Illinois Supreme Court: 5-Year Statute of Limitations for BIPA Claims


Earlier today, the Illinois Supreme Court issued a decision in Tims v. Black Horse Carriers, Inc., 2023 IL 127801, in which the court held that a five-year statute of limitations applies to all claims arising under the Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et seq. (BIPA). There are five primary sections under BIPA. Section 15(a) pertains to the establishment and maintenance of and adherence to a retention schedule and guidelines for destroying collected biometric information. Section 15(b) pertains to notice and written consent before collecting or storing biometric information. Section 15(c) pertains to selling or otherwise profiting from collected biometric information. Section 15(d) pertains to the disclosure or dissemination of biometric information without consent. Section 15(e) pertains to the proper storage and transmittal of collected biometric information.


Welcome Counsel Andrew Epstein to the DADM Group

We are excited to welcome new Counsel Andrew Epstein to our Digital Assets and Data Management Group. Andrew joins our Digital Risk Advisory and Cybersecurity team and works out of our Seattle office.

Andrew joins us most recently from Ethos Technologies, Inc., where he was Senior Corporate Counsel – Privacy, Cybersecurity and Employment.

As a strategic thought partner to businesses, non-profits and other organizations, Andrew provides risk-based options and operationalizes solutions to clients’ privacy and cybersecurity compliance obligations that are designed to optimize clients’ abilities to leverage a key asset: data.


Pennsylvania’s Data Breach Notification Law Is Changing: What Does It Mean for Entities Doing Business in the Keystone State?

2023 is going to bring big changes to Pennsylvania’s Breach of Personal Information Notification Act. Although the revisions to the law do not go into effect until May 2, 2023, now is the time for Pennsylvania entities to ensure that they are in compliance before the effective date.


OCR Guidance on Use of Tracking Technologies Warrants Review of Website Tech

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued guidance regarding covered entities’ and business associates’ use of tracking technologies (the Guidance). As discussed in greater detail below, the Guidance reveals OCR’s position that an IP address is not just an identifier but is itself individually identifiable health information (IIHI) when collected by tracking technology on a healthcare entity’s website. In light of the significant regulatory and class-action activity against covered entities and business associates regarding their use of this technology, this post provides our analysis of how the Guidance impacts how these entities use and assess their usage of tracking technologies. We also provide general recommendations for healthcare entities in light of the Guidance.

Background – Tracking Technologies

Organizations use various tools to make their websites functional, improve visitor experience and analyze website traffic. These tools are often grouped together and referred to as “tracking technologies” and include things like cookies, web beacons or pixel tags, heatmaps, session replay, and recording scripts, all of which can be used to collect information from website visitors as they navigate a website.

The following list includes a general overview of each of these common technologies and their functions.

  • Cookies – Cookies are small text files sent to website visitors’ browsers from the websites they visit. They help that website learn or remember information about the visit – such as the user’s preferences (e.g., language choice, page configuration, shopping cart contents) – to improve the web browsing experience. Cookies can also be used for analytics, advertising and personalization. Depending on the user and browser settings, the browser will store cookies locally on the user’s device.
  • Pixels – Also known as web beacons, trackers or advertising technology (AdTech), a pixel is a piece of code embedded on a website that can be used to track visitor activity on that website. By default, pixels will collect information about URLs visited, buttons clicked and other actions taken by a website visitor on a webpage where the pixel is present. Many pixels interact with cookies to track users’ activity and preferences.
  • Heatmaps – Heatmaps collect user behavior data – such as button clicks and scrolling – to provide the website owner with a color-coded representation of the website elements that are the most (hot) and least (cold) interacted with.
  • Session recording – Also known as session replays, user recordings and user/visitor replay tools, session recordings are renderings of real actions taken by visitors as they browse a website. The recordings capture mouse movement, clicks/taps, keyboard strokes and scrolling during the visitor’s website session to help website owners improve site functionality by understanding how users navigate their site, how they interact with elements, where they hesitate and where they get stuck. By default, the session recording tools we have seen (including HotJar and Crazy Egg) automatically anonymize keyboard strokes (i.e., the data a user inputs in a form) and can be configured to suppress specific elements.

Separately, every website also receives a set of data from each visitor's browser in order for the website to function, known as HTTP headers or “header information.” Without getting too technical, header information is part of every request a browser sends to a website and is a component necessary for the Internet to work. Header information includes data about a visitor’s computer, mobile device and Internet connection, such as the IP address, operating system, browser type and app version. This information tells a website how to present information to the visitor (for example, the website might be presented differently when the visitor is on a computer versus on a mobile device) and where to send it (i.e., the IP address).

Background – Regulatory Action and Litigation Related to Tracking Technology

Regulatory scrutiny of and class-action litigation based on healthcare providers’ use of tracking technology increased significantly after the June 2022 online publication of an article about healthcare providers’ use of Meta Pixel. Since 2016, there has been ongoing class-action litigation against a small group of entities and tracking technology providers. After June 2022, however, the litigation net was cast much wider, with new cases filed against many of the hospitals named in the article. Additionally, many of our clients (not all of whom were named in the article) began receiving regulatory inquiries from OCR, state attorneys general and departments of justice, and federal congressional committees. While the inquiries were triggered by interest in the use of tracking technology, the OCR inquiries have taken deep dives into general compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules. Several investigations have also revealed an interest in the intersection of tracking technology and its use on webpages related to women’s reproductive health following the Dobbs decision.

The Guidance – OCR’s Position on What Constitutes PHI when Collected from a Covered Entity’s Website

Below we highlight the significant points OCR makes in the Guidance in support of its position that an IP address is itself IIHI when collected by tracking technology on a HIPAA covered entity’s (CE) website. Those points are followed by OCR’s recommendations for using tracking technology in a HIPAA-compliant manner.

First, OCR’s rationale:

  • OCR asserts that an IP address alone, collected by a CE’s website, is IIHI. In explaining how the HIPAA rules apply to CEs’ use of tracking technologies, OCR begins by asserting that (1) a website user’s IP address or geographic location, or any unique identifying code, is individually identifiable health information (IIHI); and (2) all IIHI, including IP addresses and geographic locations, that a website visitor provides when using a CE’s website “generally is PHI [protected health information],” even if the individual does not have an existing relationship with the CE and even if the IIHI, such as an IP address or geographic location, does not include specific treatment or billing information like dates and types of healthcare services.
  • According to OCR, “[t]his is because, when a regulated entity collects the individual’s IIHI through its website or mobile app, the information connects the individual to the regulated entity (i.e., it is indicative that the individual has received or will receive health care services or benefits from the covered entity), and thus relates to the individual’s past, present, or future health or health care or payment for care.”
  • A business associate agreement (BAA) is required for use of tracking technologies on a CE’s user-authenticated websites. Regarding tracking technologies on a CE’s user-authenticated websites (e.g., a patient portal), OCR states such technologies generally have access to PHI, and therefore a BAA with the technology vendor is required.
  • A BAA is required for use of tracking technologies on certain unauthenticated webpages. Regarding tracking technologies on a CE’s unauthenticated websites (e.g., any publicly available pages not requiring a login), OCR states such technologies generally do not have access to PHI and the HIPAA Rules do not apply. However, OCR outlines certain cases where it says tracking technologies on unauthenticated webpages may have access to PHI and the HIPAA Rules do apply, including (1) the login page of the CE’s patient portal or a user registration webpage where the user creates a login for the patient portal and (2) webpages that address specific symptoms or health conditions, such as pregnancy or miscarriage, or that allow a visitor to search for doctors or schedule appointments.
  • OCR provides the following as an example of when tracking technologies on unauthenticated pages have access to PHI: “[T]racking technologies could collect an individual’s email address and/or IP address when the individual visits a regulated entity’s webpage to search for available appointments with a health care provider. In this example, the regulated entity is disclosing PHI to the tracking technology vendor, and thus the HIPAA Rules apply.”
  • Information collected from the user or the user’s device by a CE’s mobile app is PHI. Regarding CEs’ mobile apps, OCR notes that such apps collect information provided by the user (i.e., information typed or uploaded into the app) and by the user’s device (i.e., fingerprints, network location, geolocation, device ID or advertising ID) and states that such information is PHI. Thus, CEs must comply with the HIPAA Rules for any PHI that the mobile app uses or discloses, including any subsequent disclosures to mobile app vendors, tracking technology vendors or any other third party that receives such information.

OCR also offers examples of the requirements under the HIPAA Privacy, Security and Breach Notification Rules that CEs must meet when using tracking technologies with access to PHI. OCR’s requirements are as follows:

Privacy Rule:

  • CEs must ensure that if PHI is provided to a tracking technology vendor, the disclosure is permissible under HIPAA or subject to an exemption, and that only the minimum necessary PHI to achieve the intended purpose is disclosed.
  • OCR clarifies that a website or mobile app’s privacy policy, terms and conditions, and/or privacy notice are not sufficient to permit disclosures of PHI to tracking technology vendors if the disclosure is not otherwise a permissible disclosure under HIPAA or pursuant to a valid BAA.
  • OCR states that tracking technology vendors that receive PHI must sign a BAA, which must include a description of the vendor’s permissible uses and a guarantee of safeguarding PHI. OCR warns CEs that the vendor must meet the definition of a business associate in order for a BAA to permit the disclosure. “Signing an agreement containing the elements of a BAA does not make a tracking technology vendor a business associate if the tracking technology vendor does not meet the business associate definition.”
  • If there is not a HIPAA-permitted disclosure or BAA, then CEs must obtain a HIPAA-compliant authorization prior to the disclosure of PHI to a tracking technology vendor. Website banners that ask users to accept or reject a website’s use of tracking technologies – such as cookies – do not constitute a valid HIPAA authorization.

Security Rule:

  • CEs must address the use of tracking technologies in their risk analysis and risk management processes and implement other administrative, physical and technical safeguards (e.g., encrypting PHI transmitted to a technology vendor) to protect the PHI.

Breach Notification Rule:

  • CEs must notify affected individuals, OCR and the media, as applicable, of an impermissible disclosure of PHI to a tracking technology vendor that compromises the security or privacy of PHI where there is no Privacy Rule permission to disclose PHI and there is no BAA with the vendor, unless the CE can demonstrate that there is a low probability that the PHI has been compromised.

BakerHostetler’s Assessment – Impact of the Guidance

The Guidance appears to conflate the statutory definition of IIHI with the identifiers listed in 45 CFR § 164.514(b)(2), which relates to de-identification of established PHI/IIHI. Under HIPAA:

  • IIHI is defined as “information that is a subset of health information, including demographic information collected from an individual, and: (1) Is created or received by a [CE]; and (2) relates to the past, present, or future [(PPF)] physical or mental health or condition of an individual; the provision of health care to an individual; or the [PPF] payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.” 45 CFR § 160.103 (our emphasis).
  • Health information (Health Information) is defined as “any information, including genetic information, whether oral or recorded in any form or medium, that: (1) Is created or received by a [CE]; and (2) Relates to the [PPF] physical or mental health or condition of an individual; the provision of health care to an individual; or the [PPF] payment for the provision of health care to an individual.” Id. (our emphasis).
  • PHI is IIHI that is: “i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium.” Id.

In other words, IIHI creates the threshold for when personal information is considered PHI subject to the Privacy Rule. As such, it must include some Health Information about an individual accompanied by sufficient identifiers such that the individual is/could reasonably be identified.

45 CFR § 164.514(b)(2), on the other hand, only applies once a determination has been made that the data at issue is PHI, as it instructs entities on which data elements to remove from PHI in order to render it de-identified. It is not a list of data elements that are, standing alone, individually identifiable.

The Guidance does not acknowledge any of the myriad situations in which the information that can be collected by tracking technologies never even meets the threshold definition of Health Information. Additionally, the Guidance states that something is IIHI if it “connects” a person with a CE, even if the person never becomes a patient. This is not consistent with the statutory definitions of IIHI and PHI. As a result of these two definitional issues, the Guidance could be ripe for challenge by both targets of OCR investigation and industry groups, including with respect to the scope of the OCR’s regulatory authority under HIPAA.

In practice, even if the definitional issues above were not present, the OCR may have a problem sufficiently proving a violation. Namely, the Guidance fails to acknowledge that, while some visitors on a CE’s website are also the CE’s patients, the pervasive use of “Dr. Google” to diagnose oneself or one’s friends/family members means that it is very likely that a significant amount of the data collected is not about the visitors themselves. With that reality, parsing out when such circumstances arise is impossible. For instance, a person may go to a hospital’s website after googling “face rash” because someone else – a friend, relative, co-worker – was experiencing that symptom. That user’s IP address bears no relationship to the person with the condition being searched and thus this is not IIHI. An attorney at a law firm may visit a hospital’s website from his or her office, using the firm’s IP address, to determine whether the notice of privacy practices (NPP) is up to date. The IP address is the firm’s, not the attorney’s, and the perusal of the NPP is not related to a health condition. OCR opts for a sledgehammer over a scalpel here, and in doing so creates guidance so flawed that we believe OCR will find it difficult to sufficiently prove a wholesale violation.

The Guidance does acknowledge the ability of CEs and their business associates to conduct a risk assessment to determine whether the use of a tracking technology resulted in a compromise of PHI. In undertaking that analysis, the basic question of “Was PHI involved?” is crucial, and CEs can defensively continue to use HIPAA’s definition of PHI, rather than the Guidance, to make that determination.

Recommendations

This Guidance should not be retroactively effective, meaning it should only apply on a going-forward basis. However, the going-forward application of this Guidance warrants analysis on whether the benefits of CEs continuing the use of tracking technologies are worth the risk. Specifically, it is possible that OCR could use the Guidance as a basis to find willful noncompliance for entities that continue to use tracking technologies after its publication date – resulting in higher penalty amounts levied.

While we do not believe that the use of tracking technologies is a per se violation, and we do believe that the Guidance can be successfully defended against, the increased potential for high fines after the Guidance came out leads us, in an abundance of caution, to recommend the following:

  • If, as a CE, you’ve not already done so, determine whether any tracking technology is utilized on your websites, appointment forms and/or patient portal. It is important to understand which specific technology is being utilized and what information may be transmitted with this technology. Common technology products we have examined in our investigations include Meta Pixel, Google Analytics, Google Maps, Yelp, HotJar, Microsoft Clarity and Crazy Egg, to name a few.
  • To the extent that discussions about continuation/discontinuation of tracking technologies have been tabled, in an abundance of caution, we recommend reprioritizing the assessment and, if discontinuation is planned, implementing it quickly.
  • Implement a website governance plan so that legal/compliance/privacy professionals are part of any website technology change management process. This plan should be a documented policy and procedure, and training the marketing department and all advertising and marketing vendors on the process is highly recommended.
  • To the extent you will not discontinue all tracking technology use, ensure that each tracking product will be considered in your regular HIPAA risk analyses.
  • To the extent you will not discontinue all tracking technology use, the decision as to whether a BAA is appropriate should be documented as to each vendor. Although many vendors refuse to sign BAAs, in light of the Guidance, they may be more willing to do so.

Congratulations to Katherine Lowry and the IncuBaker Team

BakerHostetler is proud to announce that Financial Times recently recognized the firm’s IncuBaker team, along with incoming CIO Katherine Lowry, in its annual Innovative Lawyers North America 2022 Awards. The IncuBaker team won in the Innovation in Client Delivery category, and Lowry was named Most Innovative Intrapreneur.

The awards, presented on Dec. 5 in New York, celebrate the best in innovation from law firms and in-house legal teams in the North America region.

“I am thrilled to see Financial Times recognize both IncuBaker and Katherine,” said Bob Craig, BakerHostetler’s current CIO and co-creator of IncuBaker. “BakerHostetler’s collaborative culture and focus on innovation are key components in not only firm achievements, including awards and recognitions like these, but also the overall success of our people and the excellent service we provide our clients.”


CCPA/CPRA Rulemaking Update: What to Expect

The California Privacy Protection Agency (“CPPA” or the “Agency”) published on November 3, 2022, a Public Notice of Proposed Modifications and Additional Materials Relied Upon, which starts what we hope is the last round of rulemaking to finalize the regulations for the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”). The CPRA amendments to the CCPA go into effect on January 1, 2023. Those new provisions become enforceable starting July 1, 2023, and the Agency will be able to bring enforcement actions for violations that occurred on or after July 1. This article summarizes the changes in the Proposed Regulations, what businesses can do now to comply with the January 1 deadline, and what to expect in terms of forthcoming regulations and enforcement of the new California requirements in 2023.

Key Takeaways

  • SPI and Opt-Out Preference Signal: There was significant discussion by the Agency on two topics, and therefore businesses should continue to monitor updated regulations in these areas: (1) the use and disclosure of sensitive personal information (“SPI”) and (2) opt-out preference signals.
  • DPA and Notice Requirements: No material changes were made in the November 3 modified draft of the regulations for requirements relating to data protection agreements (“DPA”), notice and privacy policies. The Agency did discuss creating in the future a DPA template that businesses could incorporate by reference, similar to a standard contractual clause that businesses can use to comply with the EU General Data Protection Regulation. For businesses that went forward with updating DPAs and prepared notices and privacy policies to go live on January 1 based on regulations that were proposed this past July, it is our assessment that there should be no material changes needed, at least for the January 1 deadline. For businesses that did not update the service provider and third-party contract terms or review the adequacy of the notices and privacy policies in the past year, they should now review them based on the November 3 draft regulations.


California’s AB 587: What You Need to Know About Social Media Content Moderation


On Sept. 13, California Gov. Gavin Newsom signed into law AB 587, which requires social media companies to publicly post their content moderation policies and semiannually report data on their enforcement of the policies to the attorney general. The first part of this article will discuss the requirements imposed by AB 587 on social media companies. The second part will discuss other state laws that similarly moderate social media content and how they compare to AB 587. The last part of this article will examine the litigation history of content moderation laws and the potential implications of possible Supreme Court intervention on these state laws.


New York Department of Financial Services Publishes Proposed Second Amendment to Its Cybersecurity Regulation


On Nov. 9, 2022, the New York State Department of Financial Services (NYDFS) published a proposed second amendment to its cybersecurity regulation. This follows its pre-proposed amendment that was published on July 29. Our prior analysis of those amendments is available here. NYDFS considered comments received in response to the pre-proposed amendments, and the proposed amendments clarify and strengthen certain requirements. We highlight some of the key changes.


OCR releases YouTube Video Addressing “Recognized Security Practices” in HIPAA Enforcement Context

As a Halloween treat for HIPAA-covered entities and business associates, on October 31, the Department of Health and Human Services Office for Civil Rights (OCR) released a new video on its YouTube channel, in which senior OCR cybersecurity advisor Nick Heesters addresses recognized security practices, or RSPs. In this video, Heesters answers a handful of questions directed to the OCR in response to OCR’s June 2022 call for input on the implementation of RSPs. While the video should be viewed in its entirety, we discuss here some of the more noteworthy aspects: (1) the OCR’s position on the “voluntary” nature of RSPs; (2) the goal posts around implementation; (3) the importance of robust asset inventory practices; and (4) supporting evidence of RSP implementation.


Could Careless Coders Face False Claims Liability?

New Software Development Security Attestation and Related False Claims Act Liability for Commercial and Noncommercial Software Developers and Suppliers


Key takeaway

Software producers at all levels in the federal supply chain should prepare to attest that their software development practices comply with National Institute of Standards and Technology (NIST) standards supported by artifacts that demonstrate secure software development and by the software bill of materials.

What happened

On Sept. 14, 2022, the Office of Management and Budget (OMB) issued guidance establishing time frames for requiring all federal agencies to only use software provided by developers (producers) who can attest in writing to complying with the NIST-specified secure software development framework (NIST SP 800-218) and NIST software supply chain security guidance. OMB’s actions implement President Joe Biden’s May 12, 2021 Executive Order requiring NIST to identify practices that enhance the security of the software supply chain.

