On June 20, 2024, the U.S. District Court for the Northern District of Texas issued an order declaring unlawful and vacating a portion of this guidance document. See Am. Hosp. Ass’n v. Becerra, — F. Supp. 3d ----, No. 4:23-cv-1110, 2024 WL 3075865 (N.D. Tex. June 20, 2024). Specifically, the Court vacated the guidance to the extent it provides that HIPAA obligations are triggered in “circumstances where an online technology connects (1) an individual’s IP address with (2) a visit to a[n] [unauthenticated public webpage] addressing specific health conditions or healthcare providers.” Id. at *2. HHS is evaluating its next steps in light of that order.
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) is issuing this Bulletin to highlight the obligations of Health Insurance Portability and Accountability Act of 1996 (HIPAA) covered entities1 and business associates2 (“regulated entities”) under the HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) when using online tracking technologies (“tracking technologies”).3 OCR administers and enforces the HIPAA Rules, including by investigating breach reports and complaints about regulated entities’ noncompliance with the HIPAA Rules. A regulated entity’s failure to comply with the HIPAA Rules may result in a civil money penalty.4
Tracking technologies are used to collect and analyze information about how users interact with regulated entities’ websites or mobile applications (“apps”). For example, a regulated entity may engage a technology vendor to perform such analysis as part of the regulated entity’s health care operations.5 The HIPAA Rules apply when the information that regulated entities collect through tracking technologies or disclose to tracking technology vendors includes protected health information (PHI).6 Some regulated entities may share sensitive information with tracking technology vendors, and such sharing may involve unauthorized disclosures of PHI to those vendors.7 Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures8 of PHI to tracking technology vendors or any other violations of the HIPAA Rules. For example, disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures.9
An impermissible disclosure of an individual’s PHI not only violates the Privacy Rule10 but also may result in a wide range of additional harms to the individual or others. For example, an impermissible disclosure of PHI may result in identity theft, financial loss, discrimination, stigma, mental anguish, or other serious negative consequences to the reputation, health, or physical safety of the individual or to others identified in the individual’s PHI. Such disclosures can reveal incredibly sensitive information about an individual, including diagnoses, frequency of visits to a therapist or other health care professionals, and where an individual seeks medical treatment.
While it has always been true that regulated entities may not impermissibly disclose PHI to tracking technology vendors, because of the proliferation of tracking technologies collecting sensitive information, OCR is providing this reminder that it is critical for regulated entities to ensure that they disclose PHI only as expressly permitted or required by the HIPAA Privacy Rule.
To this end, this Bulletin provides guidance for regulated entities to consider when contemplating the use of tracking technologies, including an overview of how the HIPAA Rules apply to regulated entities’ use of tracking technologies. This Bulletin addresses:
- What is a tracking technology?
- How do the HIPAA Rules apply to regulated entities’ use of tracking technologies?
What is a tracking technology?
Generally, a tracking technology is a script or code on a website or mobile app used to gather information about users or their actions as they interact with a website or mobile app. After information is collected through tracking technologies from websites or mobile apps, it is then analyzed by owners of the website or mobile app (“website owner” or “mobile app owner”), or third parties, to create insights about users’ online activities. Such insights could be used in beneficial ways to help improve care or the patient experience, improve the utility of webpages and apps, or allocate resources. For example, hospitals might use data analytics to determine how many IP addresses accessed webpages providing information about COVID-19 vaccines or treatment in a particular area, which in turn could help the hospitals make decisions about how to allocate their medical and other resources. However, this tracking information could also be misused to promote misinformation, identity theft, stalking, and harassment.
Tracking technologies collect information and track users in various ways,14 many of which are not apparent to the website or mobile app user. Websites commonly use tracking technologies such as cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts15 to track and collect information from users. Mobile apps generally include or embed tracking code within the app to enable the app to collect information directly provided by the user, and apps may also capture the user’s mobile device-related information. For example, mobile apps may use a unique identifier from the app user’s mobile device, such as a device ID16 or advertising ID.17 These unique identifiers, along with any other information collected by the app, enable the mobile app owner or vendor or any other third party who receives such information to create individual profiles about each app user.18
Website or mobile app owners may use tracking technologies developed internally or those developed by third parties. Generally, tracking technologies developed by third parties (e.g., tracking technology vendors) send information directly to the third parties who developed such technologies and may continue to track users and gather information about them even after they navigate away from the original website to other websites. This Bulletin focuses on regulated entities’ obligations when using third party tracking technologies.
How do the HIPAA Rules apply to regulated entities’ use of tracking technologies?
Some regulated entities may be disclosing a variety of information to tracking technology vendors through tracking technologies placed on the regulated entity’s website or mobile app, such as information that the individual types or selects when they use regulated entities’ websites or mobile apps. The information disclosed might include an individual’s medical record number, home or email address, or dates of appointments, as well as an individual’s IP address or geographic location, device IDs, or any unique identifying code.19 In some cases, the information disclosed may meet the definition of individually identifiable health information (IIHI),20 which is a necessary pre-condition for information to meet the definition of PHI when it is transmitted or maintained by a regulated entity.
IIHI collected on a regulated entity’s website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the IIHI, such as in some circumstances IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services.21 But the mere fact that an online tracking technology connects the IP address of a user’s device (or other identifying information) with a visit to a webpage addressing specific health conditions or listing health care providers is not a sufficient combination of information to constitute IIHI if the visit to the webpage is not related to an individual’s past, present, or future health, health care, or payment for health care.22
The information below highlights how the HIPAA Rules apply in the context of tracking on user-authenticated webpages and unauthenticated webpages, and within mobile apps.
Tracking on user-authenticated webpages
Regulated entities may have user-authenticated webpages, which require a user to log in before they are able to access the webpage, such as a patient or health plan beneficiary portal or a telehealth platform. Tracking technologies on a regulated entity’s user-authenticated webpages generally have access to PHI. Such PHI may include, for example, an individual’s IP address, medical record number, home or email addresses, dates of appointments, or other identifying information that the individual may provide when interacting with the webpage. Tracking technologies within user-authenticated webpages may even have access to an individual’s diagnosis and treatment information, prescription information, billing information, or other information within the portal. Therefore, a regulated entity must configure any user-authenticated webpages that include tracking technologies to allow such technologies to only use and disclose PHI in compliance with the HIPAA Privacy Rule and must ensure that the electronic protected health information (ePHI)23 collected through its website is protected and secured in accordance with the HIPAA Security Rule.24
Furthermore, tracking technology vendors are business associates if they create, receive, maintain, or transmit PHI on behalf of a regulated entity for a covered function (e.g., health care operations25) or provide certain services to or for a covered entity (or another business associate) that involve the disclosure of PHI. In these circumstances, regulated entities must ensure that the disclosures made to such vendors are permitted by the Privacy Rule and enter into a business associate agreement (BAA) with these tracking technology vendors to ensure that PHI is protected in accordance with the HIPAA Rules.26 27 For example, if an individual makes an appointment through the website of a covered health clinic28 for health services and that website uses third party tracking technologies, then the website might automatically transmit information regarding the appointment and the individual’s IP address to a tracking technology vendor. In this case, the tracking technology vendor is a business associate, and a BAA is required.
Tracking on unauthenticated webpages
Regulated entities may also have unauthenticated webpages, which are webpages that do not require users to log in before they are able to access the webpage, such as a webpage with general information about the regulated entity like their location, visiting hours, employment opportunities, or their policies and procedures. Tracking technologies on many unauthenticated webpages do not have access to individuals’ PHI; in this case, a regulated entity’s use of such tracking technologies is not regulated by the HIPAA Rules. However, in some cases, tracking technologies on unauthenticated webpages may have access to PHI, in which case the HIPAA Rules apply to the regulated entities’ use of tracking technologies and disclosures to the tracking technology vendors. Regulated entities are required to “[e]nsure the confidentiality, integrity, and availability of all electronic PHI the [regulated entity] creates, receives, maintains, or transmits.”29 Thus, regulated entities that are considering the use of online tracking technologies should consider whether any PHI will be transmitted to a tracking technology vendor, and take appropriate steps consistent with the HIPAA Rules.
The examples below illustrate when certain visits to an unauthenticated webpage may or may not involve the disclosure of PHI.
Visits to unauthenticated webpages do not result in a disclosure of PHI to a tracking technology vendor if the online tracking technologies on the webpages do not have access to information that relates to any individual’s past, present, or future health, health care, or payment for health care.
- For example, where a user merely visits a hospital’s webpage that provides information about the hospital’s job postings or visiting hours, the collection and transmission of the user’s IP address, geographic location, or other identifying information showing their visit to that webpage would not involve a disclosure of an individual’s PHI to a tracking technology vendor. This is true even if there is a reasonable basis to believe that the information can be used to identify the user who visited the webpage, because the online tracking technologies in this example did not have access to information about an individual’s past, present, or future health, health care, or payment for health care.
Further, visits to unauthenticated webpages do not result in a disclosure of PHI to a tracking technology vendor if the visit is not related to an individual’s past, present, or future health, health care, or payment for health care.
- For example, if a student were writing a term paper on the changes in the availability of oncology services before and after the COVID-19 public health emergency, the collection and transmission of information showing that the student visited a hospital’s webpage listing the oncology services provided by the hospital would not constitute a disclosure of PHI, even if the information could be used to identify the student.
- However, if an individual were looking at a hospital’s webpage listing its oncology services to seek a second opinion on treatment options for their brain tumor, the collection and transmission of the individual’s IP address, geographic location, or other identifying information showing their visit to that webpage is a disclosure of PHI to the extent that the information is both identifiable and related to the individual’s health or future health care.
Tracking technologies on a regulated entity’s unauthenticated webpage that permits individuals to schedule appointments or use a symptom-checker tool without entering credentials may have access to PHI in certain circumstances.
- For example, tracking technologies might collect an individual’s email address, or reason for seeking health care typed or selected by an individual, when the individual visits a regulated entity’s webpage and makes an appointment with a health care provider or enters symptoms in an online tool to obtain a health analysis. In this example, the regulated entity is disclosing PHI to the tracking technology vendor, and thus the HIPAA Rules apply. This is because, unlike the general situation for many unauthenticated webpages, the information collected in this example meets the definition of IIHI.
The login page of a regulated entity’s patient portal (which may be the website’s homepage or a separate, dedicated login page), or a user registration webpage where an individual creates a login for the patient portal, generally are unauthenticated because the individual did not provide credentials to be able to navigate to those webpages. However, if the individual enters credential information on that login webpage or enters registration information (e.g., name, email address) on that registration page, such information meets the definition of IIHI.30 Therefore, if tracking technologies on a regulated entity’s patient portal login page or registration page collect an individual’s login information or registration information, that collection is a disclosure of PHI and is subject to the HIPAA Rules.
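The situations described above (tracking code on a login, registration, appointment, or symptom-checker page that also loads third-party scripts or pixels, and the script, pixel, and iframe mechanisms described under “What is a tracking technology?”) can be checked for statically before a page is published. The following Python script is an added example and is not part of this Bulletin or any OCR tool; the sample HTML, the first-party host name hospital.example, the vendor host names analytics.example and pixel.example, and the list of field-name hints are all constructed for illustration. It parses a page, records every script, image, or iframe fetched from a host other than the regulated entity’s own (including vendor loaders injected from inline scripts), and notes whether the same page has form fields that would carry identifying or health information once submitted, which is the combination the Bulletin treats as a disclosure of PHI.

```python
"""Static audit of one webpage for third-party tracking loads on pages that
collect information an individual types in. Added example, not part of the
OCR Bulletin. Host names, sample markup and field-name hints are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field names that hint a form collects IIHI once submitted (assumed list).
SENSITIVE_FIELD_HINTS = ("email", "password", "user", "login", "mrn",
                         "symptom", "reason", "dob", "phone", "name")
# Quoted absolute or protocol-relative URLs inside inline scripts, where vendor
# code is usually injected dynamically (e.g. s.src = "https://pixel.example/p.js").
URL_IN_SCRIPT = re.compile(
    r"""["'](?:https?:)?//([a-z0-9.-]+\.[a-z]{2,})[^"']*["']""", re.I)


class TrackerAudit(HTMLParser):
    """Collects third-party resource hosts and sensitive form fields from a page."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party = first_party_host.lower()
        self.third_party_hosts = {}   # host -> how it was first seen
        self.sensitive_fields = []
        self._in_script = False

    def _is_first_party(self, host):
        host = host.lower()
        return host == self.first_party or host.endswith("." + self.first_party)

    def _note(self, host, how):
        if host and not self._is_first_party(host):
            self.third_party_hosts.setdefault(host.lower(), how)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
        if tag in ("script", "img", "iframe") and a.get("src"):
            how = tag
            if tag == "img" and a.get("width") == "1" and a.get("height") == "1":
                how = "tracking pixel"   # a 1x1 image is the classic web beacon
            self._note(urlparse(a["src"]).hostname, how)   # relative src -> None
        if tag in ("input", "textarea", "select"):
            name = (a.get("name") or a.get("id") or "").lower()
            if a.get("type", "").lower() == "password" or any(
                    h in name for h in SENSITIVE_FIELD_HINTS):
                self.sensitive_fields.append(name or "password")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for host in URL_IN_SCRIPT.findall(data):
                self._note(host, "inline script loader")


def audit_page(html, first_party_host):
    """Return the third parties a page loads from and whether the same page
    also collects fields that would make that transmission one of IIHI."""
    p = TrackerAudit(first_party_host)
    p.feed(html)
    p.close()
    return {
        "third_parties": dict(p.third_party_hosts),
        "sensitive_fields": list(p.sensitive_fields),
        # Both together is the case the Bulletin says triggers the HIPAA Rules.
        "needs_baa_or_removal": bool(p.third_party_hosts) and bool(p.sensitive_fields),
    }


# Constructed sample pages (not markup from any real provider or vendor).
LOGIN_PAGE = """
<html><body>
<script src="/static/portal.js"></script>
<script src="https://analytics.example/collect.js"></script>
<script>
  var s = document.createElement('script');
  s.src = 'https://pixel.example/p.js';
  document.head.appendChild(s);
</script>
<form action="/login" method="post">
  <input type="email" name="email">
  <input type="password" name="pwd">
  <button>Sign in</button>
</form>
<img src="//pixel.example/i.gif" width="1" height="1">
</body></html>
"""

VISITING_HOURS_PAGE = """
<html><body>
<script src="https://analytics.example/collect.js"></script>
<h1>Visiting hours</h1><p>8am to 8pm daily.</p>
<img src="https://cdn.hospital.example/map.png" width="600" height="400">
</body></html>
"""

if __name__ == "__main__":
    for label, page in (("login", LOGIN_PAGE), ("visiting-hours", VISITING_HOURS_PAGE)):
        print(label, audit_page(page, "hospital.example"))
```

A page that reports third parties but no sensitive fields (the visiting-hours sample) is the general unauthenticated case described above; one that reports both (the login sample) is the login, registration, or appointment case, and the regulated entity needs either a BAA with each listed host or to remove the load. The check is static and cannot see what a vendor script does once it runs in the browser (for example, session replay or reading form values before submission), so it complements, rather than replaces, inspecting the network traffic of the live page.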
Tracking within mobile apps
Mobile apps31 that regulated entities offer to individuals (e.g., to help manage their health information, pay bills) collect a variety of information provided by the app user, including information typed or uploaded into the app, as well as information provided by the app user’s device, such as fingerprints,32 network location, geolocation, device ID, or advertising ID. Such information collected by a regulated entity’s mobile app generally is PHI and the regulated entity must comply with the HIPAA Rules for any PHI that the mobile app uses or discloses, including any subsequent disclosures to the mobile app vendor, tracking technology vendor, or any other third party who receives such information. For example, a patient might use a health clinic's diabetes management mobile app to track health information such as glucose levels and insulin doses. In this example, the transmission of information to a tracking technology vendor as a result of using such app would be a disclosure of PHI because the individual’s use of the app is related to an individual’s health condition (i.e., diabetes) and that, together with any individually identifying information (e.g., name, mobile number, IP address, device ID), meets the definition of IIHI.
However, the HIPAA Rules do not protect the privacy and security of information that users voluntarily download or enter into mobile apps that are not developed or offered by or on behalf of regulated entities, regardless of where the information came from. For example, the HIPAA Rules do not apply to health information that an individual enters into a mobile app offered by an entity that is not regulated by HIPAA (even if the individual obtained that information from their medical record created by a regulated entity). In instances where the HIPAA Rules do not apply to such information, other law may apply. For instance, the Federal Trade Commission (FTC) Act and the FTC’s Health Breach Notification Rule (HBNR) may apply in instances where a mobile health app impermissibly discloses a user’s health information.33
HIPAA compliance obligations for regulated entities when using tracking technologies
Regulated entities are required to comply with the HIPAA Rules when using tracking technologies. Some examples of the HIPAA Privacy, Security, and Breach Notification requirements that regulated entities must meet when using tracking technologies with access to PHI include:
- Ensuring that all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule and that, unless an exception applies, only the minimum necessary PHI to achieve the intended purpose is disclosed.34
  - Regulated entities may identify the use of tracking technologies in their website or mobile app’s privacy policy, notice, or terms and conditions of use.35 However, the Privacy Rule does not permit disclosures of PHI to a tracking technology vendor based solely on a regulated entity informing individuals in its privacy policy, notice, or terms and conditions of use that it plans to make such disclosures. Regulated entities must ensure that all tracking technology vendors have signed a BAA and that there is an applicable permission prior to a disclosure of PHI.36
  - If there is not an applicable Privacy Rule permission or if the vendor is not a business associate of the regulated entity, then the individuals’ HIPAA-compliant authorizations are required before the PHI is disclosed to the vendor. Website banners that ask users to accept or reject a website’s use of tracking technologies, such as cookies, do not constitute a valid HIPAA authorization.
  - Further, it is insufficient for a tracking technology vendor to agree to remove PHI from the information it receives or to de-identify the PHI before the vendor saves the information. Any disclosure of PHI to the vendor without individuals’ authorizations requires the vendor to have a signed BAA in place and requires that there is an applicable Privacy Rule permission for the disclosure.
- Establishing a BAA with a tracking technology vendor that meets the definition of a “business associate.”
  - A regulated entity should evaluate its relationship with a tracking technology vendor to determine whether such vendor meets the definition of a business associate and ensure that the disclosures made to such vendor are permitted by the Privacy Rule. A tracking technology vendor is a business associate if it meets the definition of a business associate, regardless of whether the required BAA is in place.37 Moreover, signing an agreement containing the elements of a BAA does not make a tracking technology vendor a business associate if the tracking technology vendor does not meet the business associate definition.
  - The BAA must specify the vendor’s permitted and required uses and disclosures of PHI and provide that the vendor will safeguard the PHI and report any security incidents, including breaches of unsecured PHI, to the regulated entity, among other requirements.38
  - If the chosen tracking technology vendor will not provide written satisfactory assurances in the form of a BAA that it will appropriately safeguard PHI, the regulated entity can instead establish a BAA with another vendor, for example a Customer Data Platform39 vendor, that will de-identify online tracking information that includes PHI and then disclose only de-identified information to tracking technology vendors that are unwilling to enter into a BAA with the regulated entity.
  - If a regulated entity does not want to create a business associate relationship with a vendor that meets the definition of business associate, it cannot disclose PHI to such a vendor without individuals’ authorizations.
- Addressing the use of tracking technologies in the regulated entity’s Risk Analysis and Risk Management processes,40 as well as implementing other administrative, physical, and technical safeguards in accordance with the Security Rule (e.g., encrypting ePHI that is transmitted to the tracking technology vendor;41 enabling and using appropriate authentication, access, encryption, and audit controls when accessing ePHI maintained in the tracking technology vendor’s infrastructure)42 to protect the ePHI.
- Providing breach notification43 to affected individuals, the Secretary, and the media (when applicable) of an impermissible disclosure of PHI to a tracking technology vendor that compromises the security or privacy of PHI when there is no Privacy Rule requirement or permission to disclose PHI and there is no BAA with the vendor. In such instances, there is a presumption that there has been a breach of unsecured PHI unless the regulated entity can demonstrate that there is a low probability that the PHI has been compromised.44
OCR’s Enforcement Priorities
Compliance with the Security Rule helps lower the risk of unauthorized access to ePHI collected through a regulated entity’s website or mobile app that could lead to harm to individuals. Therefore, OCR is prioritizing compliance with the HIPAA Security Rule in investigations into the use of online tracking technologies. OCR’s principal interest in this area is ensuring that regulated entities have identified, assessed, and mitigated the risks to ePHI when using online tracking technologies and have implemented the Security Rule requirements to ensure the confidentiality, integrity, and availability of ePHI. OCR investigations are fact-specific and may involve the review of technical information regarding a regulated entity’s use of any tracking technologies. OCR considers all of the available evidence in determining compliance and remedies for potential noncompliance.
Filing a Privacy Complaint
If you believe that your (or someone else’s) health privacy rights have been violated, visit the OCR complaint portal at https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf to file a complaint online.
DISCLAIMER: The contents of this document do not have the force and effect of law and are not meant to bind the public in any way. This document is intended only to provide clarity to the public regarding existing requirements under the law or the Department’s policies.
To obtain this information in an alternate format, contact the HHS Office for Civil Rights at (800) 368-1019, TDD toll-free: (800) 537-7697, or by emailing OCRMail@hhs.gov. Language assistance services for OCR matters are available and provided free of charge.
Resources
HIPAA Guidance:
- Health Apps: https://www.hhs.gov/hipaa/for-professionals/special-topics/health-apps/index.html
- Security Rule: https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html?language=es
- Cybersecurity: https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html
- Privacy Rule: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/index.html
- Business Associate Contracts: https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
For more information on health apps and online tracking, visit:
- FTC Guidance on online tracking: https://consumer.ftc.gov/articles/how-protect-your-privacy-online
- FTC Guidance for mobile health apps:
  - https://www.ftc.gov/business-guidance/resources/mobile-health-apps-interactive-tool
  - https://www.ftc.gov/business-guidance/resources/sharing-consumer-health-information-look-hipaa-ftc-act
  - https://www.ftc.gov/business-guidance/blog/2022/07/location-health-other-sensitive-information-ftc-committed-fully-enforcing-law-against-illegal-use
- FTC Health Breach Notification Rule: https://www.ftc.gov/legal-library/browse/rules/health-breach-notification-rule
- ONC’s Model Privacy Notice for technology developers: https://www.healthit.gov/sites/default/files/2018modelprivacynotice.pdf
Endnotes:
1 See 45 CFR 160.103 (definition of “Covered entity”).
2 See 45 CFR 160.103 (definition of “Business associate”).
3 See 45 CFR parts 160 and 164. See also OCR’s Fact Sheet on Direct Liability of Business Associates, https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html
4 See 42 USC 1320d-5; see also 45 CFR part 160, subpart D; and 2019 Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties, 84 FR 18151 (April 30, 2019). For more information on breach reporting, see also OCR’s Guidance on the Breach Notification Rule, https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html.
5 Health care operations include customer service, business planning and development, and business management or general administrative activities. See 45 CFR 164.501 (definition of “Health care operations”). This Bulletin does not address all potential purposes for which a regulated entity might use tracking technologies and the specific conditions that apply to uses and disclosures for those purposes. For example, uses and disclosures of PHI for purposes of research, such as research studies that involve the collection of PHI using tracking technologies, are not within the scope of this bulletin; those uses and disclosures are subject to the requirements of the Privacy Rule’s research provisions at 45 CFR 164.512(i).
6 See 45 CFR 160.103 (definition of “Protected health information”).
7 See, e.g., https://themarkup.org/pixel-hunt/2022/06/16/facebook-is-receiving-sensitive-medical-information-from-hospital-websites and https://jamanetwork.com/journals/jamainternalmedicine/article-abstract/2796236.
8 Regulated entities can use or disclose PHI, without an individual’s written authorization, only as expressly permitted or required by the HIPAA Privacy Rule. See 45 CFR 164.502(a).
9 See 45 CFR 164.508(a)(3); see also 45 CFR 164.501 (definition of “Marketing”).
10 45 CFR part 160 and subparts A and E of part 164.
11 This Bulletin uses the term “user-authenticated webpages” to refer to webpages that users can access only after they log in to the webpage, such as by entering a unique user ID and password or other credentials.
12 This Bulletin uses the term “unauthenticated webpages” to refer to webpages that are publicly accessible without first requiring a user to log in to such webpage.
13 A mobile app is a software program for mobile devices. This Bulletin uses the term “mobile apps” to refer to apps offered to individuals by regulated entities to allow the individuals to, for example, find providers, access or manage their health information or health care, or pay bills.
14 See FTC Report on Cross-Device Tracking, https://www.ftc.gov/reports/cross-device-tracking-federal-trade-commission-staff-report-january-2017.
15 Cookies are files placed on a user’s device to customize a user’s browsing experience but can also be used to track a user's activities. A web beacon or tracking pixel is a tiny graphic image (usually 1 pixel) placed on a webpage that allows the website owner or a third party to collect information regarding the use of the webpage that contains the web beacon. Session replay scripts record a user’s activities (e.g., mouse movements, clicks, and typing) when using a webpage or app. Fingerprinting uses a browser’s and/or device’s unique configurations and settings to track user activity.
16 A device ID is a unique string of numbers and letters associated with a smartphone or similar mobile device.
17 An advertising ID is a unique string of numbers and letters assigned to smartphones or similar mobile devices that allows advertisers to track user activity.
18 For additional information on the collection of sensitive information obtained from tracking technologies, see https://www.ftc.gov/business-guidance/blog/2022/07/location-health-and-other-sensitive-information-ftc-committed-fully-enforcing-law-against-illegal.
19 For more information on identifiers under the Privacy Rule, see 45 CFR 164.514(b).
20 Generally, individually identifiable health information is a subset of health information, including demographic information collected from an individual, that is created or received by a covered entity (or its business associate) or employer; and relates to the past, present, or future health, health care, or payment for health care of an individual; and identifies the individual or there is a reasonable basis to believe the information can be used to identify the individual. See 45 CFR 160.103 (definition of “Individually identifiable health information”).
21 There are limited situations in which an IP address or geographic location by itself may not be PHI, such as where the individual uses a computer at a public library instead of using their personal electronic device. This is because the IP address or geographic location will not be related to the individual when using a public device. However, even in such cases, the IP address or geographic location from such devices, combined with any information provided by users through a webpage or mobile app, could be used to identify the individual and therefore may be PHI.
22 See “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule”, 78 FR 5566, 5598 (January 25, 2013).
23 See 45 CFR 160.103 (definition of “Electronic protected health information”).
24 See 45 CFR part 164, subparts A and C.
25 See 45 CFR 164.506; see also 45 CFR 164.501 (definition of “Health care operations”).
26 See 45 CFR 164.504(e) and 45 CFR 164.308(b).
27 See OCR’s Fact Sheet on Direct Liability of Business Associates, supra note 3.
28 A health clinic is covered if it is a health care provider that transmits any health information in electronic form in connection with a transaction covered by 45 CFR part 162.
29 45 CFR 164.306(a).
30 See 45 CFR 160.103 (definition of “Electronic media”); see also 45 CFR 160.103 (defining “Protected health information” as “individually identifiable health information . . . that is transmitted by electronic media; maintained by electronic media; or transmitted or maintained in any other form or medium”).
31 For additional resources for mobile health app developers, see https://www.hhs.gov/hipaa/for-professionals/special-topics/health-apps/index.html.
32 A mobile device fingerprint typically includes information such as the device name, type, operating system version, and IP address.
33 For more information on the privacy and security of personal consumer apps, see https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/cell-phone-hipaa/index.html.
34 See 45 CFR 164.502(a), 45 CFR 164.502(b), and 45 CFR 164.514(d).
35 See, e.g., https://www.healthit.gov/sites/default/files/2018modelprivacynotice.pdf.
36 See 45 CFR 164.502(a) and 164.502(e).
37 See, e.g., 45 CFR 164.308(b)(3) and 45 CFR 164.502(e)(2).
38 See, e.g., 45 CFR 164.504(e); and 45 CFR 164.314(a). See also OCR’s Sample Business Associate Contract, https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.
39 A Customer Data Platform (CDP) is software that can combine data from multiple sources regarding customer interactions with a company's online presence to support a company's analytic and customer experience analysis. Some CDP vendors may be willing to work with regulated entities as their business associates and enter into appropriate business associate agreements. Such CDP vendors may include services providing for de-identification of online tracking data that contains PHI.
40 See 45 CFR 164.308.
41 A regulated entity must implement encryption for ePHI in transit and at rest if it is a reasonable and appropriate safeguard. If it is not reasonable and appropriate, the regulated entity must document why not and implement an equivalent alternative measure if reasonable and appropriate. See 45 CFR 164.312(a)(2)(iv); 45 CFR 164.312(e)(2)(ii); and 45 CFR 164.306(d). See also OCR’s HIPAA FAQ #2020, https://www.hhs.gov/hipaa/for-professionals/faq/2020/what-is-the-difference-between-addressable-and-required-implementation-specifications/index.html.
42 See 45 CFR 164.308(a)(4); 45 CFR 164.312(a); 45 CFR 164.312(b); and 45 CFR 164.312(d).
43 See 45 CFR 164.402 (definition of “Breach”).
44 See 45 CFR 164.400 et seq. Impermissible disclosures of health information by non-HIPAA regulated entities may be subject to the FTC’s Health Breach Notification Rule. See 16 CFR 318 et seq.