Byte-Size Privacy Concerns: Navigating the Health Implications of Digital

Kirsten Brueggemann

Associate Editor

Loyola University Chicago School of Law, JD 2025

The U.S. is tightening its regulation of online tracking technology, especially in relation to protected health information (PHI). The enforcement of the Health Insurance Portability and Accountability Act (HIPAA) falls under the jurisdiction of the Office for Civil Rights (OCR), which is part of the Department of Health and Human Services (HHS). In December 2022, the OCR issued a bulletin addressing the use of online tracking technologies by entities under its regulation. This guidance was further refined in March 2024 to improve understanding and compliance among regulated entities and to inform the public. These entities may not use tracking technologies in ways that lead to unauthorized disclosures of PHI to the vendors of those technologies. The HIPAA regulations apply whenever the information that regulated entities gather or share through tracking technologies includes PHI.

What is tracking technology?

Tracking technology is used to gather information about users or their actions during their interactions with a website or mobile application. OCR is particularly concerned with tracking technologies, such as cookies and fingerprinting scripts, that embed tracking code within websites and apps to capture information provided by users. These tracking technologies are typically developed and provided by third-party vendors, who receive the captured information directly, and the technologies may continue to capture information about users after they leave the website that embedded them. Some examples of information collected through online tracking technologies include an individual’s medical record number, home and email address, dates of appointments, IP address, and geographic location.

Who does this affect?

According to HIPAA, regulated entities are “covered entities” and “business associates.” These are entities that have a contractual relationship with a provider that allows for the sharing of PHI. These designations are important to ensure that the entities comply with the requirements of the HIPAA Rules to protect the privacy and security of health information and to provide individuals with rights regarding their health information. Further, regulated entities are required to provide breach notifications to affected individuals, the media, and the regulator regarding impermissible disclosures of PHI. This includes impermissible disclosures of PHI to tracking technology vendors that compromise the privacy and security of PHI. Because of the nature of PHI, an impermissible disclosure of unsecured PHI is presumed to be a breach unless the regulated entity can demonstrate a low probability that the PHI has been compromised.

Updates in recent guidelines 

In December 2023, HHS released a concept paper that outlined a cybersecurity strategy for the industry. The paper built on the National Cybersecurity Strategy President Biden released in 2022, focusing on strengthening resilience for hospitals, patients, and communities that are threatened by cyberattacks. This includes publishing new voluntary health care-specific cybersecurity performance goals, working with Congress to develop supports and incentives for domestic hospitals to improve cybersecurity, and increasing accountability and coordination within the health care industry. The voluntary cybersecurity performance goals include essential goals such as email security, basic cybersecurity training, strong encryption, revoking credentials, separate user and privileged accounts, and vendor/supplier cybersecurity requirements. The paper further outlines enhanced goals to help organizations improve their cybersecurity capabilities and “reach the next level of defense” against attacks. These enhanced goals include asset inventory, third-party vulnerability disclosure, third-party incident reporting, cybersecurity testing, cybersecurity mitigation, network segmentation, and centralized incident planning and preparedness.

Recent incidents

According to the OCR, cyber-attacks in the health care industry are on the rise, from 369 in 2018 to 712 in 2022. Further, there has been a 93% increase in large breaches and a 278% increase in breaches involving ransomware. A notable incident is the recent ransomware attack on Chicago’s Lurie Children’s Hospital. Lurie initiated an emergency preparedness plan that involved taking its phone, email, and Epic MyChart systems offline. The systems remained offline from January 31 to around mid-February, with clinicians regaining access to the electronic health records in MyChart at the beginning of March.

Recommended action steps

The bulletin is likely to raise concerns and could lead to an increase in complaints to the OCR, OCR investigations, and class action litigation related to these tracking technologies and their associated third parties. It is recommended that entities take the following steps to mitigate these risks: First, they should identify and evaluate the current use of online tracking technologies on their websites and mobile apps. Next, they need to analyze their current practices, compare them with the requirements set forth in the OCR bulletin, and conduct a risk analysis. If the decision is to continue using tracking technologies, entities should then consider reconfiguring these technologies to limit PHI disclosures on unauthenticated webpages. This may involve entering into Business Associate Agreements with tracking technology vendors and obtaining HIPAA-compliant authorization from individuals before deploying tracking technologies on authenticated webpages or mobile apps. By taking these proactive steps, entities can significantly reduce the risk of OCR complaints, investigations, and class action lawsuits related to tracking technology.
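The first recommended step, identifying which tracking technologies a site actually loads and what they might carry away, is something a compliance team can start with a simple inventory of third-party resources. The script below is an added example written for this article, not code from the article's author or from any regulator; it uses only the Python standard library. The HTML page is constructed, the vendor and clinic hostnames are placeholders, and the list of PHI-like query parameter names is an assumption chosen for illustration rather than any official list.

```python
"""Inventory third-party resources on a web page and flag query strings
that look as though they carry PHI-like fields.

Added example, not part of the original article. The sample HTML below is
constructed, the hostnames are placeholders, and PHI_LIKE_KEYS is an
assumed list for illustration; a real review would use the entity's own
data map and the vendor's documentation.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Assumed set of query-string keys whose presence in a request to a third
# party would warrant review under the OCR bulletin.
PHI_LIKE_KEYS = {"mrn", "patient_id", "appointment", "email", "dob"}


class ResourceCollector(HTMLParser):
    """Collects URLs from tags that cause the browser to contact another host."""

    WATCHED = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = self.WATCHED.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.urls.append(value)


def inventory(html, page_host):
    """Return findings for every resource loaded from a host other than page_host.

    Each finding is a tuple (url, host, phi_like_keys), where phi_like_keys is
    the sorted list of query-string keys that matched PHI_LIKE_KEYS.
    """
    parser = ResourceCollector()
    parser.feed(html)
    findings = []
    for url in parser.urls:
        parsed = urlparse(url)
        # Relative URLs and same-host resources are first-party; skip them.
        if not parsed.netloc or parsed.netloc == page_host:
            continue
        keys = sorted(k for k in parse_qs(parsed.query) if k.lower() in PHI_LIKE_KEYS)
        findings.append((url, parsed.netloc, keys))
    return findings


# Constructed sample page: one first-party stylesheet and script, plus an
# analytics tag, a tracking pixel and a chat widget from placeholder vendors.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://analytics.example-vendor.test/tag.js?id=UA-0000"></script>
</head><body>
<img src="https://pixels.example-vendor.test/px.gif?mrn=12345&amp;appointment=2024-03-01">
<script src="/static/app.js"></script>
<iframe src="https://chat.example-vendor.test/widget"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for url, host, keys in inventory(SAMPLE_HTML, "portal.example-clinic.test"):
        flag = "  <-- PHI-like parameters: " + ", ".join(keys) if keys else ""
        print(f"{host:35} {url}{flag}")
```

Run against the constructed page, the script lists three third-party hosts and flags the tracking pixel because its query string carries `mrn` and `appointment`. In practice the same inventory should be taken of authenticated pages as well, since the bulletin treats those as the higher-risk case, and each host it reports should be matched against the entity's list of Business Associate Agreements.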