HIPAA and the use of online tracking technology

April 1, 2024

The Health Insurance Portability and Accountability Act (HIPAA) governs when and how allergists (and other health care clinicians) may store, transmit, use, and disclose individuals' protected health information (PHI). Specifically, the HIPAA Privacy Rule establishes federal standards governing the use and disclosure of PHI. The HIPAA Security Rule requires health care providers and their business associates to maintain technical, administrative, and physical safeguards that provide reasonable and appropriate protection for electronic PHI.

Tracking technologies

In December 2022, the Office for Civil Rights (OCR) issued guidance on the use of tracking technologies by HIPAA covered entities. Tracking technologies (e.g., cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts) collect information about how users interact with websites or mobile apps. The owner of the website or mobile app, or a third party, then analyzes that information to gain insights into users' online activities. OCR's concern is that tracking information could be misused to enable identity theft, stalking, or harassment.

The 2022 guidance stated that health care providers must comply with the HIPAA Rules when using tracking technologies. In particular, health care providers must ensure that any disclosure of PHI to a tracking technology vendor is limited to the minimum necessary to achieve the intended purpose.

HIPAA covered entities may only use tracking technologies if either:

  1. The HIPAA Privacy Rule permits the disclosure, and the covered entity has signed a business associate agreement (BAA) with the technology provider, or
  2. The covered entity has obtained valid consent from the individual.

It is not sufficient for a tracking technology vendor merely to agree to remove or de-identify the PHI it receives before saving it; the disclosure to the vendor has already occurred at that point. This guidance led many covered entities to avoid tracking technologies altogether, because technology providers rarely sign BAAs with health care providers and obtaining consent from individuals is difficult.

Last month OCR issued new guidance to clarify its previous policy, which otherwise remains largely unchanged. In the new guidance, OCR clarifies that the purpose of an individual's visit to a website is relevant in determining whether that person's IP address qualifies as PHI. If a person visits an allergist's website to obtain information about his or her own diagnosis or to seek treatment, the IP address collected during that visit is PHI.

However, if the same individual merely visits the webpage listing the practice's office hours, or is conducting independent research unrelated to his or her own medical condition, the IP address does not meet the definition of PHI.

In addition, the new guidance clarifies how a covered entity may obtain consent from individuals when no BAA is in place with the tracking technology provider. Proper consent can only be obtained through a valid HIPAA authorization, which means that pop-up banners asking a user to accept or reject cookies are insufficient.

Key takeaways and best practices for allergists

Allergists should understand that the purpose of an individual's visit to their website may determine whether the individual's IP address constitutes PHI. Because a website operator generally cannot tell why a given visitor has arrived, making this determination for each visit is nearly impossible, and allergists should err on the side of caution when using tracking technologies.

If allergists choose to use tracking technologies, they must do so through one of the following methods:

  1. Obtain a BAA with the provider of the tracking technology and ensure that there is an applicable Privacy Rule permission for the disclosure. Alternatively, an allergist may establish a BAA with another vendor, for example a Customer Data Platform vendor, that de-identifies the online tracking information and discloses only de-identified information to the tracking technology vendors; or
  2. Obtain valid consent from the patient in the form of a HIPAA authorization. A simple accept-or-reject cookie banner does not satisfy this requirement.

Allergists must address the use of tracking technologies in their Risk Analysis and Risk Management processes; a practical starting point is an inventory of which pages (including patient portal, appointment request, and symptom information pages) load which third-party scripts, and what data those scripts transmit. They must also implement the other administrative, physical, and technical safeguards required by the Security Rule (e.g., encrypting electronic PHI that is transmitted to the tracking technology vendor). Note that encryption in transit protects the data from interception; it does not by itself make an otherwise impermissible disclosure to the vendor permissible.

They must also provide breach notification to affected individuals, HHS, and, when applicable, the media when PHI is impermissibly disclosed to a tracking technology vendor, that is, when there is no Privacy Rule permission for the disclosure and no BAA with the vendor. In that circumstance, the disclosure is presumed to be a breach of unsecured PHI unless the allergist can demonstrate, through a documented risk assessment, that there is a low probability that the PHI has been compromised.