About a year ago, the Health and Human Services (HHS) Office for Civil Rights (OCR) provided updated guidance regarding the use of tracking technologies on websites and mobile apps and their implications for HIPAA compliance.
The issue came about because many healthcare organizations, like other businesses, used Meta’s pixel technology to collect user information to analyze data for things like marketing campaigns. The data collected was transmitted to Meta. However, Meta didn’t have a business associate agreement (BAA) and OCR considered the sharing of this data to be a HIPAA violation.
Their guidance for this covered not only pixels but also IP Address and location. According to OCR, “An IP Address or precise location constitutes ‘individually identifiable health information’ (IIHI) when it is collected through a patient’s use of a covered entity’s website or mobile app.”
The guidance states that the IP Address or precise location is also PHI because “when a regulated entity collects the individual’s IIHI through its website or mobile app, the information connects the individual to the regulated entity (i.e., it is indicative that the individual has received or will receive health care services or benefits from the covered entity.)”
This guidance is applicable to user-authenticated web pages, unauthenticated web pages, and mobile apps.
So, what does that mean for healthcare organizations?
Health systems need to take steps to mitigate the risk of non-compliance. That includes requiring vendors whose solutions collect IP addresses or precise location information to sign a BAA and to ensure that the data is secured in a HIPAA-compliant manner.
We recommend asking any vendors you already work with, or any you are vetting, who touch your website or mobile app a few simple questions:
- Will the vendor collect IP address or location data?
- Is that data secured in a HIPAA-compliant way?
- Can they sign a BAA to ensure HIPAA compliance?
One other issue to be aware of is the use of third-party solutions to create links or QR codes that promote an app or website. This is an easily missed source of potential non-compliance, because the link or QR-code service may itself record the IP address or location of anyone who follows the link. Be sure to ask any such vendor whether they can provide that capability in a HIPAA-compliant way.
If you are looking to dive into this topic further, read this interview on Swaay.health with Matt Fisher, who is an expert in healthcare law, and Matt’s own article on tracking technologies in healthcare.