OCR Tracking Technology Bulletin Summary

On December 1, 2022, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a bulletin discussing the relationship between protected health information (PHI) and tracking technology

Protecting sensitive health information is a core responsibility of medical organizations. This bulletin proves that out of sight should not mean out of mind. Breaches of PHI can occur in unexpected ways, and long-term compliance often requires foresight and flexibility.

HIPAA holds covered entities responsible for breaches caused by their vendors, so it’s urgent to fix compliance errors ASAP. In this article, we’ll break down the requirements of this bulletin for covered entities to help healthcare professionals ensure compliance. 

Bite-Sized Key Takeaways 

Short on time? Check out our brief summary of the major updates from the ONC bulletin.

Generally speaking, the OCR considers individually identifiable health information (IIHI) to be PHI. Name, email, IP address, and other minor details can connect an individual’s tracking profile to their medical history or intent.

Regulated entities can’t use tracking technologies in ways that would result in impermissible disclosures of PHI to vendors. Identifiable information collected that could be used to infer past, present, or future care requires specific authorization to share. 

Covered entities cannot use or disclose protected health information in any way not expressly permitted or required by the Privacy Rule. You can brush up on the Privacy Rule here.

User agreements, privacy policies, and terms & conditions don’t constitute HIPAA authorization. Valid HIPAA authorizations are required for PHI disclosures to vendors, and these disclosures must meet the minimum necessary standard.

The OCR will investigate suspected breaches with civil money penalties and, in some cases, media notification. You can submit complaints to the OCR complaint portal at the following link: https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf.

Tracking Technology can Steal PHI

It’s no secret that, without taking extensive privacy measures, various tracking vendors follow you across the internet. Personal data is so valuable for marketing purposes that social platforms make mountains of money by collecting and utilizing it. 

Cookies, tracking pixels, and session replay scripts are common examples of methods vendors use to track user behavior. According to Norton, about 79% of websites contain tracking technology, but most of the information data vendors collect is harmless. 

For healthcare websites, however, the information collected can violate patient privacy. Earlier this year, we talked about how Facebook’s Meta Pixel collected appointment creation details. At the time, we suggested removing the pixel from any webpage that could put PHI at risk. 

Let’s say somebody searches for local obstetricians before landing on a web page for setting up appointments. This would inform the tracking vendor that the individual is pregnant, and if the patient fills out a form on a page with tracking technology, the vendor may get that data too.

The OCR bulletin clarifies that individually identifiable health information (IIHI) is also protected health information (PHI). This is true even if the individual and vendor don’t have a prior relationship, and deidentification doesn’t make collection permissible. 

Do User Agreements Constitute HIPAA Authorization?

Nobody likes reading user agreements. They take too long to read, use complicated language, and act as a barrier you only bypass by checking “Yes.” In fact, a 2017 survey by Deloitte found 91% of individuals polled generally don’t read terms and conditions before agreeing

As we stated in our HIPAA Privacy Rule deep dive, “the form must adequately inform the requestor of their rights to revoke the authorization, exceptions to these rights, and their protections and risks. You must present this information in plain language to ensure the requestor understands these points.” 

Whether labeled as a user agreement, a privacy policy, or the terms & conditions, it’s not HIPAA authorization. Valid HIPAA authorizations are required for any PHI disclosures to vendors, and these disclosures must meet the minimum necessary standard.

Tracking Technology vs. HIPAA

The main reason HIPAA exists is to protect patient privacy and rights in an increasingly digital world, and the December 1 bulletin aims to progress this goal by eliminating unintentional disclosures caused by automatic tracking. 

The bulletin clarified that “tracking technology vendors are business associates if they create, receive, maintain, or transmit PHI on behalf of a regulated entity for a covered function or provide certain services to or for a covered entity that involve the disclosure of PHI.” 

As a trusted business associate for thousands of healthcare professionals across the United States, ChartRequest will never sell patient data. Business associates are held to the same HIPAA standards as covered entities and have sworn to protect patient privacy.

Not all tracking technology vendors are business associates, however, including the aforementioned Meta Pixel. To protect your organization from possible civil money penalties, adjusting the scope of such technology may be necessary.

Tracking technologies can be crucial for some health IT applications to function, but the goal of these trackers is not to market patient data. To clarify when tracking technology should and should not save data, the OCR provided guidance for 3 types of web pages. 

User-Authenticated Webpages

User-authenticated webpages require a specific user login, and they can hold substantial amounts of patient information. Covered entities must configure all tracking on user-authenticated web pages in accordance with the HIPAA Privacy Rule and Security Rule

Additionally, all tracking technology vendors on these pages must be business associates with signed business associate agreements (BAA).

Unauthenticated Webpages

Unauthenticated webpages don’t require a specific user login, and tracking regulations can vary. 

Generally speaking, the average hospital’s home page wouldn’t pose any patient privacy risk. Hospitals perform a wide range of treatments, so the individual’s reason for visiting the page wouldn’t be identifiable. 

If the page visited is very specific, however, it could offer the vendor a window into their care. For example, a webpage detailing a hospital’s obstetrician would indicate the individual’s pregnancy, which would constitute PHI.

Pages with search functions (like provider directories) or data entry fields (like signup pages) may also provide PHI when submitted, so covered entities should configure these pages in accordance with HIPAA Rules. 

Mobile Apps

All identifiable and personal information mobile apps receive from or on behalf of a covered entity is considered PHI, but mobile apps that do not fit this description are not regulated by HIPAA Rules.

If a patient uploads or shares their own PHI with an entity not regulated by HIPAA, the ONC cannot hold that entity liable for misuse. Instead, the Federal Trade Commission (FTC) Act and the FTC’s Health Breach Notification Rule (HBNR) may apply in these instances.

ChartRequest Never Sells Patient Data

ChartRequest is dedicated to ensuring the privacy and security of patient information. With over a decade of experience helping patients, providers, and third-party professionals exchange records quickly, we make HIPAA compliance easy.

Want to read more about compliance with major federal regulations? Check out the following links:

21st Century Cures Act Fact Sheet

HIPAA Right of Access Initiative

Encryption for HIPAA Compliance