**Important – The information covered in this article is not intended to be legal advice or counsel. You should not act or refrain from acting on the basis of any content included in this article regarding legal compliance without obtaining appropriate legal guidance. The contents of this article contain general information related to various laws and regulations, but may not reflect your current situation. In addition, applicable laws and regulations regularly change. This is particularly true with respect to data privacy laws and regulations. Therefore, any laws and regulations described or otherwise referenced in this article may not be current when you read the article or even at the time of publication. We disclaim all liability for actions you take or fail to take based on anything in this article. Any action you take or any action you refrain from taking based on the information in this article is entirely at your own discretion and risk.**
Data collected from websites and mobile applications is critical for optimizing user experience and marketing campaigns. For organizations in the healthcare space, however, using tracking technologies to collect that data has never been more fraught. Following the Bulletin on Tracking Technologies published in December 2022 by the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS), many of these organizations are left wondering whether it is even possible to conduct analytics on their digital properties or measure the effectiveness of their digital marketing campaigns.
Yes, it is possible. But healthcare organizations also need to be very mindful that proper protections are in place for any health-related information and that risks are mitigated where possible. The first step is understanding and documenting every tracking technology in use, removing any ‘unknown unknowns’.
Let’s explore a list of questions the OCR might ask when investigating the tracking technologies in use on a HIPAA-covered entity’s digital assets.
**List the name(s) of any and all third-party data tracking technology vendors or suppliers of web tracking services used.**
The first step is identifying every platform that collects data from your digital assets. While this should be a straightforward process, many organizations using advertising technologies have platforms piggybacking off (or loading through) other technologies already in place, so a platform that was never deliberately deployed can still be collecting data. Conducting an audit using a platform like Tag Inspector is helpful in identifying these types of behaviors.
This inventory of platforms forms the foundation for all additional tasks. It is critical to list every technology that collects and sends information so that nothing is inadvertently missed in the evaluation and review process.
**List the applications or platforms where third-party data tracking technology is implemented (examples: a web-based patient portal, informational websites, a mobile application, etc.).**
Here you will list the digital assets on which any of the platforms from the first question load and collect data. The purpose of this question is to identify whether tracking technologies are loading on assets likely to contain protected health information (PHI). For example, the OCR Bulletin specifically calls out “tracking on user-authenticated web pages” as likely to contain PHI. If tracking technologies are found loading on these types of assets (as opposed to something like an informational website), there is a higher risk of impermissible disclosure.
From the organization’s perspective, understanding these risks is what allows it to review its protections and ensure that no PHI is being impermissibly disclosed.
**Provide the details for how third-party data tracking technologies are implemented (examples: via an SDK in the application, a script in the source code of the page, via a Tag Management System). If via a Tag Management System, specify whether the instance is configured for client-side tagging or server-side tagging.**
With the rising popularity of server-side tag management, an end user has less and less visibility into exactly what data is being sent to third-party platforms, because the data leaves from the organization’s server rather than directly from the user’s browser. As a result, enforcement agencies are likely to ask for comprehensive documentation when this type of architecture is in place.
When implementing any data architecture, consider privacy and compliance requirements at the outset. Always document all data flows, as well as what is configured where and for what purpose.
**Provide the details of the third-party data tracking technology service provided by each vendor. Detail what data is transmitted to third-party data tracking technology vendor(s) or suppliers of web tracking services and for what purpose.**
Using the inventory of tracking technologies from the first question, detail all data collected by each platform, as well as the purpose for which that data is collected and used. It will likely be necessary to break collection and use down by each digital asset on which a technology loads, since different data may be collected on each. For example, if Google Analytics is in use, its configuration is likely to differ between an informational website and a patient portal.
Explicitly detailing the data collected and the purpose for collection allows an organization to identify any personal information and any health information that may be collected, and by which platforms. This informs the risk assessment as well as any specific action items for the modifications necessary to handle the sensitive data compliantly.
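As an added example (not from the original article), the inventory work behind the first four questions can be started from a capture of browser traffic: given (page, request) pairs exported from, for instance, a HAR file, the helper below groups third-party requests by vendor domain, records which assets each vendor loads on and which parameters it receives, and flags vendors that are sent the URL of an authenticated page. The first-party domain `hospital.example`, the `/portal/` path prefix, the vendor `ads.vendor-a.example` and all sample requests are constructed; the two real vendor request shapes are modelled on the Google Analytics and Meta Pixel collection endpoints with placeholder ids.

```python
from urllib.parse import parse_qs, urlparse

FIRST_PARTY = "hospital.example"        # constructed first-party domain
AUTHENTICATED_PREFIXES = ("/portal/",)  # constructed patient-portal path prefixes


def registrable_domain(host):
    """Collapse a hostname to its last two labels; coarse, but fine for an inventory."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inventory(observed):
    """Group third-party requests by vendor domain and rate each vendor.
    observed: (page_url, request_url) pairs captured in the browser, e.g. from a HAR file."""
    findings = {}
    for page_url, req_url in observed:
        page, req = urlparse(page_url), urlparse(req_url)
        vendor = registrable_domain(req.hostname or "")
        if vendor == FIRST_PARTY:
            continue  # calls to the organization's own servers are not a vendor disclosure
        params = parse_qs(req.query)  # decodes %-encoded values for us
        authenticated = page.path.startswith(AUTHENTICATED_PREFIXES)
        # A parameter echoing the page URL tells the vendor which page (and so which
        # service or condition) the user viewed; the bare "/" path is ignored.
        echoes_url = len(page.path) > 1 and any(page.path in v for vs in params.values() for v in vs)
        f = findings.setdefault(vendor, {"assets": set(), "params": set(),
                                         "authenticated": False, "echoes_page_url": False})
        f["assets"].add(page.path)
        f["params"].update(params)
        f["authenticated"] |= authenticated
        f["echoes_page_url"] |= echoes_url
    for f in findings.values():
        if f["authenticated"] and f["echoes_page_url"]:
            f["risk"] = "high"    # content of an authenticated page reaches the vendor
        elif f["authenticated"] or f["echoes_page_url"]:
            f["risk"] = "review"  # loads on the portal, or reports which public pages were viewed
        else:
            f["risk"] = "low"
    return findings


# Constructed sample capture of (page, request) pairs; shapes follow the GA4 and Meta Pixel endpoints.
SAMPLE_REQUESTS = [
    ("https://www.hospital.example/services/oncology",
     "https://www.google-analytics.com/g/collect?v=2&tid=G-PLACEHOLDER&dl=https%3A%2F%2Fwww.hospital.example%2Fservices%2Foncology"),
    ("https://www.hospital.example/portal/appointments/oncology",
     "https://www.facebook.com/tr?id=000000&ev=PageView&dl=https%3A%2F%2Fwww.hospital.example%2Fportal%2Fappointments%2Foncology"),
    ("https://www.hospital.example/portal/messages", "https://ads.vendor-a.example/pixel?id=123"),
    ("https://www.hospital.example/portal/messages", "https://www.hospital.example/api/session"),
]
```

Running `inventory(SAMPLE_REQUESTS)` rates facebook.com high (the portal page URL is disclosed), google-analytics.com and vendor-a.example review, and drops the first-party API call entirely.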
**List the date that each third-party data tracking technology vendor or supplier of web tracking services was first engaged, whether the technology is still in use, and if not, the date its use ended.**
It is important to understand when platforms were implemented and whether they are still actively in use. This allows an organization to understand where risks could have been present and whether they still apply.
**Provide a copy of the service agreement(s) and business associate agreement(s) in place with each third-party data tracking technology vendor(s) or supplier(s) of web tracking services.**
Contractual agreements are essential for understanding the purposes for which third parties will use any data provided to them, as well as the privacy and security safeguards they commit to.
Central to HIPAA compliance is the Business Associate Agreement (BAA), establishing a third-party technology vendor as a business associate and attesting that they have proper systems in place to ensure privacy and security. According to the OCR Bulletin, a BAA must be in place for the lawful disclosure of PHI. Make sure all relevant documentation is in place and available in the event of an investigation into data practices.
**Provide evidence that an evaluation was conducted after implementing third-party data tracking technology. Also include information documenting the process for the introduction of any tracking technologies that transmit PHI to the technology vendors or suppliers of web tracking services (examples: approval emails, review documentation, etc.).**
HIPAA requires the performance of a “periodic technical and nontechnical evaluation …” of any business associate’s security policies and procedures (45 C.F.R. § 164.308(a)(8)). For any tracking technology vendor on the website that collects PHI, it is critical to ensure an evaluation is conducted and documented. In addition to the evaluation, there should be an internal review process that documents the decision to approve each technology.
Both the evaluation (covering all aspects required by the regulation) and the decision process should be documented, so that the organization has a defensible position for the decisions it made in the event of an investigation.
**Was or is your organization disclosing PHI through the use of third-party data tracking technology such as Google Analytics or Meta/Facebook Pixel? If yes, identify what PHI is/was disclosed, to whom, and the date(s) of disclosure(s).**
Informed by the platform inventory and data assessments from the review processes above, an organization should be able to identify whether PHI has been disclosed to any third-party tracking technology, and over what period.
The OCR has specifically focused on data collection by Google Analytics and Meta/Facebook Pixel in its enforcement efforts. This is likely due to the prevalence of those platforms and to the data they collect automatically, which includes identifying information. Ensure that the usage of these platforms is reviewed and that the architecture is modified to reduce compliance risk where necessary.
**Provide documentation about your organization’s use of third-party data tracking tools for advertising purposes, including, but not limited to, information received by your organization concerning conversions, retargeting, and attribution relative to the third-party data tracking tools deployed on your website(s).**
Central to the OCR’s enforcement focus is the use of any data for advertising purposes. The misuse of PHI for targeting has the potential to significantly harm the data subject and is therefore of heightened concern. In addition, many advertising platforms hold a wealth of additional data about web users, which can make seemingly disparate data points identifiable.
When mapping data flows and defining the purpose for each third-party tracking technology, pay extra attention to any platform used for advertising. Review the architecture to ensure that no information which could reasonably be used to associate a health condition with an individual is made available. Document all technical and operational safeguards in place to ensure privacy protections, and be ready to make that documentation available in the event of an investigation.
**Describe whether data at rest and in transit for web applications is encrypted. Describe the procedure as well as the implementation date of the procedure.**
HIPAA requires implementing a mechanism to encrypt electronic PHI (ePHI) in motion, as well as to encrypt and decrypt ePHI at rest (45 C.F.R. § 164.312(a)(2)(iv) and § 164.312(e)(2)(ii)). Ensure these mechanisms are in place and documented, both in your first-party architecture for transmitting data to third parties and on the business associate’s side, covering their security practices once the data is within their systems.
The collection and use of user information and behavioral information on the owned digital assets of healthcare organizations is critical to the success of marketing and advertising efforts, and third-party technology providers are necessary to collect, activate, and analyze that data efficiently. Meanwhile, the protections and enforcement focus of federal agencies are important for protecting consumers’ health-related information and privacy. Protection and privacy do not have to be at odds with using technologies to accomplish business use cases; there just needs to be a heightened duty of care and a deliberate privacy strategy behind data and technology architectures. Understanding what is necessary to build a defensible position for that strategy is a great start, and the questions and requirements above will get you started down that path.