Updated Guidance Issued on the Use of Online Tracking Technologies by HIPAA-Covered Entities

The US Department of Health and Human Services has recently released new guidance on online tracking technologies for HIPAA-covered entities.

Online tracking technologies include scripts or code embedded within websites or mobile applications to collect user data for analysis. Such technologies offer insight into user behavior, yet their use in healthcare raises concerns about the privacy and security of protected health information.

This article considers:

• What is the HIPAA Privacy Rule?

• What is the Background to the HIPAA Guidance?

• What are the Key Milestones in the HIPAA Guidance?

  • Initial OCR Guidance (December 2022)

  • Joint OCR-FTC Letter (July 2023)

  • American Hospital Association Lawsuit (November 2023)

  • Updated OCR Guidance (March 2024)

• Key HIPAA Acronyms Explained

• How Did We Get Here?

• Jscrambler Client-Side Protection Platform

What is the HIPAA Privacy Rule?

Health Insurance Portability and Accountability Act came into being in August 1996. Part of the Act required the Secretary of the U.S. Department of Health and Human Services (HHS) to publicize standards for the electronic exchange, privacy, and security of health information.

After drafting proposals and a series of public consultations, privacy regulations around individually identifiable health information (IIHI) were published in final form in August 2002. 

Summarizing for brevity, the HIPAA Privacy Rule applies to "covered entities", namely health plans, healthcare clearinghouses, and any healthcare provider, who transmits health information in electronic form under HIPPA (Health Insurance Portability and Accountability Act). 

The Privacy Rule protects all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media. This is generally information about an individual’s past, present, or future health, the provision of or payment for healthcare. This information is known as protected health information (PHI) within the scope of the HIPAA Privacy Rule.

What is the Background to the HIPAA Guidance?

The US Department of Health and Human Services (HHS) is made up of a family of agencies, one of which is the Office for Civil Rights (OCR). Among other things, this agency ensures that individuals receiving services from HHS-conducted or -funded programs can trust the privacy and security of their health information.

In recent years, the OCR has issued and re-issued guidance around the use of online tracking technologies in the context of HIPAA. It has worked together with the Federal Trade Commission, the consumer-protection regulator to issue warning letters and see the legality of its guidance challenged.

Initial OCR Guidance (December 2022)

In December 2022, the OCR issued initial guidance on online tracking technologies under HIPAA Rules. In essence, the guidance confirmed that using third-party tracking technologies on websites, web, and mobile apps without a business associate agreement (BAA) in place was a HIPAA violation if the tracking technology collected and transmitted IIHI. Even with a BAA in pace, the use of such technologies may still violate HIPAA Rules.

The impetus for the December 2022 guidance was research conducted with the top 100 hospitals in the US. It showed that one-third had tracking codes on their websites, which transmitted user data to Meta (Facebook), Google, and others. In seven cases, the code had been added to password-protected patient portals. This made it likely that many more hospitals outside the sample had also transferred sensitive data without a BAA in place and without obtaining patient consent.

Joint OCR-FTC Letter (July 2023)

In July 2023, the OCR and Federal Trade Commission (FTC) sent a joint letter to around 130 hospitals and telehealth providers, warning them about the privacy and security risks of online tracking technologies. For example, if the information disclosed reveals health conditions, diagnoses, medications, medical treatments, frequency of visits to healthcare professionals, and so on. It referred to recent enforcement actions against digital healthcare platforms.

American Hospital Association Lawsuit (November 2023)

In November 2023, the American Hospital Association filed a lawsuit against the HHS and OCR over its December 2022 guidance on website tracking technologies. 

Such technologies are critical for analytics software, video technologies, translation and accessibility services, digital maps, etc on websites and apps. 

The American Hospital Association alleged “gross overreach by federal bureaucracy” and that the HHS rule “exceeds the government’s statutory and constitutional authority” and “harms the very people it purports to protect.”

Updated OCR Guidance (March 2024)

In March 2024, the OCR issued updated guidance on online tracking technologies under HIPAA Rules. This included additional examples of when tracking code can and cannot be used, tips for complying with HIPAA, and enforcement priorities.

In short, the guidance remains that regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI or any other violations of the HIPAA Rules. For example, disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures.

The OCR provides further clarification on different types of tracking technologies and how they work. It explains the difference between tracking on webpages, where login may or may not be required, and within mobile apps. 

For some web pages, the nature of the visit determines whether HIPAA applies. The guidance gives examples of a student researching a paper about oncology services and a patient seeking a second opinion about a brain tumor.

For the former, collecting and transmitting the student’s IP address and other personally identifiable information to third parties without a BAA is not a HIPAA violation, as no PHI is involved. For the latter, the transmission of the same data without a BAA would be a HIPAA violation, as the information would be classed as PHI.

How Did We Get Here?

The Internet was designed for sharing and collaboration not necessarily telemedicine, banking, and shopping. How web applications are built has also changed over time. The business intelligence has moved from web servers, owned and managed by companies, into the consumer web browser, powered by JavaScript, distributed APIs, and microservices.

As a result, any JavaScript running on a web page can access all data entered into form fields on that page. With no separation between different parts of the application, this makes healthcare data susceptible to HIPAA violations and/or client-side attacks. This is where criminals exploit vulnerabilities in a website’s code or infrastructure to harvest data. This goes by many names, including e-skimming, digital skimming, data skimming, and formjacking.

Jscrambler Client-Side Protection Platform

The Jscrambler Client-Side Protection Platform safeguards first-party JavaScript through state-of-the-art obfuscation and exclusive runtime protection.

Its fine-grained JavaScript behavioral analysis also mitigates threats and risks posed by third-party tags. It also complies with the new PCI DSS v4.0 standard for card data security. With Jscrambler, businesses adopt a unified, future-proof client-side security policy all while achieving compliance with emerging security standards.

Trusted by digital leaders from several industries, including healthcare, financial, and entertainment, Jscrambler gives businesses the freedom to innovate securely.

Feel free to connect with our client-side security experts to try our solutions to prevent digital skimming attacks.