Spring 2023 - Safety

HHS Issues Bulletin to Highlight Online Tracking Technology Obligations Under HIPAA Rules

In December, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services issued a bulletin to highlight the obligations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) on covered entities and business associates (“regulated entities”) under the HIPAA Privacy, Security and Breach Notification Rules (HIPAA Rules) when using online tracking technologies. Online tracking technologies such as Google Analytics or Meta Pixel collect and analyze information about how Internet users are interacting with a regulated entity’s website or mobile application.

The bulletin responds to some regulated entities regularly sharing electronic protected health information (ePHI) with online tracking technology vendors in a manner that violates the HIPAA Rules. Those rules apply when the information that regulated entities collect through tracking technologies or disclose to tracking technology vendors includes ePHI. Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA Rules.

The bulletin addresses potential impermissible disclosures of ePHI by HIPAA-regulated entities to online tracking technology vendors. It explains what tracking technologies are, how they are used and what steps regulated entities must take to protect ePHI and comply with the HIPAA Rules when using them. Specifically, the bulletin provides insight into, and examples of, tracking on webpages and within mobile apps, along with HIPAA compliance obligations for regulated entities when using tracking technologies.

“Providers, health plans and HIPAA-regulated entities, including technology platforms, must follow the law. This means considering the risks to patients’ health information when using tracking technologies,” said OCR Director Melanie Fontes Rainer. “Our bulletin answers questions for those using tracking technologies, importantly how to protect the privacy and security of the health information they hold.”

The bulletin can be read at www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html.

References

HHS Office for Civil Rights Issues Bulletin on Requirements Under HIPAA for Online Tracking Technologies to Protect the Privacy and Security of Health Information. U.S. Department of Health and Human Services press release, Dec. 1, 2022. Accessed at www.hhs.gov/about/news/2022/12/01/hhs-office-for-civil-rights-issues-bulletin-on-requirements-under-hipaa-for-online-tracking-technologies.html

BSTQ Staff