One of our physicians requested the use of a website which requires a patient to create an account, then the physician can add medical information about that individual, so the individual can then filter an e-commerce platform to make purchases that are consistent with their medical conditions. As we would be offering the service to patients and uploading the PHI, this would fall under a business associate relationship.


The website has third-party advertising banners, which have cookies that collect information about the user. The website's privacy policy states that all cookies are de-identified; specifically, they do not collect name, address, email, or telephone number. However, it is a common practice for data aggregators to be able to associate technical fingerprints (IP address, browser, etc.) with an individual to enrich data for direct marketing purposes. This is why laws like GDPR consider cookies to be identifiable, regardless of the specific data collected. The advertiser's cookies could easily gather enough information to re-identify later with a high degree of confidence, as well as associate the individual's medical condition based on the website's filtered views for that individual. With that in mind, we are uncomfortable with the possibility that using this website would, in effect, be indirectly selling patient medical data under the guise of de-identified cookies.


The website does provide a bona fide solution to a medical problem and many patients have requested such a solution. If a patient specifically requested that website without us offering it, according to the HHS guidance below, it sounds like that would be approved despite the risk. However, since we would be offering it, it sounds like we would be responsible for the HIPAA security and could not allow it.


My question is: does HIPAA consider all cookies to be identifiable, such that if they contain medical information they would be ePHI and protected by the HIPAA Security Rule?

