Key Takeaways | Do Cookies Collect PHI? A Deep Dive into the OCR Bulletin on Online Tracking Technologies

During this webinar on February 22, 2023, McDermott Partners Daniel Gottlieb, Amy Pimentel and Scott Weinstein were joined by Ankura Consulting Group Managing Director Emily Cohen to review the application of HIPAA to online tracking technologies and the recently released Office of Civil Rights (OCR) Bulletin.

Below are key takeaways from the discussion.

1. Regulatory and Litigation Landscape. The OCR issued a Bulletin titled, “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” on December 1, 2022, to discuss the obligations of HIPAA covered entities and business associates (regulated entities) when deploying online tracking technologies on their websites and mobile apps. The timing of this Bulletin is not a coincidence, as there have been several lawsuits and complaints alleging privacy violations and other misuses of personal information. The OCR began proactive “compliance reviews” of whether regulated entities have impermissibly disclosed protected health information (PHI) to third-party tracking technology vendors before issuance of the Bulletin, and the reviews are ongoing.
2. Cookies, Pixels and Online Tracking Technologies. It is important for regulated entities deploying tracking technologies on their websites and mobile apps to understand the following terms:
   1. Tracking technology is a script or code on a website or mobile app used to gather information about users as they interact with the website or mobile app (i.e., software programs for mobile devices).
   2. Cookies are files placed on a user’s device to customize a user’s browsing experience but can also be used to track a user’s activities.
   3. A web beacon or tracking pixel is a tiny graphic image (usually one pixel) placed on a webpage that allows the website owner or a third party to collect information regarding the use of the webpage that contains the web beacon.
   4. Session replay scripts record a user’s activities (e.g., mouse movements, clicks, and typing) when using a webpage or app.
   5. Fingerprinting uses a browser’s and/or device’s unique configurations and settings to track user activity.
3. Information Collected through Tracking Technology.There is typically a disconnect between what individuals think is being collected and what is actually being collected and shared with a third party through tracking technology. Unique identifiers, along with any other information collected by an app, enable third parties who receive the information to create individual profiles about each app user. The profiles are typically based on either a mobile device ID or an advertising ID, both of which are a unique string of numbers and letters assigned to a device that allows third parties to track user activity. The information that they track is typically the date the user visited a website, the user’s IP address or geographic location, and events such as whether the user entered data into a particular form field or clicked on a link on a website.
4. PHI Collected Online. Information collected online by a health care provider, health plan, health care clearinghouse or employer is considered PHI when it both:
   1. Relates to an individual’s past, present or future physical or mental health condition, the provision of health care to the individual, or the past, present or future payment for the provision of health care to the individual; and
   2. Identifies the individual or there is a reasonable basis to believe the information can be used to identify the individual.
5. HIPAA Compliance Obligations for Use and Disclosure of PHI Online. If a tracking technology collects, uses and/or discloses electronic PHI (ePHI), it must be implemented in accordance with the HIPAA Security Rule (Security Rule). OCR emphasizes that regulated entities should assess the use of tracking technologies in their security risk analysis and secure ePHI by implementing reasonable administrative, physical and technical safeguards in accordance with the Security Rule.
6. Risk of Compromise Assessments for PHI Disclosed to Tracking Technology Vendors. If a regulated entity discovers that it has disclosed PHI to a tracking technology vendor without an applicable Privacy Rule permission, it should evaluate whether the disclosure is a breach of unsecured PHI. If it is a breach, it would trigger breach reporting obligations to affected individuals, OCR and the media under the HIPAA Breach Notification Rule. In this circumstance, a breach means the acquisition, access, use or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI. Unless an exception applies, use or disclosure of a patient’s Unsecured PHI in violation of the Privacy Rule is presumed to be a breach unless the regulated entity demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment that considers at least four required factors.
7. Potential Next Steps for Regulated Entities. Regulated entities should consider following next steps:
   1. Identify their current cookies and other online tracking technologies;
   2. Identify individual identifiers and health information that is currently being collected;
   3. Determine whether information is PHI;
   4. Review contracts with tracking technology vendors, including business associate agreements;
   5. Conduct breach risk assessments for any impermissible disclosures of PHI to tracking technology vendors; and
   6. Establish a plan to proactively monitor and manage tracking technologies.