New HIPAA Guidance on Online Tracking Technologies
Posted February 20, 2023
On Dec. 2, 2022, the Department of Health and Human Services (HHS) issued a bulletin providing guidance on how the HIPAA Privacy, Security and Breach Notification Rules (HIPAA Rules) apply when covered entities and business associates (regulated entities) use online tracking technologies. These technologies collect and analyze information about how internet users interact with a regulated entity’s website or mobile app.
HIPAA Application
According to HHS, regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of electronic protected health information (ePHI) to tracking technology vendors or any other violations of the HIPAA Rules. However, the HIPAA Rules do not protect information that users voluntarily download or enter into mobile apps not developed or offered by or on behalf of regulated entities, regardless of where the information came from.
HIPAA Compliance
Regulated entities have the following HIPAA compliance obligations when using tracking technologies:
- Ensure that all disclosures of ePHI to tracking technology vendors are specifically permitted by the HIPAA Rules;
- Enter into business associate agreements with tracking technology vendors when the information collected includes ePHI;
- Implement appropriate safeguards to protect the security of ePHI; and
- When an impermissible disclosure of ePHI to a tracking technology vendor occurs, provide breach notification, as required in the circumstances, to affected individuals, HHS and, if applicable, the media.
Important Information
Regulated entities must ensure that they disclose ePHI to tracking technology vendors only as expressly permitted by the HIPAA Rules.
- Some HIPAA-regulated entities regularly share information with tracking technology vendors.
- The HIPAA Rules apply when the information collected through tracking technologies includes ePHI.
- Regulated entities may not impermissibly disclose ePHI to tracking technology vendors.
- Violations of the HIPAA Rules may result in civil penalties.