Use of Online Tracking Technologies May Result in HIPAA Breaches


December 27, 2022

In last month’s Health Law Update, we reported on a Notice of Data Breach posted on the website of Advocate Aurora Health, Inc. (Advocate) on October 20, 2022, and the subsequent class action lawsuit filed against Advocate and Meta Platforms, Inc. That lawsuit related to Advocate’s use of Internet tracking technologies and disclosures of certain protected health information (PHI) to specific vendors because of pixels on the health system’s websites or applications.

On December 1, 2022, the Department of Health & Human Services, Office for Civil Rights (OCR) posted a Bulletin on its website titled, “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” In the Bulletin, the OCR addresses the obligations of covered entities and business associates when using online tracking technologies. “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules. For example, disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures.”

The Bulletin addresses:

  • What is a tracking technology?
  • How do the HIPAA Rules apply to regulated entities’ use of tracking technologies?

o Tracking on user-authenticated webpages

o Tracking on unauthenticated webpages

o Tracking within mobile apps

o HIPAA compliance obligations for regulated entities when using tracking technologies

Important takeaways include:

  • The OCR has concluded that when a health care provider collects a patient’s individually identifiable information through its website or mobile app, the information connects the individual to the provider, thus making such information PHI.
  • Simply providing notice about use of tracking technologies to website or app users by virtue of a website privacy policy, notice, or terms and conditions of use is not enough to permit a covered entity to disclose PHI to a tracking vendor; a business associate agreement and full compliance with HIPAA is required.
  • Website banners that ask users to accept or reject a website’s use of tracking technologies, such as cookies, do not constitute a valid HIPAA authorization from such users.
  • Use of such tracking technologies and disclosures of PHI to tracking technology vendors creates unreasonable risk of HIPAA breaches, absent full HIPAA compliance.

For additional information or if you would like assistance with your HIPAA compliance program, please contact:

Lani M. Dornfeld, CHPC (Certified in Healthcare Privacy Compliance), Member, Healthcare Law, at 973-403-3136 or


About Brach Eichler LLC

Brach Eichler LLC is a full-service law firm based in Roseland, NJ. With over 80 attorneys, the firm is focused in the following practice areas: Healthcare Law; Real Estate; Litigation; Trusts and Estates; Corporate Transactions & Financial Services; Personal Injury; Criminal Defense and Government Investigations; Labor and Employment; Environmental and Land Use; Family Law; Patent, Intellectual Property & Information Technology; Real Estate Tax Appeals; Tax; and Cannabis Law. Brach Eichler attorneys have been recognized by clients and peers alike in The Best Lawyers in America©, Chambers USA, and New Jersey Super Lawyers. For more information, visit

This alert is intended for informational and discussion purposes only. The information contained in this alert is not intended to provide, and does not constitute legal advice or establish the attorney/client relationship by way of any information contained herein. Brach Eichler LLC does not guarantee the accuracy, completeness, usefulness or adequacy of any information contained herein. Readers are advised to consult with a qualified attorney concerning the specifics of a particular situation.

Related Practices:   Healthcare Law

Related Attorney:   Lani M. Dornfeld