On December 1, 2022, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), issued a Bulletin regarding the use of online tracking technologies (which includes other tracking technologies such as fingerprinting and by HIPAA covered entities and business associates). The Bulletin states (internal citations omitted), “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible of Protected Health Information (PHI) to tracking technology vendors or any other violations of the HIPAA Rules. For example, disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures. It is important to note that use of a cookie banner with a linked privacy policy is considered insufficient authorization under the HIPAA Privacy Rules. The full text of the Bulletin can be found here: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html
Website Tracking Technologies Can Introduce Big Risk
Companies have recognized information is an asset and have sought to gather as much information as possible about consumer behavior in order to drive growth. Some companies use third-party tracking tools such as pixels to track website activity. However, some of these tracking tools may collect and transfer to a third-party sensitive personal information which can run afoul of state privacy laws or HIPAA regulations.
What is a tracking pixel?
A pixel is a small snippet of code added to a website to gather information about a how website visitors use the website. While gathering this information is helpful for marketing purposes such as monitoring the success of an advertising campaign, personalizing a website visitor’s experience, or delivering targeted ads based on viewing history, they can also introduce risk if the information collected contains personal information or protected health information that is collected, stored, or transmitted to a third party without consent.
What is the risk?
Lawsuits have been filed across the United States related to the use of tracking technologies, including pixels, session replay, and chatbot. These suits allege violations of the HIPAA Privacy Rule, state privacy laws, and federal and state wiretapping laws. While the success of these suits has varied between jurisdictions, companies would be wise to examine whether and which tracking technologies are used on their websites, the information collected, and if the collected data is being transmitted to third parties.
Tracking pixels embedded in patient portals or telemedicine sites where users must log in are particularly problematic because they likely contain PHI; however, even content available through general searching may pose problems. The pixel may capture the user’s IP address, which can be linked to a specific individual or household and track the health care services the website visitor viewed, which may relate to the individual’s past, present, or future health or health care.
How to mitigate risk?
Companies may be unaware that third-party tracking tools are being used on their websites or may not know which ones. The first step is to understand what technologies are being used, what data is being collected, and for what purpose. If there a legitimate business need to collect the data, the data collected should be limited to only what is necessary to fulfill the business purpose. Companies should then ensure their privacy policies provide adequate disclosures. Health care organizations should take extra care to ensure that the use of third-party tracking tools does not violate HIPAA laws.
YES! PLEASE SIGN ME UP TO RECEIVE EMAIL ALERTS FROM OTHER GUNSTER PRACTICE AREAS.
This publication is for general information only. It is not legal advice, and legal counsel should be contacted before any action is taken that might be influenced by this publication.
About Gunster
Gunster, Florida’s law firm for business, provides full-service legal counsel to leading organizations and individuals from its 12 offices statewide. Established in 1925, the firm has expanded, diversified and evolved, but always with a singular focus: Florida and its clients’ stake in it. A magnet for business-savvy attorneys who embrace collaboration for the greatest advantage of clients, Gunster’s growth has not been at the expense of personalized service but because of it. The firm serves clients from its offices in Boca Raton, Fort Lauderdale, Jacksonville, Miami, Orlando, Palm Beach, Stuart, Tallahassee, Tampa, Vero Beach, and its headquarters in West Palm Beach. With over 240 attorneys and consultants, and more than 240 committed support staff, Gunster is ranked among the National Law Journal’s list of the 500 largest law firms and has been recognized as one of the Top 100 Diverse Law Firms by Law360. More information about its practice areas, offices and insider’s view newsletters is available at www.gunster.com.
