Online Tracking Tools—Be Cautious.

By: Kelli C. Fleming, Esq., Burr & Forman LLP

The Office for Civil Rights (“OCR”) and the Federal Trade Commission (“FTC”) recently teamed up to warn several healthcare providers about the privacy and security risks associated with online tracking technologies. According to the warning, these online tracking technologies may, under certain circumstances, be improperly disclosing protected health information (“PHI”) to third parties or using such information for impermissible purposes.

Third-party tracking technologies, such as Google Analytics, collect information about how users, oftentimes patients, interact with a provider’s website. Once collected, such information may be sent to the third party that developed the technology or used for marketing purposes without patient authorization. The unauthorized disclosure of this information to third parties and the use of this information for marketing purposes could violate both HIPAA and the FTC Act. Providers who use a third-party website developer are unfortunately sometimes unaware that such technologies are even being used on their websites.

Indicating that online tracking is an area of priority, OCR issued guidance regarding online tracking technologies in December 2022. This guidance provides a general overview of how HIPAA applies to a provider’s use of online tracking technologies by addressing the following: (1) what is a tracking technology; (2) how does HIPAA apply to regulated entities’ use of tracking technologies; (3) tracking on user-authenticated webpages; (4) tracking on unauthenticated webpages; (5) tracking within mobile apps; and (6) HIPAA compliance obligations for regulated entities when using tracking technologies. This guidance is available at 

In addition to agency enforcement, lawsuits are starting to be filed for violations of privacy and confidentiality due to improper uses and disclosures stemming from online tracking technologies. Thus, providers utilizing online tracking tools or allowing website developers to use such tools should closely review the relevant guidance to ensure that any disclosures and uses are appropriate. 

Kelli Fleming is a Partner at Burr & Forman LLP practicing exclusively in the firm’s Health Care Practice Group. Kelli may be reached at (205) 458-5429 or
