Could Cookies and Other Tracking on Websites Violate HIPAA – HHS Warns Covered Entities About Tracking on Websites and Use of Vendors to Develop Them

December 20, 2022

Earlier this month, the United States Department of Health and Human Services’ Office of Civil Rights (“OCR”), the organization that has jurisdiction over enforcement of the Health Insurance Portability and Accountability Act of 1996 (the Federal law that we all know and love under the name HIPAA), released a bulletin (Bulletin) addressing the use of a variety of website tracking technologies.

The central message of the Bulletin was that “[r]egulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of Protected Health Information (“PHI”) to tracking technology vendors or any other violations of the HIPAA Rules.”  The Bulletin called out some commonly used website technologies such as website cookies that OCR claims can lead to the disclosure of identifiable patient information protected under HIPAA.  You can access the OCR Bulletin Here.

The Bulletin is issued amidst a wider national and international privacy landscape increasingly focused on regulating the collection and use of personal information through web-based technologies and software that may not be readily apparent to the user.

So, what does the OCR have against cookies that they would release such a document just before holiday cookie time?

The OCR gave its reason for chilling our holiday spirit.  The agency recognized it has always been true that regulated entities may not impermissibly disclose PHI to tracking technology vendors.  But in OCR’s opinion, the proliferation of tracking technologies collecting sensitive information makes it critical for HIPAA-covered entities to ensure they disclose PHI only as expressly permitted or required by the HIPAA Privacy Rule.

The OCR identified a strong concern that some of those beloved technological cookies, not the holiday ones, but the ones used by websites to collect and analyze information about how users interact with websites or mobile applications, could have a harmful side effect: they may result in the disclosure of Protected Health Information that could be identified to patients.  When covered entities (healthcare providers, healthcare clearinghouses, etc.) use these technologies, it can violate HIPAA.  The OCR Bulletin expresses the concern of the regulatory agency that “the information that regulated entities collect through tracking technologies or disclose to tracking technology vendors [might include] protected health information (PHI) that is protected from disclosure by HIPAA.”  OCR is concerned that website tracking used by HIPAA-covered entities might end up sharing sensitive information with online tracking technology vendors and others.  Sharing this information may constitute unauthorized disclosures of PHI to such vendors.

In fact, OCR comes right out and says that HIPAA-covered entities “are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors.”  By way of example, OCR stated that disclosures of PHI to tracking technology vendors for marketing purposes, without proper release and authorization by patients, would constitute impermissible disclosures and would violate the HIPAA Privacy Rule.

In addition to violating HIPAA, the OCR identifies “a wide range of additional harms to the individual or others” such as creating the potential for “identity theft, financial loss, discrimination, stigma, mental anguish, or other serious negative consequences to the reputation, health, or physical safety of the individual or to others identified in the individual’s PHI.”  According to OCR, these types of disclosure can “reveal incredibly sensitive information about an individual, including diagnoses, frequency of visits to a therapist or other health care professionals, and where an individual seeks medical treatment.”

The Bulletin was relatively detailed in its description of the various tracking technologies currently being used and provides an overview of how the HIPAA rules apply to the use of tracking technologies by HIPAA-covered entities. The Bulletin specifically covered:

  • A description of the various tracking technologies in use on websites.
  • Discussion of how these various tracking technologies might violate HIPAA when used by covered entities.
  • How existing HIPAA rules might apply to the use of these technologies.
  • Tracking on user-authenticated web pages, unauthenticated web pages, and on mobile applications.
  • Discussion of the compliance obligations of covered entities when they utilize tracking on their websites.

Tracking Technologies Sometimes Used by Health Care Providers

Healthcare providers often use tracking technologies.  Use of tracking enables the provider to collect useful data about patients and others who visit their sites.  Tracking technologies collect information and track users in various ways such as cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts.  These tracking mechanisms are often not apparent to the user.

Tracking technologies often involve the use of a script or code on a provider’s website or mobile app that is used to gather information about users.  Collected data can then be analyzed to gain insights into the online activities of patients and others who visit the provider’s website.  Oftentimes information gathered is used in beneficial ways and can help improve care and patient experience interacting with web portals.  Yet, information a healthcare provider obtains through tracking could also be misused if it were to get into the wrong hands.  Patient data, particularly data found via the login area of a website, is often quite sensitive and includes information that could be used maliciously to promote misinformation, identity theft, stalking, and harassment.  As long as the data stays in the hands of the healthcare provider and is properly secured, the risk of misuse is low.

The problem with user data normally arises when third parties have access to this information.  This may be a hacker acting for malevolent purposes.  Covered entities are required to maintain the security of electronic access to information under the HIPAA Security Rule.  Unauthorized access constitutes a data breach and triggers regulatory obligations that must be met in the event of a breach, such as investigation, patient notification, and notice to the OCR.

Special steps must be taken to protect this data when a healthcare provider contracts out its data tracking to a third party.  Use of third-party vendors is not at all uncommon.  Providers may not have the internal resources to build their own tracking technologies.  Even if they could develop the tracking system on their own, the use of vendor-created tracking is normally more cost-efficient.

A third-party vendor of tracking solutions may have access to sensitive data made available through use of their tracking technology.  The focus of the OCR Bulletin is on protection of sensitive information when a third-party vendor is used by healthcare providers.  A third-party vendor will often have access to sensitive data such as an individual patient’s medical record number, contact information, information about appointments and procedures, medical device identification information, and other information that pertains to the patient’s health care and may identify the patient in connection with that information.  This information will generally be protected health information under HIPAA and is subject to HIPAA privacy and security rules.

Steps to Take to Assure Portal Security

Much of the sensitive patient data lies beneath authenticated patient portal sites.  As a result, the security of these portal sites is most critical in terms of compliance with HIPAA.  The OCR Bulletin lays out steps that providers need to take to properly secure their patient portal sites, including:

  • Configuring user-authenticated webpages that include tracking technologies to allow such technologies to only use and disclose PHI in compliance with the HIPAA privacy rules.
  • Taking steps to ensure electronic protected health information collected is protected and secured as required by the HIPAA security rules.
  • Ensuring that any disclosures made to the vendor of tracking technologies are limited to the information necessary for performance of the vendor’s contracted tasks.
  • Ensuring vendors enter into valid business associate agreements with the provider. Vendors who create or operate tracking technologies for a health care provider are clearly “business associates” and the contractual relationship requires compliance with standards for business associates contained in HIPAA.
  • A healthcare provider’s “front” pages normally do not make individually identifiable data available through tracking technologies. If identifiable patient information is not available through these unsecured portions of the website, those portions of the site should not require HIPAA compliance, at least in terms of tracking technologies.  Providers should make certain that protected health information is not available through unauthenticated portions of their websites.  The exception where there could be access from unauthenticated pages might be the login and/or patient registration pages.  However, if tracking technologies on a regulated entity’s patient portal login page or registration page collect an individual’s login information or registration information, that information is protected under HIPAA.
  • If information on unauthenticated portions of the website addresses specific symptoms or health conditions, or permits a doctor search or appointment scheduling without entering credentials and accessing secure portions of the site, collected data could include HIPAA-protected information. It is possible that information could be collected and identified to a patient through IP tracking, e-mail address, or other data.  If this data is tracked, even from the “public” unauthenticated portions of the website, the private information could make its way into the hands of the vendor of the tracking technology.
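As an added illustration (not from the Bulletin or this post), the following Python audit parses a few constructed portal pages and flags script, image and iframe elements served from any host other than the provider's own, grading each finding by the page category the Bulletin distinguishes (authenticated portal, login/registration, public pages about conditions or doctor search, other public pages). The host name portal.example-clinic.test, the sample markup and the severity mapping are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = "portal.example-clinic.test"   # assumed first-party host (constructed)

# Page classes the Bulletin distinguishes; the risk grading is our assumption.
SEVERITY = {
    "authenticated": "HIGH",       # portal pages behind login carry PHI
    "login": "HIGH",               # login/registration input is protected per the Bulletin
    "public-condition": "MEDIUM",  # symptom, condition, doctor-search or scheduling pages
}                                  # any other public page defaults to LOW

class TrackerFinder(HTMLParser):
    """Collect script/img/iframe sources served from a host other than FIRST_PARTY."""
    def __init__(self):
        super().__init__()
        self.third_party = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "img", "iframe"):
            return
        src = dict(attrs).get("src") or ""
        host = urlparse(src).netloc.lower()    # relative src -> "" -> first party
        if host and host != FIRST_PARTY:
            self.third_party.append((tag, host))

def audit_page(page_class, html):
    """Return (severity, tag, host) for every third-party element on one page."""
    finder = TrackerFinder()
    finder.feed(html)
    sev = SEVERITY.get(page_class, "LOW")
    return [(sev, tag, host) for tag, host in finder.third_party]

def audit_site(pages):
    """pages: {path: (page_class, html)} -> {path: findings}; clean pages are omitted."""
    report = {}
    for path, (page_class, html) in pages.items():
        findings = audit_page(page_class, html)
        if findings:
            report[path] = findings
    return report

# Constructed sample pages; hosts and markup are made up for the example.
SAMPLE_PAGES = {
    "/portal/messages": ("authenticated", '<script src="/static/app.js"></script><script src="https://analytics.vendor-example.test/tag.js"></script>'),
    "/login": ("login", '<img src="//pixel.ad-example.test/p.gif" width="1" height="1">'),
    "/conditions/depression": ("public-condition", '<iframe src="https://replay.session-example.test/r.html"></iframe>'),
    "/about-us": ("public", '<img src="/img/logo.png">'),
}
```

Running `audit_site(SAMPLE_PAGES)` flags the portal, login and condition pages and leaves the logo-only page out of the report; a real run would fetch the rendered HTML of each page, since many trackers are injected by tag managers rather than written into the page source.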

Big Picture Takeaways from OCR Bulletin on Tracking Technologies

The big takeaway in terms of using third-party vendors is to make certain of two things:

  • Maintain a valid business associate agreement with the vendor that meets the requirements set forth in the HIPAA rules.
  • Make certain the vendor has access only to information that is the “minimum necessary” for the vendor to perform its function.

The content in the following blog posts is based upon the state of the law at the time of its original publication. As legal developments change quickly, the content in these blog posts may not remain accurate as laws change over time. None of the information contained in these publications is intended as legal advice or opinion relative to specific matters, facts, situations, or issues. You should not act upon the information in these blog posts without discussing your specific situation with legal counsel.

© 2024 Ruder Ware, L.L.S.C. Accurate reproduction with acknowledgment granted. All rights reserved.