low probability of compromise. If the vendor is a social media company or search giant that is able to easily combine the PHI with other data it holds to identify an individual, however, then the PHI may be compromised. If the recipient used the PHI for marketing or other impermissible purposes, that would be further evidence of potential compromise.
Whether the PHI was Actually Acquired or Viewed
If the tracking is accomplished through software that does not result in a transfer of PHI to a third party, there may not be a breach. If the tracking vendor receives the PHI, however, there could be a compromise.
The Extent to Which the Risk to the PHI Has Been Mitigated
There could be circumstances where PHI is disclosed to a tracking vendor, but the situation is mitigated sufficiently so as not to constitute a compromise of the PHI, potentially. For example, if the tracking vendor receives PHI for the regulated entity’s health care operations purpose, but no signed BAA is in place, a risk assessment may be able to determine a low probability of compromise if the recipient has only further used and disclosed the PHI for a HIPAA permissible purpose and is otherwise in compliance with HIPAA’s requirements for business associates. OCR has indicated that an entity is a business associate if it meets the definition, even if it fails to enter into a BAA.3 Therefore, it is conceivable that entering into a BAA and obtaining written assurances from the vendor that it has only used and disclosed PHI in accordance with HIPAA could potentially assist with a conclusion of a low probability of compromise.
If the Tracking Technology is a “Breach,” What Then?
If the tracking technology involves a disclosure of PHI in a manner that does not comply with HIPAA and the regulated entity is unable to demonstrate a low probability of compromise, the regulated entity, if it is a business associate, must notify the relevant covered entity. Covered entities must notify the affected individuals no later than 60 calendar days after discovery of the breach.4 A breach is considered to be “discovered” on the first day on which it is known to the covered entity or, by exercising reasonable diligence, would have been known. Arguably, for a number of covered entities using these tracking technologies, Dec. 1, 2022, probably starts the clock ticking. It may have started much earlier, as the potential risks of these technologies has been widely reported and have also been the subject of litigation, even though OCR has chosen until now not to share its views on this contentious topic. The notices must include certain provisions required by the HIPAA rules and must be sent by first-class mail to the individual’s last known address, or it could be sent by electronic mail if the individual agrees to electronic notice and such agreement has not been withdrawn.
Regulated entities may be collecting IIHI from individuals who have not yet received healthcare services or benefits from the covered entity. The Bulletin suggests that the fact that an individual merely connects to the website indicates that the individual may have or will receive services or benefits “and thus relates to the individual’s past, present, or future health care or payment for care.” It is likely that an entity’s website could have thousands or millions of visits from individuals who do not, in fact, have a relationship with the entity and for whom the entity has no contact information. In situations where a covered entity has insufficient or out-of-date contact information but still concludes following the risk analysis that notice is required, the covered entity must provide substitute notice combined with actual mailed notice for any persons for whom adequate contact information exists. If 10 or more individuals have insufficient contact information, the entity can provide substitute notice either by 1) conspicuously posting a notice on the home page of its website for 90 days or 2) providing conspicuous notice in major print or broadcast media in geographic areas where the affected individuals likely reside.
Breaches also require notices to the HHS Secretary. Media notice is mandated for breaches involving PHI of more than 500 residents of a state or jurisdiction. Depending on the nature of the information breached, there may be additional notice requirements under state law.
Likely Litigation Results
While the Bulletin’s content, by its own terms, “do not have the force and effect of law and are not meant to bind the public in any way,” it will likely be cut and pasted into hundreds of class action lawsuits in 2022 and 2023, and cut and pasted again in as many briefs by class action counsel fending off motions to dismiss. The Bulletin reflects the (counterfactual) view that use by the general public of healthcare company websites and apps is tantamount to evidence of a patient relationship, and that even without the user logging in or identifying themselves, PHI may be created. Further, the Bulletin provides dicta without any factual findings or chance for public comment that disclosure of such information “may result in identity theft, financial loss, discrimination, stigma, mental anguish, or other serious negative consequences to the reputation, health, or physical safety of the individual or to others identified in the individual’s PHI.” Between the Bulletin itself and the avalanche of breach notices it seems likely to set off, the existing litigation on these issues seems likely to grow in the near term. In addition, while HIPAA has no private right of action, OCR’s new guidance creates additional risk for healthcare companies by inviting individuals who believe their health privacy rights have been violated to file a complaint with OCR.
Compliance and Strategy Implications
In addition to making any required breach notifications, healthcare companies should also work with their privacy and security departments as well as counsel to assess and mitigate ongoing risk. Indeed, per the Bulletin, healthcare companies must now take steps “addressing the use of tracking technologies in the regulated entity’s Risk Analysis and Risk Management processes.”
Healthcare companies must know and reassess their strategy with respect to third-party tracking. This should include:
- inventory of current third-party tracking activity on websites and apps
- assessment of tracking against the Bulletin’s guidance
- considering removing tracking technologies or limiting their placement on certain sensitive pages
- considering changes to technology used or configuration to reduce information provided to third-party trackers
- executing compliant BAAs and/or obtaining specific HIPAA-valid patient authorizations in advance of individuals engaging with website
- evaluating and improving governance over new websites and mobile apps for compliance purposes, including hardening of procurement and vendor oversight programs and the development of rules of the road for healthcare information technology (IT), marketing and digital teams
Healthcare companies can take these reasonable steps to both comply with this new guidance and mitigate litigation and regulatory risk.
1 45 C.F.R. § 164.402.
2 Final Rule, OCR, HHS, “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, 78 Fed. Reg. 5566, 5642-43 (Jan. 25, 2013).
3 Id. at 5574.
4 45 C.F.R. §164.404.