Using Tracking Technologies on Websites Without a BAA Violates HIPAA

The HHS’ Office for Civil Rights (OCR) has issued a bulletin stating that placing third-party tracking technologies on websites, web applications, and mobile apps without a signed business associate agreement (BAA) violates HIPAA when the tracking technology collects and transmits individually identifiable health information. Signing a BAA does not by itself make the use of tracking technology compliant; it can still violate HIPAA.

The bulletin follows the discovery earlier this year of the widespread use of the Meta Pixel tracking code on hospital websites and the resulting transfer of data, including sensitive patient information, to Meta. An investigation by The Markup and STAT found Meta Pixel on the websites of a third of the top 100 U.S. hospitals. In 7 cases, the code was present inside password-protected patient portals. Since the study was limited to the top 100 hospitals, it is likely that hundreds of hospitals have used the code and have unknowingly transmitted sensitive information to Meta/Facebook without a signed business associate agreement and without patient authorization.

After the report was published, healthcare organizations faced a number of lawsuits over these impermissible disclosures. Several plaintiffs alleged that data they entered on healthcare providers’ websites was transmitted to Meta and then used to serve them targeted ads related to their health conditions. The news prompted investigations and some data breach notifications; however, given how widely the tracking code was deployed, only a few hospitals and health systems have submitted breach reports and notified patients to date. The OCR bulletin will probably trigger a wave of breach notifications as organizations realize that their use of Meta Pixel and similar tracking code constitutes a HIPAA violation.

What are Tracking Technologies?

Tracking technologies are generally snippets of code placed on websites, web applications, and mobile apps to monitor user activity: which pages a visitor views, what they click, and what they do on the site. The data collected can be analyzed and used to improve the services offered through the website or app and to improve the user experience, which benefits patients. But although the HIPAA-covered entity gains useful information, there is also real potential for harm, because the data collected by these technologies is typically sent to the tracking vendor as well.

For example, if a female patient books an appointment on a healthcare provider’s website to discuss a pregnancy-related concern, the tracking technology on that page could transmit the information to the vendor, who could in turn share it with other third parties. That data could then be handed to authorities or other parties. Information a person enters on a website or web app may end up with a third party and be used for fraud, identity theft, extortion, harassment, or to spread misinformation.

In many cases, these tracking technologies are placed on websites and apps without users’ awareness, and it is often unclear how any shared data will be used by the vendor or to whom it will be passed on. Tracking technologies usually rely on cookies and web beacons that allow individuals to be followed across the web, so that even more data can be gathered about them and assembled into detailed profiles. When tracking code is used in mobile apps, it can also collect device-related data, such as demographic information tied to a unique identifier for that device, which can be used to identify the user.

Tracking Technologies Should Comply With HIPAA

HIPAA does not prohibit the use of tracking technologies, but the HIPAA Rules apply to the use of third-party tracking technologies:

  • when the tracking technology collects individually identifiable health information covered by HIPAA and that information is disclosed to a third party, whether the tracking vendor or anyone else
  • when the tracking technology collects any identifiers at all. OCR treats such identifiers as protected health information (PHI) because they connect the individual to the regulated entity, indicating that the person has received or will receive health care services or benefits from it, and therefore relate to the individual’s past, present, or future health care or payment for that care.

The risk of an impermissible PHI disclosure is greatest when tracking code is placed on patient portals or any other pages that require authentication, since those pages typically provide access to PHI. If tracking code is placed on such pages, it must be configured so that it uses and discloses PHI only as permitted by the HIPAA Privacy Rule, and any PHI it collects must be protected in accordance with the HIPAA Security Rule. The same applies to tracking technologies inside a HIPAA-covered entity’s mobile applications when they collect and transmit PHI. OCR states that HIPAA covers the mobile applications that a regulated entity itself offers; it does not apply to third-party apps that individuals voluntarily download, even where those apps collect and transmit health information.

The OCR bulletin states that when tracking technologies are used, the code provider, such as Google (Google Analytics) or Meta Platforms (Meta Pixel), is a business associate and must have a business associate agreement (BAA) in place with the HIPAA-covered entity before the code is added to a web page or application. The BAA must set out the vendor’s responsibilities for the PHI and define its permitted uses and disclosures. If the vendor has not signed a BAA, any PHI sent to it is an impermissible disclosure, so the code must not be used, or must be configured so that no PHI is collected or transmitted. OCR further states that a vendor’s promise to strip identifiers before storing or using the transferred data does not change the analysis: a BAA is still required, and the disclosure must still be one the HIPAA Privacy Rule permits.
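The appointment-booking scenario above and the requirement that tracking code be configured so no PHI is collected or transmitted are easier to reason about in code. The following is an added example written for this article, not code from OCR, Meta, Google, or any vendor SDK. It contrasts what a page-view beacon left on its defaults can carry off a booking page with a minimizing wrapper placed between the page and the vendor snippet. The page objects, the PHI key list, the allow-list of public paths, and the beacon field names (dl, dt, dr, cd) are all constructed assumptions for the example; the send step is simulated and nothing leaves the process.

```javascript
// Added example (not from the HHS bulletin or any vendor SDK). Models what a
// page-view beacon can carry from an appointment-booking page, and a wrapper
// that minimizes the payload before anything is handed to a tracking vendor.
// Runs under Node; all inputs below are constructed sample data.

// Assumption: only these public paths may ever be reported to a vendor.
const PUBLIC_PATH_ALLOWLIST = new Set(["/", "/about", "/locations", "/careers"]);

// Assumption: parameter and form-field names that, on a healthcare site, identify
// a patient or a reason for care. A real deployment maintains its own list.
const PHI_KEY_RE = /^(mrn|patient|dob|name|first_name|last_name|email|phone|reason|diagnosis|specialty)$/i;

// Constructed sample: an authenticated booking page whose URL, title, referrer and
// form fields all carry individually identifiable information.
const bookingPage = {
  url: "https://portal.example-health.org/appointments/new?specialty=obstetrics&reason=pregnancy+concern&mrn=00123456",
  title: "Book appointment - Obstetrics - Jane Doe",
  referrer: "https://portal.example-health.org/patients/00123456/results",
  formFields: { first_name: "Jane", reason: "pregnancy concern", phone: "555-0100" },
  authenticated: true,
};

// Constructed sample: a public marketing page carrying only campaign parameters.
const publicPage = {
  url: "https://www.example-health.org/locations?utm_source=search&utm_campaign=spring",
  title: "Our locations",
  referrer: "https://www.example.com/",
  formFields: {},
  authenticated: false,
};

// What a vendor snippet on its defaults would send: the full URL including the
// query string, the document title, the referrer, and any form data it collects.
function naiveBeaconPayload(page) {
  return { dl: page.url, dt: page.title, dr: page.referrer, cd: { ...page.formFields } };
}

// Lists the parts of a beacon payload that look like PHI: query parameters and
// form fields with PHI-style names, and a referrer from a patient-specific path.
function phiBearingKeys(payload) {
  const hits = [];
  try {
    const u = new URL(payload.dl);
    for (const k of u.searchParams.keys()) if (PHI_KEY_RE.test(k)) hits.push(`dl.${k}`);
  } catch {
    // unparsable dl: nothing to inspect
  }
  if (payload.cd) for (const k of Object.keys(payload.cd)) if (PHI_KEY_RE.test(k)) hits.push(`cd.${k}`);
  if (payload.dr && /\/patients?\//i.test(payload.dr)) hits.push("dr");
  return hits;
}

// Minimizing wrapper: never fires on authenticated pages, reports only allow-listed
// public paths, strips the query string and fragment, and forwards no title,
// referrer or form data. Returns null when nothing should be sent.
function minimizedBeaconPayload(page) {
  if (page.authenticated) return null;
  let u;
  try { u = new URL(page.url); } catch { return null; }
  if (!PUBLIC_PATH_ALLOWLIST.has(u.pathname)) return null;
  const payload = { dl: `${u.origin}${u.pathname}` };
  // Defence in depth: refuse to send if the reduced payload still looks like PHI.
  return phiBearingKeys(payload).length === 0 ? payload : null;
}

// Simulated send. The endpoint is a placeholder; nothing is transmitted.
function sendBeacon(payload, endpoint = "https://tracker.example.invalid/collect") {
  if (payload === null) return { sent: false };
  return { sent: true, endpoint, body: JSON.stringify(payload) };
}

console.log("naive payload PHI keys:", phiBearingKeys(naiveBeaconPayload(bookingPage)));
console.log("booking page, minimized:", sendBeacon(minimizedBeaconPayload(bookingPage)));
console.log("public page, minimized:", sendBeacon(minimizedBeaconPayload(publicPage)));
```

The design choice worth noting is that the wrapper does not try to scrub PHI out of the full payload; it starts from nothing and adds back only an allow-listed path. Scrubbing would need a complete list of every place an identifier can appear (query strings, titles, referrers, form fields, fragments), and the page text shows how easily that list is incomplete. The phiBearingKeys check remains as a last line of defence and doubles as an audit routine for payloads captured from existing deployments.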

Other HIPAA violations are possible as well. Any PHI shared with a vendor must be consistent with the entity’s privacy policy and be reflected in its Notice of Privacy Practices, but merely mentioning the use of tracking technology in a Notice of Privacy Practices is not enough. Beyond the BAA, any disclosure of PHI for a purpose not expressly permitted by the HIPAA Privacy Rule requires a valid HIPAA authorization from the patient consenting to that disclosure. Website banners asking a visitor to accept cookies and web tracking technologies are not valid HIPAA authorizations.

Actions that HIPAA-Regulated Entities Must Undertake Right Away

HIPAA-regulated entities should read the bulletin carefully to make sure they fully understand how HIPAA applies to tracking technologies. They should also inventory and evaluate every tracking technology deployed on their web pages, web applications, and mobile apps to confirm that its use is HIPAA compliant. If they have not already been, website tracking technologies should be included in the entity’s risk analysis and risk management process.
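The evaluation step above starts with an inventory: which pages load which third-party scripts, and which of those pages sit behind authentication. The following is an added example written for this article, not a tool from OCR or any vendor. It scans constructed sample pages for third-party script loaders and known tracker initialization calls, and flags findings on authenticated routes. The first-party host list, the tracker signatures (loader hosts for Meta Pixel and Google Analytics/Tag Manager, and their inline init calls), and the sample routes and HTML are all assumptions for the example; a real run would feed it the entity’s own rendered pages.

```javascript
// Added example (not from the HHS bulletin or any vendor). A first-pass inventory
// of third-party scripts across a site's pages, flagging those on authenticated
// routes. Runs under Node; the pages below are constructed sample data.

// Assumption: the entity's own hosts; scripts from these are not third-party.
const FIRST_PARTY_HOSTS = new Set(["www.example-health.org", "portal.example-health.org"]);

// Signatures for two widely used trackers: loader host and inline init call.
// Extend with the entity's own findings; unknown third-party hosts are reported too.
const KNOWN_TRACKERS = [
  { name: "Meta Pixel", hostRe: /(^|\.)facebook\.net$/i, inlineRe: /\bfbq\s*\(\s*['"]init['"]/ },
  { name: "Google Analytics / Tag Manager",
    hostRe: /(^|\.)(googletagmanager\.com|google-analytics\.com)$/i,
    inlineRe: /\bgtag\s*\(\s*['"]config['"]/ },
];

// Constructed sample pages: a public home page, an authenticated appointments page
// carrying the Meta Pixel loader, and a public page with an unrecognized vendor.
const samplePages = [
  { route: "/", requiresAuth: false, html: `<html><head>
      <script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
      <script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}gtag('config','G-XXXXXXX');</script>
      </head><body>Welcome</body></html>` },
  { route: "/patient/appointments", requiresAuth: true, html: `<html><head>
      <script src="https://portal.example-health.org/static/app.js"></script>
      <script>!function(f,b,e,v,n,t,s){/* loader */}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');fbq('init','1234567890');fbq('track','PageView');</script>
      </head><body>Your appointments</body></html>` },
  { route: "/locations", requiresAuth: false, html: `<html><head>
      <script src="https://cdn.example-analytics.net/collect.js"></script>
      </head><body>Locations</body></html>` },
];

// Collects script URLs from src attributes and from absolute URLs embedded in
// inline script bodies (loader snippets usually pass the URL as a string).
function extractScriptUrls(html) {
  const urls = new Set();
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (src) urls.add(src[1]);
    const urlRe = /https?:\/\/[a-z0-9.-]+(?:\/[^\s'"<>)]*)?/gi;
    let u;
    while ((u = urlRe.exec(m[2])) !== null) urls.add(u[0]);
  }
  return [...urls];
}

// Null for first-party hosts; otherwise the matching tracker name or a generic label.
function classifyHost(host) {
  if (FIRST_PARTY_HOSTS.has(host)) return null;
  const known = KNOWN_TRACKERS.find((t) => t.hostRe.test(host));
  return { host, tracker: known ? known.name : "unknown third party" };
}

// One finding per third-party host on the page, plus inline init calls for trackers
// whose loader was not seen directly (for example delivered through a tag manager).
function scanPage(page) {
  const findings = new Map();
  for (const url of extractScriptUrls(page.html)) {
    let host;
    try { host = new URL(url).hostname; } catch { continue; } // relative src, skip
    const c = classifyHost(host);
    if (c) findings.set(host, { route: page.route, requiresAuth: page.requiresAuth, ...c, evidence: url });
  }
  for (const t of KNOWN_TRACKERS) {
    const alreadySeen = [...findings.values()].some((f) => f.tracker === t.name);
    if (!alreadySeen && t.inlineRe.test(page.html)) {
      findings.set(`inline:${t.name}`, { route: page.route, requiresAuth: page.requiresAuth,
        host: null, tracker: t.name, evidence: "inline init call" });
    }
  }
  return [...findings.values()];
}

function scanSite(pages) { return pages.flatMap(scanPage); }

// Findings on authenticated routes, where the page text puts the highest disclosure risk.
function needsReview(findings) { return findings.filter((f) => f.requiresAuth); }

console.table(scanSite(samplePages));
console.log("authenticated routes with third-party scripts:", needsReview(scanSite(samplePages)));
```

The scanner reports unrecognized third-party hosts rather than only named trackers, because the BAA question applies to any vendor receiving data, not just the two that made the news. It works on rendered HTML, so pages assembled client-side or through a tag manager should be captured after load (for example from a browser session) before being fed in; the inline-init check covers the common case where a tag manager injects the tracker without a visible loader URL.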

It is important to note that a tracking technology vendor that meets the HIPAA definition of a business associate is one regardless of whether a BAA has been signed. The missing BAA does not remove the obligation; it means every disclosure of PHI to that vendor is impermissible. A HIPAA-covered entity can face financial penalties and other sanctions when PHI is sent to a vendor without a signed BAA.

If the review finds that a HIPAA-regulated entity has used tracking technologies in a non-compliant way, now or in the past, the HIPAA Breach Notification Rule applies. Unless a documented risk assessment shows a low probability that the PHI was compromised, the entity must notify OCR and the individuals whose PHI was impermissibly disclosed, and, for breaches affecting more than 500 residents of a state, the media as well.