
The Office for Civil Rights is warning covered entities that they might be sharing protected health information with third-party tracking vendors like Facebook and Google through their use of pixel tech, in a manner that violates the Health Insurance Portability and Accountability Act.

Although HIPAA does not apply to third-party apps chosen by consumers for their personal health needs, the privacy and security regulation certainly applies to tech chosen by healthcare covered entities for their purposes.

In fact, the OCR alert warns that regulated entities aren’t permitted to use these tracking technologies “in a manner that would result in impermissible disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA Rules.”

The bulletin from the Department of Health and Human Services addresses these issues, including examples of webpage tracking, mobile app tracking, and HIPAA compliance obligations for regulated entities that choose to leverage tracking technologies to improve their care services.

The alert follows several breach notices impacting a total of nearly 6.5 million patients from WakeMed Health and Hospitals, Advocate Aurora Health, Community Health Network, and Novant Health, all tied to the providers’ decision to apply the pixel tracking tool to various parts of their websites, apps, and patient portals for insights into patient interactions.

As noted in the recent SC Media report, it’s likely these providers were unaware the pixel tool was sharing data with the related tech vendor. CHN’s notice, for example, noted it learned of the possible patient data scraping from its sites after the release of two investigative reports detailing the alleged unauthorized disclosure by Meta’s pixel tracking tool. 

At least three of these providers and Meta are facing patient-led lawsuits over the unintended disclosure, although the tech giants have denied the data scraping from hospital sites.

Unintended or not, OCR Director Melanie Fontes Rainer stressed that “providers, health plans, and HIPAA-regulated entities, including technology platforms, must follow the law. This means considering the risks to patients’ health information when using tracking technologies.” 

In fact, the bulletin makes clear that without HIPAA-compliant patient authorizations, entities that purposefully or inadvertently disclosed health data to tracking technology vendors have likely violated HIPAA with impermissible disclosures.

HHS also noted that it’s not just a HIPAA violation at stake: these disclosures can result in patient harms. “Such disclosures can reveal incredibly sensitive information about an individual, including diagnoses, frequency of visits to a therapist or other health care professionals, and where an individual seeks medical treatment.”

Disclosures to third-party vendors can lead to fraud attempts, identity theft, discrimination, stigma, financial losses, or other serious consequences to patients identified by their health data.

“While it has always been true that regulated entities may not impermissibly disclose PHI to tracking technology vendors, because of the proliferation of tracking technologies collecting sensitive information, now more than ever, it is critical for regulated entities to ensure that they disclose PHI only as expressly permitted or required by the HIPAA Privacy Rule,” according to the alert.

The bulletin reminds provider organizations that online tracking tools like Google Analytics or Meta Pixel do indeed collect and analyze information about consumer interactions with regulated entities’ websites or mobile applications, a possible HIPAA violation.

Not only must covered entities obtain consent from patients before the practice, these entities must also ensure these tracking technology vendors have signed a business associate agreement in order to comply with HIPAA. And unless an exception applies, disclosures of PHI should only be “the minimum necessary… to achieve the intended purpose.”

“If there’s not an applicable privacy rule permission or if the vendor is not a business associate of the regulated entity, then the individuals’ HIPAA-compliant authorizations are required before the PHI is disclosed to the vendor,” according to the alert. 

What’s more, “website banners that ask users to accept or reject a website’s use of tracking technologies, such as cookies, do not constitute a valid HIPAA authorization,” it adds. It’s also “insufficient for a tracking technology vendor to agree to remove PHI from the information it receives or de-identify the PHI before the vendor saves the information.”

By nature of the HIPAA rule, any PHI disclosure to an outside vendor without patient consent “requires the vendor to have a signed business associate agreement in place.” There must also be an applicable HIPAA permission to disclose the data in the first place.

The notice details all potential impermissible disclosures of patient data by covered entities to online technology tracking vendors, how the tech works, and what regulated entities should do now to protect ePHI when using tracking technologies to ensure compliance with HIPAA.

“HIPAA-regulated entities, such as providers, health plans, and business associates, including technology vendors, must follow the law,” according to the alert. “This means understanding the law and considering the risks to patients and consumers when using tracking technologies.”

Providers should promptly review the bulletin to understand tracking tech and possible compliance issues, as well as how to protect both the security and privacy of their patients and their data.