Shading the Gray for Tracking

By Matt Fisher, Healthcare Attorney
LinkedIn: Matthew Fisher
X: @matt_r_fisher
Host of Healthcare de Jure (#HCdeJure)

The use of tracking technology in healthcare continues to garner a lot of attention. The issue first came to the fore in 2022 following an exposé that found Meta Pixel embedded, often in several different places, on the websites of many hospitals and health systems across the country. Since that initial revelation about the scope of tracking technology deployment, a lot of action has occurred on a variety of fronts, much of it pushing the view that tracking should not be done at all and will only cause headaches.

The First Response: OCR Guidance

After the initial outcry from the report, and the class action lawsuits then filed across the country, the Office for Civil Rights (OCR) put its stake in the ground on how tracking technology interacts with HIPAA. Distilled down, OCR takes a fairly dim view of tracking technology and asserts that almost all information collected through it is protected by HIPAA. What are the specific details, though?

The first component of the guidance defines tracking technology and the information it collects. Briefly, tracking technology (cookies, web beacons or tracking pixels, session replay scripts, fingerprinting scripts, and similar code) can be embedded in websites or mobile applications. It can capture information such as an IP address, navigation behavior, link clicks, screen taps, and more. It can be placed in any area of a website or application, and where it is placed affects the scope of information that will be captured.

After defining what tracking technology does, OCR went on to distinguish between the areas of a website or application where the tracking technology can be found. The two areas can be broadly defined as user-authenticated areas and unauthenticated pages. The user-authenticated areas require a login or other credential to enter. Those areas almost certainly contain information subject to HIPAA because it is clear that a relationship exists between the user of the website or mobile application and the healthcare entity. On the other hand, unauthenticated webpages are the general, public-facing parts of the website that anyone can visit, such as pages providing information about the organization or helpful information about healthcare issues. Tracking on mobile applications is treated similarly, though the distinguishing characteristic for an application is whether it is provided by the covered entity or acquired by the patient user on their own.

Assuming that the information collected by the tracking technology is subject to HIPAA, the organization using the tracking technology needs an appropriate relationship with the developer of the tracking technology. That rests on the premise that the developer will have access to and/or receive the information collected. An appropriate relationship is the fancy way of saying that a covered entity to business associate relationship exists, which requires putting a business associate agreement (BAA) into place. If a BAA is in place, it is also important to confirm that the developer actually complies with HIPAA and is not just signing the BAA to get the business. Finding a tracking technology developer that actually complies with HIPAA may limit the number of choices, but it is a better option than sticking one's head in the sand and hoping that nothing is ever found.

All of that can be avoided if the developer never receives the collected data. If the collected data stays internal to the covered entity, then that likely removes the business associate concerns. A business associate only exists if the entity provides a service on behalf of or for the benefit of a covered entity and interacts with protected health information. If no PHI interaction occurs, then the provision of the service likely does not fall under HIPAA. In practice, "stays internal" means a self-hosted, first-party collection setup; a script loaded from the vendor's servers that posts events back to the vendor does not qualify, regardless of what the vendor's dashboard or contract says about data use.

The final scenario is a service is provided and the tracked information received, but the developer will not sign a BAA. In that instance, the developer should not be used if PHI will be collected.

What scope of information collected by tracking technology is PHI, though? As suggested, OCR's guidance tries to assert that almost everything swept up by tracking technology could be PHI. For example, OCR views the collection of an IP address together with information about which pages of a website were visited, even in the unauthenticated portions, as potentially PHI. The analysis goes that PHI is individually identifiable health information, meaning information that relates to an individual's past, present, or future health, the provision of health care, or payment for care. OCR believes that applies even when there is no existing relationship between the healthcare organization and the individual visiting the webpage. From OCR's perspective, navigating to a specific section of a website indicates a potential interest in receiving those services or otherwise initiating a relationship. Is that a step too far? That is the open question. Going from that example and as already stated, OCR tries to sweep pretty much all of the information caught by tracking technology under the definition of PHI and thus subject to HIPAA.

A final, somewhat editorial comment about the guidance. Guidance issued by an agency is not legally binding. Guidance does not go through the formal notice and comment process required for a regulation. That means guidance is really a notice of an agency's intent or perspective on how it will interpret and apply its regulations. As such, it can very much be subject to challenge and does not necessarily receive deference if the issue is presented to a court.

The Second Response: AHA Pushes Back

Months after OCR issued its guidance, the American Hospital Association (AHA) offered its perspective. The AHA's response centered largely on OCR's claim that collecting an IP address along with website behavior is sufficient to make the information PHI. The AHA took aim at the guidance language that treats the information as PHI even when the individual has no relationship with the healthcare organization.

The response explained that hospitals and health systems have been identified by the Centers for Disease Control and Prevention and other government agencies as trusted sources of accurate healthcare information. That means individuals have been specifically directed to hospital websites to get information about specific diseases or conditions. Some of the larger health systems have earned reputations in that regard and make information generally available regardless of whether a treating relationship could ever be created. Coming from a different angle, the AHA also pointed out that a visit to the website could be to look up visiting hours or other information completely unrelated to receiving a healthcare service. From that perspective, the AHA asserted that an IP address alone should not be enough to constitute PHI and called for OCR to rescind the guidance.

The Third Response: A Court Decision

Taking up the editorial comment at the end of the discussion of OCR's guidance, a court recently offered its point of view. The court was not directly considering whether a HIPAA violation occurred, which should be an obvious point because HIPAA does not provide a private right of action. However, HIPAA was being used as a standard to assert a violation of other obligations, which meant that the parties bringing the claim pointed to OCR's guidance as support for the claim that the use of tracking technology was not permissible.

Since OCR's guidance was advanced in support of a position, the court offered its commentary on the scope of the guidance. In particular, the court questioned whether OCR's interpretation of website metadata fit within the statutory definition of individually identifiable health information. The court focused on the parts of the definition relating to the actual health or condition of an individual and to the provision of healthcare. The court went on to say that while it was possible for such information to be disclosed through the use of a website, the particulars of the situation would need to be sufficiently pled to establish that claim. A broad-brush statement that a website was used, without identifying what information was actually exchanged, could not support the claim.

The focus on the lack of specifics may offer more of a clue into the court’s ruling. However, the open questioning of OCR’s interpretation does show that a challenge in court could bear fruit.

Is Tracking Ok, or Not?

The question that remains is whether tracking technology is ok. The answer, as all good legal answers usually are, is that it depends. The specific facts and circumstances of a situation will determine whether the proposed tracking is acceptable. There are certain things to keep in mind though that can help calculate and manage the risk.

First, actually conduct an assessment of what, if any, tracking is currently happening. It is often far too easy to put technology into place or activate it without fully understanding what it does. That arguably may have been what happened in the first place with the tracking technology, but the clear warnings since then remove any ability to say "I didn't know." The assessment should consider what technology is deployed, what the technology does, what information it collects, who receives the information, and how the information is being used. It should look at what the browser or app actually loads and transmits, not just what the web team believes is configured, since tag managers can inject additional tags without any change to the site's code.

Once the assessment is completed, an organization can make a more informed decision about what to do. Maybe it isn't necessary to collect all of the information. In that instance, the organization could reduce the scope of what is collected, for example by keeping tags off authenticated pages entirely or by not sending page URLs and form contents from condition-specific pages, which in turn could move the needle fully into, or at least closer to, a zone of safety under HIPAA or other applicable regulations. Aside from the scope of what is collected, it could also be possible to change which developer is used for the tracking technology, specifically choosing one that will sign and comply with a BAA, which alleviates the HIPAA issue to a large degree.

Further, ongoing assessments should occur around the use of the tracking technology. It is not enough to review it only when it is first put into use. Circumstances always change and evolve. There is also the compliance component: the HIPAA Security Rule requires a risk analysis that is reviewed and updated periodically, which most organizations do at least annually. Since the tracking technology could capture PHI, it should always be a part of that risk analysis.
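As an added illustration of the assessment steps above, and not part of the original article, here is a small Python script that inventories known tracking scripts across a set of pages, notes which pages sit in a login-gated area, and assigns a review priority. The tracker host list, the authenticated path prefix, and the sample pages are constructed assumptions; the Meta Pixel detection relies on the pixel's publicly documented bootstrap, which loads fbevents.js from connect.facebook.net and calls fbq('init', ...).

```python
# Added example (not from the original article): inventory known tracking
# scripts across a set of pages and flag those in authenticated areas.
# Tracker hosts, path prefixes and sample pages are constructed assumptions.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Starter list of script hosts that ship data to a third party (assumption:
# extend with whatever your own tag manager and vendors actually load).
KNOWN_TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.googletagmanager.com": "Google Tag Manager",
    "www.google-analytics.com": "Google Analytics",
}

# Inline bootstrap calls: the Meta Pixel snippet calls fbq('init', <id>),
# gtag-based Google tags call gtag('config', <id>).
INLINE_PATTERNS = {
    "Meta Pixel": re.compile(r"\bfbq\(\s*['\"]init['\"]"),
    "Google Analytics": re.compile(r"\bgtag\(\s*['\"]config['\"]"),
}

# Assumption: anything under these prefixes requires a login (OCR's
# "user-authenticated" area of the site).
AUTHENTICATED_PREFIXES = ("/patient-portal/",)


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from one page."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._buf = None  # accumulates the body of the current inline script

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def _host_of(url):
    # urlparse handles absolute and protocol-relative ("//host/path") URLs
    return (urlparse(url).hostname or "").lower()


def find_trackers(html):
    """Return the sorted names of known trackers referenced by one page."""
    parser = _ScriptCollector()
    parser.feed(html)
    found = set()
    for src in parser.srcs:
        name = KNOWN_TRACKER_HOSTS.get(_host_of(src))
        if name:
            found.add(name)
    for body in parser.inline:
        # The Meta Pixel loader injects fbevents.js from inline JS, so the
        # host shows up in script text rather than in a src attribute.
        for host, name in KNOWN_TRACKER_HOSTS.items():
            if host in body:
                found.add(name)
        for name, pattern in INLINE_PATTERNS.items():
            if pattern.search(body):
                found.add(name)
    return sorted(found)


def inventory(pages, authenticated_prefixes=AUTHENTICATED_PREFIXES):
    """Map each page to its trackers and a review priority.

    'urgent' = tracker inside a login-gated area (almost certainly PHI);
    'review' = tracker on a public page (OCR may still treat it as PHI);
    'none'   = nothing known was found.
    """
    rows = []
    for path, html in sorted(pages.items()):
        authenticated = any(path.startswith(p) for p in authenticated_prefixes)
        trackers = find_trackers(html)
        if trackers and authenticated:
            priority = "urgent"
        elif trackers:
            priority = "review"
        else:
            priority = "none"
        rows.append({"path": path, "authenticated": authenticated,
                     "trackers": trackers, "priority": priority})
    return rows


# Constructed sample pages; ids such as 0000000000 are placeholders.
_PIXEL_LOADER = ('!function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){'
                 'n.callMethod?n.callMethod.apply(n,arguments):n.queue.push(arguments)};'
                 't=b.createElement(e);t.async=!0;t.src=v;s=b.getElementsByTagName(e)[0];'
                 's.parentNode.insertBefore(t,s)}(window,document,"script",'
                 '"https://connect.facebook.net/en_US/fbevents.js");')
SAMPLE_PAGES = {
    "/": '<html><head><script async src="https://www.googletagmanager.com/'
         'gtm.js?id=GTM-0000000"></script></head><body>Welcome</body></html>',
    "/conditions/diabetes": '<html><head><script>' + _PIXEL_LOADER +
         'fbq("init","0000000000");fbq("track","PageView");'
         '</script></head><body>About diabetes</body></html>',
    "/patient-portal/appointments": '<html><head><script src="//connect.facebook.net/'
         'en_US/fbevents.js"></script><script>fbq("init","0000000000");'
         'fbq("track","PageView");</script></head><body>Your appointments</body></html>',
    "/visiting-hours": '<html><body>Visiting hours are 8am to 8pm.</body></html>',
}

if __name__ == "__main__":
    for row in inventory(SAMPLE_PAGES):
        print(f'{row["priority"]:6}  {row["path"]:32}  {", ".join(row["trackers"]) or "-"}')
```

Run against real pages by fetching the HTML of each URL in the site map into the `pages` dictionary. A static scan only sees tags present in the served HTML; tags injected at runtime by a tag manager, and the actual events each tag sends, only show up in a browser network capture (for example a HAR file), so pair this inventory with one before concluding that a page is clean.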

What all of the assessment underscores is that tracking technology is not verboten. Using tracking technology does call for well thought out and considered use, though, which arguably applies to the use of most if not all technology in healthcare. The headlines, class action lawsuits, and OCR guidance are all various forms of a wake-up call. With that siren sounding, now is the time to conduct a good assessment and bring practices up to speed.

This article was originally published on The Pulse blog and is republished here with permission.