Websites using data tracking and collection software risk potentially serious consequences under the Health Insurance Portability and Accountability Act of 1996, commonly referred to as “HIPAA.” In a Bulletin issued December 2022, the U.S. Department of Health and Human Services (HHS) cautioned against the use of cookies, and other data-collection software, that may result in unintended violations of HIPPA.

It is anticipated that the HHS Bulletin will apply to a wide array of healthcare and non-healthcare entities (including entities considered either a “Business Associate” or “Covered Entity” under HIPAA ). This alert is intended to ensure that all entities consider the potential impact of cookies and other tracking technologies when designing websites that interact with patients and drafting privacy and security policies.

Here are some key takeaways from the HHS Bulletin:

• Entities are regularly gathering healthcare data on their websites/mobile apps:
  • This includes businesses in the healthcare sector and non-healthcare sector;
  • The HHS Bulletin addresses data collection beyond instances where data is provided via patient treatment portals or similar websites;
  • The HHS Bulletin concerns those entities that routinely call on the services of third-party data-collection and tracking software (e.g., cookies) who may now need to consider this new HHS Bulletin and otherwise have nothing to do with healthcare operations.
• The HHS Bulletin sounds the alarm for entities to review whether their website tracking activities fall under the auspices of HIPAA:
  • If so, these entities need to ensure they are HIPAA compliant or if additional measures should be taken;
  • The execution of a Business Associate Agreement with third-party data collection entities may also be necessary.
• An illustrative example that the HHS Bulletin highlights:
  • Tracking technologies on a regulated entity’s unauthenticated webpage that addresses specific symptoms or health conditions, such as pregnancy or miscarriage, or that permits individuals to search for doctors or schedule appointments without entering credentials may have access to PHI [protected health information] in certain circumstances. For example, tracking technologies could collect an individual’s email address and/or IP address when the individual visits a regulated entity’s webpage to search for available appointments with a health care provider. In this example, the regulated entity is disclosing PHI to the tracking technology vendor, and thus the HIPAA Rules apply.

Companies routinely employ the use of data-collection and tracking software for their websites, mobile applications and portals. These data-sharing practices are subject to increased scrutiny and review, which is equally true in the healthcare space and non-health care space.

Most consumers are likely familiar with the concept of reviewing personal information (name, date of birth, etc.) on a website or portal; or inputting personal information in order to access patient portals and/or review their own medical records online. However, consumers and the companies that collect this data may be unaware that the tracking of an individual’s IP address, home or email address, or the scheduling of medical appointments may be deemed the collection of PHI.

This HHS Bulletin makes it clear that the collection of PHI may extend far beyond the use of routine treatment portals and healthcare applications. As a result, all businesses that may be collecting health-related PHI (even inadvertently) through website technologies need to consider a comprehensive approach to determine whether PHI is being collected.

One unintended effect of the HHS Bulletin is that it may be a valuable tool worth considering when contemplating a business transaction, merger, or acquisition. Particularly, when pursuing a business transaction with a Business Associate, third party data collector of PHI, or healthcare provider, the HHS Bulletin can be a reminder of why certain contractual protections should be considered.

Certain representations and warranties by the acquired business (i.e., the Business Associate or collector of PHI) may be helpful to ensure that it is in full compliance with HIPAA or that it actively reviews and updates its security measures designed to protect the collection of PHI. Alternatively, indemnification obligations may be fundamental if there are questions or uncertainties surrounding whether or not the acquired entity complied with HIPAA and data collection regulations – especially in light of the expanding scope of what PHI consists of.

Regardless of the reasoning, the negative impacts from improper data collection and sharing of PHI and HIPAA violations are significant and should be considered at the onset of any business transaction or when engaging a third-party data collector. The HHS Bulletin makes it clear that additional considerations must be given to the otherwise routine PHI collected online, via portals or mobile applications.

The takeaways within this alert cover only a portion of the full Bulletin that has been provided by HHS. Therefore, legal counsel and corporate leadership are encouraged to review the Bulletin in full on the HHS website. We anticipate that this is only the beginning of future guidance being released and the enforcement against improper collection of PHI, data sharing and the use of cookies.