Tracking Technology Guidance for HIPAA-regulated Entities

Protected Health Information and Tracking Technologies

The US Department of Health and Human Services Office for Civil Rights has provided guidance about the use of tracking technologies on digital content that could qualify as health information. Tracking technologies can include web analytics, like Google Analytics, digital advertising platforms and other technologies that place cookies, beacons or tracking pixels on a website or mobile app.

The HHS guidance states that HIPAA “regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of protected health information (PHI) to tracking technology vendors or any other violations of the HIPAA Rules.”

In this context, PHI includes not only personally identifiable information (PII) such as an email address or IP address, but also behavioral data such as which pages a user visits. The guidance states that “tracking technologies could collect an individual’s email address and/or IP address when the individual visits a regulated entity’s webpage to search for available appointments with a health care provider. In this example, the regulated entity is disclosing PHI to the tracking technology vendor, and thus the HIPAA Rules apply.”

Most web analytics and digital advertising platforms collect IP addresses or other PII. Any tracking technology on a HIPAA-covered entity’s website therefore requires ensuring that any PHI in the collected data is shared in a HIPAA-compliant way.

Recommendations

Remove all tracking technologies, including Google Analytics, from any web content or app that is or could be regulated by HIPAA. Any web analytics, ads or other tracking data that is collected must be stored and shared in a HIPAA-compliant manner. Providers of the tracking technology must be willing to sign a Business Associate Agreement with Tulane University that outlines requirements for data handling and HIPAA compliance.
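As an added check (example code, not part of Tulane’s guidance), the following Python scanner flags common tracking-technology signatures in a page’s HTML so that regulated pages can be audited for leftover tags; the tracker patterns and the sample appointment-search page are constructed for this example.

```python
import re
from html.parser import HTMLParser

# Constructed signature list: the page names Google Analytics; the loader URLs
# below are the public gtag.js / analytics.js / GTM script locations.
TRACKER_PATTERNS = {
    "Google Analytics (gtag.js)": re.compile(r"googletagmanager\.com/gtag/js", re.I),
    "Google Analytics (analytics.js)": re.compile(r"google-analytics\.com/analytics\.js", re.I),
    "Google Tag Manager": re.compile(r"googletagmanager\.com/gtm\.js", re.I),
    "Inline GA snippet": re.compile(r"\b(gtag|ga)\s*\(\s*['\"](config|create|js)", re.I),
}

class TrackerScanner(HTMLParser):
    """Inspect script sources, inline script bodies and 1x1 external images."""
    def __init__(self):
        super().__init__()
        self.findings = []      # list of (tracker name, evidence)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._match("script src", a.get("src") or "")
        elif tag == "img":
            # A 1x1 image loaded from another host is the classic tracking pixel/beacon.
            src = a.get("src") or ""
            tiny = a.get("width") == "1" and a.get("height") == "1"
            if tiny and src.startswith(("http://", "https://", "//")):
                self.findings.append(("Tracking pixel (1x1 external img)", src))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._match("inline script", data)

    def _match(self, where, text):
        for name, pat in TRACKER_PATTERNS.items():
            if pat.search(text):
                self.findings.append((name, f"{where}: {text.strip()[:80]}"))

def scan_html(html):
    """Return the list of (tracker name, evidence) found in one page's HTML."""
    scanner = TrackerScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample: an appointment-search page carrying a GA tag and a pixel.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js', new Date()); gtag('config', 'G-EXAMPLE');</script>
</head><body><h1>Find an appointment</h1>
<img src="https://tracker.example/pixel.gif" width="1" height="1" alt="">
</body></html>"""

if __name__ == "__main__":
    for name, evidence in scan_html(SAMPLE_HTML):
        print(f"{name}: {evidence}")
```

Run it over the HTML of each page in scope (e.g. fetched with a crawler) and treat any finding as a page that still needs the tracker removed or covered by a Business Associate Agreement.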

Tulane’s Office of the General Counsel, Information Security Office, and Office of University Communications and Marketing continuously review technologies in use at the university as well as relevant laws, guidelines and recommendations for privacy regulation compliance. If you have questions about tracking technologies or privacy compliance, please submit a request through the UCM Support Request Form.

Resources