
Use of online tracking technologies by HIPAA covered entities and business associates

Press releases may be edited for formatting or style | March 21, 2024

While it has always been true that regulated entities may not impermissibly disclose PHI to tracking technology vendors, because of the proliferation of tracking technologies collecting sensitive information, OCR is providing this reminder that it is critical for regulated entities to ensure that they disclose PHI only as expressly permitted or required by the HIPAA Privacy Rule.

To this end, this Bulletin provides guidance for regulated entities to consider when contemplating the use of tracking technologies, including an overview of how the HIPAA Rules apply to regulated entities’ use of tracking technologies. This Bulletin addresses:

What is a tracking technology?
How do the HIPAA Rules apply to regulated entities’ use of tracking technologies?
Tracking on user-authenticated webpages
Tracking on unauthenticated webpages
Tracking within mobile apps
HIPAA compliance obligations for regulated entities when using tracking technologies

What is a tracking technology?

Generally, a tracking technology is a script or code on a website or mobile app used to gather information about users or their actions as they interact with a website or mobile app. After information is collected through tracking technologies from websites or mobile apps, it is then analyzed by owners of the website or mobile app (“website owner” or “mobile app owner”), or third parties, to create insights about users’ online activities. Such insights could be used in beneficial ways to help improve care or the patient experience, improve the utility of webpages and apps, or allocate resources. For example, hospitals might use data analytics to determine how many IP addresses accessed webpages providing information about COVID-19 vaccines or treatment in a particular area, which in turn could help the hospitals make decisions about how to allocate their medical and other resources. However, this tracking information could also be misused to promote misinformation, identity theft, stalking, and harassment.

Tracking technologies collect information and track users in various ways, many of which are not apparent to the website or mobile app user. Websites commonly use tracking technologies such as cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts to track and collect information from users. Mobile apps generally include/embed tracking code within the app to enable the app to collect information directly provided by the user, and apps may also capture the user’s mobile device-related information. For example, mobile apps may use a unique identifier from the app user’s mobile device, such as a device ID or advertising ID. These unique identifiers, along with any other information collected by the app, enable the mobile app owner or vendor or any other third party who receives such information to create individual profiles about each app user.
