There is a persistent misconception about the use of online tracking technologies for marketing purposes in compliance with the U.S. Health Insurance Portability and Accountability Act.
A recent article laid out different paths for HIPAA-regulated entities to use OTTs for marketing purposes. Two are predicated on situations where a tech vendor is not willing to sign a business associate agreement, with the implication this is a compliance issue.
There was much discussion around OTTs and HIPAA compliance in the summer of 2022 after The Markup reported several large health care entities used the Meta Pixel, and other OTTs, resulting in the disclosure of health information to Meta and other tech companies who then used the information for their own marketing purposes. Regulatory investigations commenced, guidance was issued, litigation ensued, and much was written on the topic.
BAAs are one component of a larger conversation, with some suggesting the lack of an agreement leads to the compliance issue in using OTTs.
BAAs are not a silver bullet, and, in the case of OTTs used for marketing purposes, they can create a false sense of compliance.
Under the HIPAA Privacy Rule, a covered entity may not use or disclose protected health information unless otherwise permitted. For example, the rule permits covered entities to use personal health information for various purposes, like health care operations. Covered entities often use third parties to perform those health care operations, but this requires the disclosure of personal health information to those third parties.
The Privacy Rule permits these types of disclosures where the third party, such as a tech vendor, meets the definition of "business associate." A business associate performs certain functions, activities or services to or on behalf of a covered entity, typically in relation to a covered entity's health care operations.
Prior to sharing personal health information with the business associate, a covered entity must first execute a BAA — a written contract similar to a data protection agreement. The BAA includes certain safeguards to be implemented by the business associate and spells out how a business associate may use, or process, personal health information.
It is important to highlight that the definition of business associate is specific and provides an exhaustive list of functions, activities or services. This means that a third party who provides a function, activity or service to a covered entity that does not fall under this definition does not meet the definition of business associate and cannot disclose personal health information to that third party under the Privacy Rule's business associate provision.
Notably, marketing is not a function, activity or service found under the business associate definition. Further, HIPAA explicitly requires that prior to any use or disclosure of personal health information for marketing purposes, a covered entity must first obtain a valid authorization — that is, a written consent — from each individual whose personal health information is subject to the use or disclosure.
One last important thing to note about business associates is that with very narrow exceptions usually tied to internal uses, a business associate may not use or disclose personal health information for its own purposes. In other words, a business associate cannot use the personal health information it receives to train its own artificial intelligence model or algorithm.
In 2022, the U.S. Department of Health and Human Services issued guidance on the use of OTTs. That guidance, the subject of pending litigation, was updated in early 2024. Notably, it strongly suggests that even if a covered entity obtains an authorization to use personal health information for marketing purposes, it cannot rely on the business associate provision to disclose to a third party.
Specifically, it states, "disclosures of PHI to tracking technology vendors for marketing purposes, without individuals' HIPAA-compliant authorizations, would constitute impermissible disclosures."
Remember, there are two things happening with personal health information in this situation. First, the covered entity wants to use the data for marketing purposes. Second, it is disclosing personal health information to the tech vendor in order for that third party to support the covered entity's marketing activities.
Nothing in the guidance states or suggests that a covered entity only need obtain an authorization for use, and then may rely on the business associate provision to disclose to the tech vendor.
So what does this all mean?
It means that compliantly using OTTs does not necessarily hinge on having a BAA executed. As noted, a covered entity cannot use or disclose personal health information for marketing purposes unless it first obtains a valid authorization.
Moreover, a business associate may not use personal health information for its own purposes, such as using the data for its own marketing campaigns, as was alleged in the case of Meta.
Neither of these compliance issues are resolved by signing a BAA.
To compliantly use OTTs for marketing purposes, a covered entity must first obtain a valid authorization from each individual whose personal health information will be subject to the use or disclosure, including, as implied by HHS guidance, the disclosure of personal health information to a tech vendor.
It's important to note there could be situations where the use of OTTs fall within the business associate provision. However, that is a fact specific analysis that would need to focus on how the collected personal health information is used to see whether that use falls under the definition of "business associate."
John Haskell is the former privacy counsel and HIPAA privacy official for Medline Industries and is a former investigator with the U.S. Department of Health and Human Services Office for Civil Rights.