
MarTech Meets HIPAA

Several months ago, Meta and a number of US hospitals were named in two class-action lawsuits alleging violations of the United States Health Insurance Portability and Accountability Act, otherwise known as HIPAA. This cast a light on the often shadowy exchange of data, in the name of targeting and attribution, that can occur as users browse the web.

Following this, the United States Department of Health and Human Services (HHS) issued a bulletin to remind covered entities and their business associates of their obligations under the law and the relevant regulations. HHS stresses the following in the opening of the document in regard to Protected Health Information (PHI):

Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules. For example, disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosure.

https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html

The bulletin makes clear that the tracking technology it describes covers essentially every common MarTech integration: pixels, beacons, fingerprinting scripts, session-replay scripts, IP addresses, geolocation and cookies. Any of these may disclose individually identifiable health information (IIHI), and IIHI is often Protected Health Information under HIPAA and the related Privacy Rule. The document then breaks down tracking on webpages (in both the authenticated and the unauthenticated scenario) as well as in mobile apps.

Websites

User-authenticated scenarios

HHS believes that in user-authenticated scenarios, tracking technology often has access to the user's IP address, medical record number, email address, appointment dates or other information. They are not wrong in this belief: a third-party script runs with the same access to the page as the site's own code, so the majority of client-side scripting vendors can read any information presented to the user simply by scraping the DOM with JavaScript.

Given this, HHS reminds us that the regulated entity must configure any user-authenticated webpages that include tracking technology to use and disclose Protected Health Information only in compliance with the HIPAA Privacy Rule, and must ensure that the data collected via the website is handled in compliance with the HIPAA Security Rule.
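The DOM-scraping point above is straightforward to check for on a page you control. What follows is an added example, not code from the original post or from HHS: a static audit in JavaScript that, given a saved copy of an authenticated page, lists every origin other than the page's own that receives a request at load time (each one a candidate tracking-technology vendor that needs either a business associate agreement or removal from authenticated pages), the named form fields a third-party script could harvest, and visible text matching identifier patterns. The page origin, the HTML, the vendor hostnames and the "MRN-" identifier format are all constructed for this example; in a live browser the tag would read the rendered DOM and also see whatever the user types.

```javascript
// Added example (not from the original post): a static audit of one
// authenticated page, showing what a third-party tag loaded on it could reach.
// The page origin, the HTML and the vendor hostnames are all constructed.
const PAGE_ORIGIN = "https://portal.example-hospital.org";

// Constructed sample of an authenticated patient-portal page.
const SAMPLE_HTML = `
<html><body>
  <h1>Welcome back, Jane Doe</h1>
  <p>MRN: <span id="mrn">MRN-0044912</span></p>
  <p>Contact: jane.doe@example.com</p>
  <form id="appt">
    <input name="email" value="jane.doe@example.com">
    <input name="appointment_date" value="2023-06-14">
  </form>
  <script src="/static/app.js"></script>
  <script src="https://tags.example-analytics.com/tag.js"></script>
  <script src="https://cdn.example-adtech.com/pixel.js"></script>
  <img src="https://pixel.example-adtech.com/tr?ev=PageView" height="1" width="1">
</body></html>`;

// Collect the value of one attribute across every element of one tag type.
function attrValues(html, tag, attr) {
  const re = new RegExp(`<${tag}\\b[^>]*\\s${attr}="([^"]*)"`, "gi");
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Every origin other than the page's own that receives a request when the
// page loads. Each is a candidate tracking-technology vendor that needs
// either a BAA or removal from authenticated pages.
function thirdPartyOrigins(html, pageOrigin) {
  const own = new URL(pageOrigin).origin;
  const srcs = [...attrValues(html, "script", "src"), ...attrValues(html, "img", "src")];
  const origins = new Set();
  for (const s of srcs) {
    const origin = new URL(s, pageOrigin).origin; // resolves relative paths to own origin
    if (origin !== own) origins.add(origin);
  }
  return [...origins].sort();
}

// Named form fields a DOM-scraping script could read with
// document.querySelectorAll("input"); in a live page it would also see what
// the user types, not just the prefilled values present in the markup.
function harvestableFields(html) {
  const re = /<input\b[^>]*\sname="([^"]*)"[^>]*\svalue="([^"]*)"/gi;
  const fields = {};
  let m;
  while ((m = re.exec(html)) !== null) fields[m[1]] = m[2];
  return fields;
}

// Visible page text that looks like identifiers. Heuristic patterns only;
// the "MRN-<digits>" format is an assumption of this example.
function visiblePhi(html) {
  const text = html
    .replace(/<script[\s\S]*?<\/script>/gi, " ")
    .replace(/<[^>]+>/g, " ");
  const emails = new Set(text.match(/[\w.+-]+@[\w-]+\.[\w.-]+/g) || []);
  const mrns = new Set(text.match(/\bMRN-\d+\b/g) || []);
  return { emails: [...emails].sort(), mrns: [...mrns].sort() };
}

function auditPage(html, pageOrigin) {
  return {
    thirdPartyOrigins: thirdPartyOrigins(html, pageOrigin),
    harvestableFields: harvestableFields(html),
    visiblePhi: visiblePhi(html),
  };
}

// Run stand-alone: print the inventory for the constructed page.
console.log(JSON.stringify(auditPage(SAMPLE_HTML, PAGE_ORIGIN), null, 2));
```

Run it with `node audit.js`. The output is the list to hand to the legal team: every third-party origin either maps to a signed business associate agreement or comes off the authenticated pages. One caveat for real sites: tags injected at runtime by a tag manager never appear in the static HTML, so pair this with the browser's network panel or a Content-Security-Policy in report-only mode to see the origins actually contacted.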

HHS also reminds covered entities that tracking technology vendors may be considered business associates, provided all the requirements are met. Entities subject to HIPAA should consult their legal teams to confirm that their specific use case qualifies and that the proper disclosures and agreements are in place.

Guest Scenarios

Generally, HHS does not consider public-facing webpages to contain Protected Health Information; however, specific scenarios exist where tracking technology does have access to information that may be considered PHI, and in those scenarios the HIPAA rules apply.

Scenario 1 relates to login pages. During the login process the user may be required to enter login information (such as an email address or name). This information is PHI and is thus protected by the HIPAA rules.

Scenario 2 relates to information pages about specific medical conditions (such as pregnancy) that let the user search for doctors or book appointments. Tracking technology may have access to PHI during these processes, since an email address or IP address may be collected. In this scenario the regulated entity is collecting PHI and disclosing it to the tracking vendor, so the HIPAA rules apply.

If you are subject to the HIPAA rules, it is worth a discussion with your website development team to review your use cases and ensure that the rules are being adhered to.

Mobile Apps

If the mobile app is owned by a regulated entity, then HIPAA rules apply both to the entity, as well as any mobile app vendor, tracking technology vendor or any other third party who receives such information (such as device fingerprints, device ID, advertising ID, or network location).

If, however, the mobile app is not owned by a regulated entity but the user enters health information into it, then HIPAA does not apply. Even so, other laws may apply, such as the Federal Trade Commission Act and the FTC's Health Breach Notification Rule.

So what does this all mean?

The notice makes clear that regulated entities are required to comply with the HIPAA rules when using tracking technologies (pretty much any MarTech solution). It gives some handy examples of the HIPAA Privacy, Security and Breach Notification requirements, which include:

  • Ensuring that all transmissions of PHI to tracking technology vendors are permitted by the Privacy Rule and that, unless exempted, only the minimum necessary PHI to achieve the purpose is disclosed.
  • Reminding entities that declaring tracking technology in a privacy policy or terms of service is not enough: the HIPAA Privacy Rule does not permit disclosures of PHI solely on the basis that the regulated entity informed users of the disclosure in those locations. The entity must ensure that every vendor has signed a business associate agreement and that an applicable permission exists prior to the disclosure of PHI.
  • If there is no applicable Privacy Rule permission, or the vendor is not an established business associate of the covered entity, then a HIPAA-compliant authorization is required before PHI is disclosed to the vendor. The example makes clear that consent banners for items such as cookies do not constitute valid HIPAA authorization.
  • The entity must address the use of tracking technology in its risk analysis and risk management processes, as well as comply with the HIPAA Security Rule.

The bulletin also contains examples and notes regarding breach notifications, and things to keep in mind when establishing a business associate agreement. Legal teams would be well served to review the notice and the relevant sections of the law to ensure compliance needs are being met.

Next Steps

Covered entities should work with their legal and engineering teams to determine whether all the required steps are being taken for their specific use cases. Existing processes should be altered to include the relevant reviews where they are found to be missing, and existing integrations may need to change depending on the findings. Finally, vendor onboarding needs to take the above into account before any MarTech solution is integrated into the website or app going forward.
