Blog February 26, 2024
Beyond Cookies: Patient Privacy, Online Tracking, and HIPAA Compliance Strategies


The fusion of digital technologies with medical service delivery has emerged as both a boon and a challenge, particularly concerning safeguarding patient privacy. At the heart of this evolution is the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which mandates rigorous protections for health information. This legislative framework, designed to secure the confidentiality and integrity of healthcare data, faces new tests as online tracking technologies become integral to enhancing patient services.


The proliferation of digital tools in healthcare—marked by the pervasive use of cookies and other website tracking mechanisms—brings complex compliance demands under HIPAA to light. These technologies, pivotal for customizing and enhancing user experiences, tread a fine line when they encounter Protected Health Information (PHI). The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS), alongside the Federal Trade Commission (FTC), has helped to delineate the contours of legal compliance for the digital engagements of healthcare entities. Their guidance and enforcement actions spotlight the nexus of privacy regulation and technological advancement.


A case in point is the action taken against GoodRx, a platform at the intersection of telehealth and prescription drug discounting. This instance is a stark reminder of the regulatory vigilance awaiting digital health practices that stray from compliance pathways. GoodRx’s experience underlines the tangible repercussions of operating in the digital health ecosystem without due adherence to established privacy standards.


Section 2: OCR’s Stance on Online Tracking Technologies

The OCR has articulated clear guidance regarding the use of online tracking technologies by entities regulated under HIPAA. This guidance addresses the obligations of HIPAA-covered entities in deploying technologies like Google Analytics and Meta Pixel, which gather and assess user interactions on websites or mobile apps. The OCR emphasizes that employing such technologies must not lead to unauthorized disclosures of PHI.


For HIPAA-covered entities, ensuring compliance involves meticulously adhering to the HIPAA Privacy Rule, particularly where PHI is disclosed to vendors of tracking technology. The OCR mandates that such disclosures must be explicitly permitted under the Privacy Rule, and that only the minimum necessary PHI to fulfill the intended purpose is shared. The guidance further specifies that reliance solely on privacy policies, notices, or terms is insufficient for justifying PHI disclosures to tracking technology vendors. Instead, a comprehensive approach requires that all such vendors have executed Business Associate Agreements (BAAs), so that an applicable Privacy Rule permission is in place before any PHI is disclosed. Where a vendor is not a business associate, or no appropriate Privacy Rule permission applies, HIPAA-compliant authorizations must be obtained from individuals before any PHI can be disclosed.


This section of the OCR’s guidance underscores the nuanced responsibilities placed upon HIPAA-regulated entities in the digital realm. It highlights the need for covered entities to navigate these obligations with due diligence, ensuring that interactions with tracking technology vendors are conducted within the legal boundaries established by HIPAA.


Section 3: Tracking Technology Tools, HIPAA Implications, and Patient Care

The deployment of tracking technologies in healthcare websites and applications introduces complex challenges in managing PHI within the HIPAA framework. The OCR delineates practical guidelines on how data collected via these technologies—distinguishing between authenticated (logged-in) and unauthenticated (public) web pages—must be managed to comply with HIPAA. This differentiation is pivotal, emphasizing the necessity for healthcare entities to meticulously identify data that constitutes PHI and ensure its appropriate handling.


Enhancing Patient Engagement and Care Through Technology

Digital advancements have revolutionized patient engagement and healthcare delivery, offering enhanced opportunities for patient care optimization:

Personalized Patient Experiences: Leveraging patient preferences and behavior data, digital platforms facilitate tailored health information and engagement strategies. This personalization supports improved treatment adherence and health outcomes.

Streamlined Care Coordination: Digital tools have significantly improved communication channels between patients, providers, and healthcare teams, which is especially important for multidisciplinary patient care.

Privacy Considerations: While these technologies provide substantial benefits, they also raise privacy concerns. Ensuring the security of patient information against unauthorized access or misuse is paramount, requiring stringent privacy and security measures compliant with HIPAA regulations.


Cookie Tracking Companies as Business Associates

With the evolution of digital health technologies, cookie-tracking companies increasingly handle PHI, which may make them Business Associates under HIPAA. This designation triggers specific compliance requirements:

Analytics and PHI: When cookie tracking analytics involve PHI, these companies must conform to HIPAA’s privacy and security mandates, underlining the necessity for BAAs.


Personalization Efforts and Privacy: Personalizing patient experiences on healthcare platforms using PHI demands careful navigation of HIPAA compliance, ensuring the protection of patient information.


Marketing Activities: Marketing efforts using cookie-tracking technologies that process PHI illustrate the role of these companies as Business Associates, requiring adherence to HIPAA’s stringent standards to safeguard patient data.


Impact of Online Tracking on Patient Privacy and Trust

Utilizing online tracking technologies, while beneficial for enhancing healthcare services and operational efficiency, introduces significant privacy challenges. Balancing the advantages of digital health technologies with the imperative to protect patient privacy is important for maintaining trust in the healthcare system.


Integrating tracking technologies into healthcare necessitates a balanced approach, prioritizing patient-centered designs, privacy considerations, and adherence to HIPAA guidelines. By embracing these principles, healthcare providers can leverage digital advancements to enrich patient care and engagement while ensuring strong privacy protections.


Section 4: Legal Challenges and the Implications of the GoodRx Case

The legal landscape surrounding digital health privacy is increasingly complex, highlighted by the American Hospital Association’s (AHA) challenge to the OCR’s guidance and the significant enforcement action against GoodRx. These instances reveal the evolving challenges and regulatory responses at the intersection of healthcare delivery and digital technology.


AHA’s Challenge to OCR Guidance

The AHA’s legal challenge against the HHS-OCR guidance underscores a dialogue on the breadth of PHI definitions in the age of digital technology. The AHA argues that the OCR’s December 2022 guidance, broadly classifying digital identifiers like IP addresses as PHI, could severely limit healthcare entities’ ability to utilize essential digital tools. These tools are necessary for analyzing web presence, extending patient outreach, and ensuring the accessibility of health information, especially to underserved communities.


Concerns Raised by the AHA:

Broad Definition of PHI: The AHA contends that including digital metadata such as IP addresses within the scope of PHI could unnecessarily restrict the use of digital analytics tools that enhance patient services and information dissemination.


Impact on Accessibility: The guidance’s broad interpretation may obstruct the flow of accurate and accessible health information online, potentially limiting the effectiveness of digital health initiatives aimed at improving patient care.


Legal and Regulatory Overreach: The lawsuit suggests that the OCR guidance may exceed the statutory authority of the HHS, challenging its development process for lacking adequate public input and consultation with healthcare providers, and raising concerns about potential First Amendment implications.


The GoodRx Case: An Enforcement Precedent

GoodRx Holdings Inc., a telehealth and prescription drug discount provider, found itself at the center of regulatory scrutiny for sharing consumers’ PHI with third-party advertising and analytics services, including but not limited to Facebook and Google. At issue was the unauthorized disclosure of sensitive health information without consumer consent.


The FTC’s enforcement action against GoodRx was groundbreaking as it was the first application of the Health Breach Notification Rule in this context. This rule requires certain health apps and connected device companies that are not regulated under HIPAA to notify consumers and others when their health data is disclosed without authorization.


The FTC found that GoodRx had failed to notify consumers and relevant parties of these unauthorized disclosures, directly violating the Health Breach Notification Rule. Consequently, GoodRx agreed to a settlement that included a $1.5 million penalty. The company was required to implement comprehensive changes to its data privacy practices, notably ceasing the sharing of health information with third parties for advertising purposes without obtaining explicit user consent.


GoodRx framed these changes as part of a broader initiative to enhance its data privacy practices and align with regulatory expectations. The company’s efforts to address the identified issues proactively highlight the importance of compliance with privacy laws in the digital health sector.


The GoodRx settlement serves as a cautionary tale for covered entities and their business associates, including cookie-tracking companies and other digital service providers working within the healthcare sector. It elucidates the legal and ethical imperatives of adhering to privacy regulations and obtaining necessary consumer consent, and the role of Business Associate Agreements in delineating responsibilities for PHI handling.


Implications for Healthcare Entities:

The GoodRx settlement and the AHA’s legal challenge collectively highlight the nuanced regulatory environment surrounding digital health privacy. These cases emphasize the importance for covered entities and their business associates, including digital service providers like cookie-tracking companies, to:

Ensure Clear Consent Mechanisms: Obtain explicit user consent before sharing health information with third parties for advertising or analytics purposes.


Adhere to Privacy Regulations: Rigorously comply with privacy laws and regulations, understanding the implications of broad PHI definitions on digital health practices.


Implement Robust Data Protection Measures: Strengthen privacy and security measures to protect PHI, particularly in digital interactions and online tracking technologies.


The evolving discourse on digital health privacy, illustrated by the AHA’s challenge and the GoodRx case, underscores the balance between leveraging digital technologies for healthcare delivery and ensuring strong privacy protections. As healthcare providers navigate this landscape, staying informed and proactive in compliance efforts is paramount to safeguarding patient privacy while harnessing the benefits of digital innovation in healthcare.


Section 5: Compliance Strategies for Covered Entities

In the rapidly evolving digital healthcare landscape, HIPAA-covered entities confront a complex matrix of compliance obligations, shaped by the OCR’s guidance on online tracking technologies and illuminated through legal precedents such as the AHA challenge and the GoodRx enforcement case. These developments underscore the need for entities to employ strategic, robust frameworks to navigate the intricate interplay between digital innovation and patient privacy.


Identifying PHI in Digital Interactions

A cornerstone of HIPAA compliance in the digital domain is the precise identification of protected health information (PHI). The nuanced landscape, delineated by the OCR’s distinction between authenticated and unauthenticated web pages, demands that entities meticulously review their data collection practices. This includes understanding that seemingly innocuous data, such as IP addresses, may constitute PHI under specific conditions, thereby requiring careful management in line with HIPAA regulations.


Implementing Effective Business Associate Agreements

The enforcement action against GoodRx has spotlighted the importance of BAAs in managing PHI within the scope of third-party engagements, including online tracking technologies. Effective BAAs should comprehensively cover:

Permissible Uses and Disclosures: Clearly articulate the scope of work and PHI handling, ensuring alignment with HIPAA’s minimum necessary standard.


Safeguards for PHI Protection: Specify the administrative, physical, and technical safeguards that business associates must implement.


Reporting Protocols: Establish clear procedures for the timely reporting of any PHI breaches or security incidents.


Subcontractor Compliance: Ensure that PHI protection requirements are extended to subcontractors through cascading agreements.


Terms and Termination Conditions: Define the agreement’s duration and stipulate the handling of PHI upon termination.


Best Practices for Covered Entities

To effectively address potential challenges, such as vendor resistance to BAAs or the management of multiple agreements, covered entities should:

Conduct Thorough Vendor Due Diligence: Assess potential vendors’ privacy and security practices to ensure compliance with HIPAA standards.


Customize BAAs to Specific Risks: Tailor agreements to the particular risks and services involved, incorporating explicit data use policies and breach notification procedures.


Regularly Update BAAs: Adapt agreements in response to technological advancements and regulatory changes to ensure ongoing compliance.


Educate Staff and Foster Transparency: Provide comprehensive training for staff on the HIPAA implications of digital technologies and maintain transparent communication with patients regarding their data rights and protections.


Challenges and Adaptive Solutions

Covered entities face several challenges in navigating digital compliance, including negotiating BAAs with resistant vendors and overseeing the complexity of multiple agreements. Practical solutions include leveraging negotiation strategies to achieve compliance goals and employing centralized systems to manage and review BAAs.


The digital age demands an enhanced and adaptive compliance strategy from covered entities, incorporating rigorous PHI identification, effective BAAs, strategic best practices, and the capacity to navigate challenges with flexible solutions. By embracing such an approach, covered entities can ensure HIPAA compliance amidst the evolving demands of digital health technologies, safeguard patient privacy, and reinforce trust in the digital healthcare ecosystem.