Online Tracking Technologies, HIPAA, and the Warby Parker Penalty
HHS Office for Civil Rights warns that when covered entities or business associates use Tracking Technologies that collect PHI and disclose it to third-party vendors, that can be an impermissible disclosure violating the HIPAA Privacy Rule. In February 2025 OCR imposed a $1.5 million penalty on Warby Parker for HIPAA Security Rule failures.
HHS Office for Civil Rights (OCR) guidance states that when covered entities or business associates use Tracking Technologies - cookies, pixels, and web or app trackers - that collect PHI and disclose it to third-party tracking vendors, that disclosure can be an impermissible disclosure violating the HIPAA Privacy Rule. Regulated entities must configure user-authenticated pages so trackers use or disclose PHI only as the Privacy Rule allows.
Companies not covered by HIPAA still must protect health information under the FTC Act (which prohibits unfair or deceptive practices), even when a third party built their website or app.
In February 2025 HHS OCR imposed a $1.5 million penalty on Warby Parker for violating the HIPAA Security Rule after a 2018 credential-stuffing attack exposed about 200,000 customers' information. OCR found Warby Parker failed to conduct a risk analysis, implement security measures such as multi-factor authentication, and review system activity logs.
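The "review system activity logs" control that OCR cited maps directly to detection logic: credential stuffing shows up in authentication logs as one source IP failing against many different accounts in a short window, which a single user mistyping a password does not. The following is an added example written for this page, not code from OCR or Warby Parker; the log format, the sample lines and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample of authentication log lines; format and values are assumptions.
SAMPLE_LOG = """\
2018-09-25T10:00:01Z auth_result=FAIL user=alice@example.com src_ip=203.0.113.7
2018-09-25T10:00:02Z auth_result=FAIL user=bob@example.com src_ip=203.0.113.7
2018-09-25T10:00:02Z auth_result=FAIL user=carol@example.com src_ip=203.0.113.7
2018-09-25T10:00:04Z auth_result=FAIL user=erin@example.com src_ip=203.0.113.7
2018-09-25T10:00:05Z auth_result=FAIL user=frank@example.com src_ip=203.0.113.7
2018-09-25T10:00:06Z auth_result=FAIL user=alice@example.com src_ip=198.51.100.4
2018-09-25T10:00:09Z auth_result=FAIL user=alice@example.com src_ip=198.51.100.4
2018-09-25T10:00:15Z auth_result=OK user=alice@example.com src_ip=198.51.100.4
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth_result=(?P<result>OK|FAIL) user=(?P<user>\S+) src_ip=(?P<ip>\S+)$"
)

def parse_log(text):
    """Parse lines into (timestamp, result, user, ip); unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def find_credential_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Return {src_ip: sorted distinct usernames} for source IPs whose failed logins
    hit at least `min_users` distinct accounts within one `window`. One account
    failing repeatedly (a user mistyping a password) is deliberately not flagged."""
    fails_by_ip = defaultdict(list)
    for ts, result, user, ip in sorted(events):
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in fails_by_ip.items():
        start = 0  # sliding window over this IP's failures, in time order
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged
```

Run against the sample, 203.0.113.7 is flagged (five distinct accounts in four seconds) while 198.51.100.4 is not, since its failures all belong to one user who then logs in successfully.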