
New Guidance on Tracking Technologies and HIPAA


By BAS

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) recently issued a Bulletin emphasizing the obligations of HIPAA covered entities and business associates regarding the use of online tracking technologies. These technologies, used to gather data on users’ interactions with websites or mobile apps, are subject to the HIPAA Privacy, Security, and Breach Notification Rules when dealing with a covered entity. Failure to comply with these rules may lead to civil penalties.

When tracking technologies collect or disclose protected health information (PHI), it’s important that entities subject to HIPAA (health plans, health care providers, health care clearinghouses and business associates) ensure compliance with HIPAA regulations. While some entities may share sensitive data with tracking technology vendors, it’s important to avoid unauthorized disclosures of PHI. For instance, sharing PHI with tracking technology vendors for marketing purposes without individuals’ HIPAA-compliant authorization is prohibited.

Impermissible disclosures of PHI not only breach the Privacy Rule but also pose various risks, including identity theft, financial loss, discrimination, and mental anguish. Such disclosures can release sensitive information about an individual’s health history, treatment frequency, and medical facilities visited.

Given the proliferation of tracking technologies collecting sensitive data, OCR underscores the importance of regulated entities disclosing PHI only as expressly permitted or required by the HIPAA Privacy Rule. The Bulletin provides guidance on how the HIPAA Rules apply to the use of tracking technologies, including considerations for authenticated and unauthenticated webpages, as well as within mobile apps.



This article is for informational purposes only and is not intended as legal, tax, or benefits advice. Readers should not rely on this information for taking (or not taking) any action relating to employment, compliance, or benefits. Always consult with a qualified professional before making decisions based on this content.
