
HHS OCR Issues Bulletin on Requirements under HIPAA for Online Tracking Technologies

The bulletin highlights the obligations of covered entities and business associates when using online tracking technologies like Google Analytics or Meta Pixel. These technologies are designed to collect and analyze information about how users interact with a regulated entity’s website or mobile application.

Does your organization share electronic protected health information (ePHI) with online tracking technology vendors? If so, you might be doing it in a way that violates HIPAA. “The HIPAA Rules apply when the information that regulated entities collect through tracking technologies or disclose to tracking technology vendors includes ePHI. Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA Rules.”

The bulletin addresses potential impermissible disclosures of ePHI by HIPAA regulated entities to online tracking technology vendors. An impermissible disclosure of an individual’s PHI violates the Privacy Rule and “makes the individual vulnerable to additional harms such as identity theft, financial loss, discrimination, stigma, mental anguish, or other serious negative consequences to the reputation, health, or physical safety of the individual or to others identified in the individual’s PHI.” Additionally, impermissible disclosures may reveal “incredibly sensitive information about an individual, including diagnoses, frequency of visits to a therapist or other health care professionals, and where an individual seeks medical treatment.”

The Bulletin explains what tracking technologies are, how they are used, and what steps regulated entities must take to protect ePHI when using tracking technologies in order to comply with the HIPAA Rules. Specifically, the Bulletin provides insight and examples of:

  • Tracking on webpages
  • Tracking within mobile apps
  • HIPAA compliance obligations for regulated entities when using tracking technologies

Covered entities and business associates, “including technology platforms, must follow the law. This means considering the risks to patients’ health information when using tracking technologies.”

If you use tracking technologies, this bulletin answers important questions about protecting the privacy and security of the health information you hold.

You can read the entire Bulletin here: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html
