
Use of online tracking technologies by HIPAA covered entities and business associates

Press releases may be edited for formatting or style | March 21, 2024

Website or mobile app owners may use tracking technologies developed internally or those developed by third parties. Generally, tracking technologies developed by third parties (e.g., tracking technology vendors) send information directly to the third parties who developed such technologies and may continue to track users and gather information about them even after they navigate away from the original website to other websites. This Bulletin focuses on regulated entities’ obligations when using third party tracking technologies.

How do the HIPAA Rules apply to regulated entities’ use of tracking technologies?

Some regulated entities may be disclosing a variety of information to tracking technology vendors through tracking technologies placed on the regulated entity’s website or mobile app, such as information that the individual types or selects when they use regulated entities’ websites or mobile apps. The information disclosed might include an individual’s medical record number, home or email address, or dates of appointments, as well as an individual’s IP address or geographic location, device IDs, or any unique identifying code.[19] In some cases, the information disclosed may meet the definition of individually identifiable health information (IIHI),[20] which is a necessary pre-condition for information to meet the definition of PHI when it is transmitted or maintained by a regulated entity.

IIHI collected on a regulated entity’s website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the IIHI, such as in some circumstances IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services.[21] But the mere fact that an online tracking technology connects the IP address of a user’s device (or other identifying information) with a visit to a webpage addressing specific health conditions or listing health care providers is not a sufficient combination of information to constitute IIHI if the visit to the webpage is not related to an individual’s past, present, or future health, health care, or payment for health care.[22]

The information below highlights how the HIPAA Rules apply in the context of tracking on user-authenticated webpages and unauthenticated webpages, and within mobile apps.

Tracking on user-authenticated webpages

Regulated entities may have user-authenticated webpages, which require a user to log in before they are able to access the webpage, such as a patient or health plan beneficiary portal or a telehealth platform. Tracking technologies on a regulated entity’s user-authenticated webpages generally have access to PHI. Such PHI may include, for example, an individual’s IP address, medical record number, home or email addresses, dates of appointments, or other identifying information that the individual may provide when interacting with the webpage. Tracking technologies within user-authenticated webpages may even have access to an individual’s diagnosis and treatment information, prescription information, billing information, or other information within the portal. Therefore, a regulated entity must configure any user-authenticated webpages that include tracking technologies to allow such technologies to only use and disclose PHI in compliance with the HIPAA Privacy Rule and must ensure that the electronic protected health information (ePHI)[23] collected through its website is protected and secured in accordance with the HIPAA Security Rule.[24]
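A first step toward the configuration obligation above is knowing which third-party hosts an authenticated page actually causes the browser to contact. The following is an added example written for this page, not code from the Bulletin or from HHS: it parses the HTML of a page and lists every script, image, iframe, and link resource whose host is not the entity's own. The portal page, the host name portal.example, and the vendor host names are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements whose URL attribute makes the browser send a request to that host.
# A request to a third-party host can carry the user's IP address, cookies,
# and the page URL (via the Referer header) to that host.
URL_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class _ResourceCollector(HTMLParser):
    """Collects (tag, url) pairs for the resource-loading elements above."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr_name = URL_ATTRS.get(tag)
        if attr_name is None:
            return
        for name, value in attrs:
            if name == attr_name and value:
                self.urls.append((tag, value))


def third_party_resources(html, first_party_host):
    """Return (tag, url, host) for each resource served from a host that is
    neither first_party_host nor one of its subdomains."""
    collector = _ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.urls:
        if url.startswith("//"):          # protocol-relative URL
            url = "https:" + url
        host = urlparse(url).hostname
        if host is None:                  # relative path: served first party
            continue
        if host == first_party_host or host.endswith("." + first_party_host):
            continue
        findings.append((tag, url, host))
    return findings


# Constructed sample: a hypothetical patient-portal page after login.
SAMPLE_PORTAL_PAGE = """
<html><head>
  <link rel="stylesheet" href="/css/main.css">
  <script src="/static/portal.js"></script>
  <script src="https://cdn.portal.example/lib.js"></script>
  <script src="https://analytics.tracker.example/collect.js"></script>
</head><body>
  <h1>Appointments for MRN 0000000 (constructed)</h1>
  <img src="https://pixel.adsvendor.example/p.gif" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for tag, url, host in third_party_resources(SAMPLE_PORTAL_PAGE, "portal.example"):
        print(f"third-party {tag}: {host} ({url})")
```

Only resources declared in the served HTML are found this way; scripts that open further connections at runtime are not visible to a static parse, so the listing is a starting inventory to compare against the entity's business associate agreements, not a complete one.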
