Office for Civil Rights Issues Guidance on the Use of Third-Party Tracking Technologies by HIPAA-Regulated Entities

Posted By Madilyn Moeller, Thursday, December 29, 2022

The U.S. Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) issued guidance regarding the obligations of HIPAA Covered Entities and Business Associates under the HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) when they use online third-party tracking technologies (“tracking technologies”) as part of their operations.

HIPAA Covered Entities may employ tracking technologies (directly or through vendors) to analyze how customers interact with the entity’s website or mobile app. The HIPAA Rules apply when a covered entity’s use of tracking technologies leads to the collection or disclosure of protected health information (PHI). The collection or disclosure of PHI (including the sharing of PHI with third-party vendors for marketing purposes) must have HIPAA-compliant authorizations.

As explained further below, the most important takeaway from the OCR’s new guidance is that an IP address itself constitutes “individually identifiable health information” (“IIHI”) when it is collected through tracking technology on a covered entity’s website or mobile app.

Covered Uses of Tracking Technologies

The guidance defines tracking technologies as “script or code on a website or mobile app used to gather information about users as they interact with the website or mobile app.” The most common tracking technologies are cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts.

Under the guidance, IIHI includes:

  • Individual’s medical record number,
  • Home or email address,
  • Dates of appointments,
  • An individual’s IP address or geographic location,
  • Medical device IDs, or
  • Any unique identifying code.

The guidance states that the foregoing IIHI is also PHI because “when a regulated entity collects the individual’s IIHI through its website or mobile app, the information connects the individual to the regulated entity (i.e., it is indicative that the individual has received or will receive health care services or benefits from the covered entity.)”

The guidance addresses the use of tracking technologies on user-authenticated web pages, unauthenticated web pages, and within mobile apps.

Read more at Clark Hill >>

Read the Bulletin at HHS.gov >>