HHS clarifies application of HIPAA to online tracking technologies

Julie Rubash, General Counsel and Chief Privacy Officer
March 26, 2024



HHS Clarifies Application of HIPAA to Online Tracking Technologies

The U.S. Department of Health and Human Services (HHS) issued an updated bulletin (originally issued in December 2022) providing further clarification on the application of HIPAA to online tracking technologies.

While the updated guidance maintains that “disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures”, it adds clarification that “the mere fact that an online tracking technology connects the IP address of a user’s device (or other identifying information) with a visit to a webpage addressing specific health conditions or listing health care providers is not a sufficient combination of information to constitute IIHI [individually identifiable health information] if the visit to the webpage is not related to an individual’s past, present, or future health, health care, or payment for health care.” The updated bulletin also mentions that HHS’s Office for Civil Rights (OCR) is prioritizing compliance with the HIPAA Security Rule in investigations into the use of online tracking technologies, principally ensuring that regulated entities have identified, assessed and mitigated the risks to electronic protected health information when using online tracking technologies. 


Although this updated guidance may provide HIPAA-covered entities and business associates with some relief that online tracking technologies may be permissible in certain circumstances, it stresses the importance of identifying and assessing the risks of tracking technologies on all authenticated and unauthenticated webpages and mobile apps. 

Kohl’s Wiretapping Class Action Overcomes Motion to Dismiss

A judge in the Southern District of California has denied Kohl’s Inc.’s motion to dismiss a class action lawsuit (case 3:23-cv-01988-AJB-KSC) alleging that the retailer enabled eavesdropping by an unauthorized third party, Ada Support, Inc. (ASI), in violation of the California Invasion of Privacy Act (CIPA) by embedding ASI chat technology code into the chat feature on its website.

The court found that the plaintiff successfully pled that (a) the plaintiffs never consented to the eavesdropping when they used the website to chat with a Kohl’s customer service representative; (b) ASI did not act as a mere extension of Kohl’s, because ASI used its record of website users’ interaction with the chat feature to enable targeted marketing by Kohl’s and other companies; (c) plaintiffs’ content communications with Kohl’s were recorded, including a transcript of plaintiffs’ interactions with the website, which was routed through ASI’s servers; (d) ASI intercepted plaintiffs’ chat with Kohl’s by having software route the communications to ASI’s servers, allowing ASI to intercept in real time, eavesdrop upon, and store transcripts of plaintiffs’ chat communications; and (e) by using a record of website users’ interaction with the Kohl’s chat feature to enable targeted marketing by Kohl’s and other companies, ASI was using the information it gathered in some manner for Kohl’s and its own benefit.


Lawsuits under CIPA and other federal and state wiretapping laws have been filed with increasing frequency in recent years, claiming that third-party chat technology, session replay software or pixels embedded on defendant websites constitute unauthorized eavesdropping on communications between users and the website. Although many of these cases are dismissed for failing to meet one or more of the elements of a CIPA claim, many others, like the present case, have overcome motions to dismiss, reminding other companies to take proactive steps to identify, assess and act on any third-party technologies embedded on their digital properties that may trigger a wiretapping lawsuit.


A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
