

OCR Updates Guidance on HIPAA Tracking Technologies


By BAS

The U.S. Department of Health and Human Services (HHS) recently revised its guidance on the use of online tracking technologies by Health Insurance Portability and Accountability Act (HIPAA) covered entities and business associates. The Office for Civil Rights (OCR) within HHS administers and enforces the HIPAA Rules, ensuring compliance and investigating breaches or complaints.

Tracking technologies, such as cookies, web beacons (tracking pixels), and embedded scripts, collect data on how users interact with websites or mobile apps and usually transmit it to the vendor that operates the technology. When that data includes protected health information (PHI), the HIPAA Rules apply. A regulated entity may not disclose PHI to a tracking technology vendor unless the Privacy Rule permits the disclosure, for example under a business associate agreement or with the individual's written HIPAA authorization; unauthorized disclosures can expose individuals to identity theft, discrimination, or other serious harm.

The guidance emphasizes that regulated entities must ensure PHI is disclosed only as HIPAA permits, and it distinguishes two kinds of pages. On user-authenticated webpages (those behind a login, such as a patient portal), the information that tracking technologies collect is generally PHI. On unauthenticated webpages (no login), the information may or may not be PHI, depending on whether what is collected relates to an individual's past, present, or future health care or payment for that care. Mobile apps offered by regulated entities also fall under the HIPAA Rules if they collect PHI.

Regulated entities must adhere to various HIPAA requirements when using tracking technologies, including:

  • Only disclosing PHI to vendors with whom they have a business associate agreement (BAA).
  • Maintaining the Security Rule's safeguards for ePHI that tracking technologies collect, including a risk analysis that accounts for those technologies, encryption, and access controls.
  • Notifying affected individuals and the Secretary of any breach of unsecured PHI, and also the media when a breach affects more than 500 residents of a state or jurisdiction.
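A practical first step toward the BAA requirement above is an inventory of which third-party hosts a page actually loads resources from, and which of them lack a business associate agreement. The script below is an added example, not code from HHS/OCR or from BAS: it parses a constructed sample of an authenticated patient-portal page, lists every third-party host referenced by script, img, iframe, and link elements, and flags those absent from a hypothetical BAA allowlist. The hostnames, the allowlist, and the sample page are all assumptions made for illustration.

```python
"""Inventory third-party tracker hosts on a page and flag those without a BAA.

Added example (not from HHS/OCR or BAS). All hostnames below are hypothetical.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an authenticated portal page that loads one first-party
# script, one analytics vendor under a BAA, and one ad pixel with no BAA.
# Note the pixel's query string carries the page path, which already reveals
# the visit to an oncology appointment page.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://analytics.example-vendor.net/tag.js"></script>
<link rel="stylesheet" href="https://portal.example-health.org/css/site.css">
</head><body>
<h1>Upcoming appointments</h1>
<img src="//pixel.example-ads.com/p.gif?page=/appointments/oncology" width="1" height="1">
</body></html>
"""

FIRST_PARTY = "portal.example-health.org"          # hypothetical covered entity domain
BAA_HOSTS = {"analytics.example-vendor.net"}       # hypothetical vendors under a BAA


class ResourceCollector(HTMLParser):
    """Collect the load targets of elements that commonly carry trackers."""

    TAG_ATTR = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = self.TAG_ATTR.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if value:
            self.urls.append(value)


def third_party_hosts(html, first_party):
    """Return the sorted hosts, other than the first party and its subdomains,
    that the page loads resources from. Relative URLs are first-party."""
    collector = ResourceCollector()
    collector.feed(html)
    hosts = set()
    for url in collector.urls:
        host = urlparse(url).netloc.lower()   # handles https://, http:// and //host forms
        if not host:
            continue
        if host == first_party or host.endswith("." + first_party):
            continue
        hosts.add(host)
    return sorted(hosts)


def audit_page(html, first_party, baa_hosts, authenticated):
    """Flag third-party hosts with no BAA. On an authenticated page the data
    collected is presumptively PHI, so an uncovered host is a likely
    impermissible disclosure; on an unauthenticated page it needs review."""
    findings = []
    for host in third_party_hosts(html, first_party):
        if host in baa_hosts:
            continue
        if authenticated:
            status = "likely impermissible PHI disclosure"
        else:
            status = "review: PHI depends on page content"
        findings.append((host, status))
    return findings


if __name__ == "__main__":
    for host, status in audit_page(SAMPLE_HTML, FIRST_PARTY, BAA_HOSTS, authenticated=True):
        print(f"{host}: {status}")
```

Run against a saved copy of each page (or the HTML captured from an authenticated session), the audit yields a list of vendor hosts to reconcile against the BAA register; resources loaded dynamically by scripts at runtime will not appear in the static HTML and need a browser-side capture of network requests instead.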

OCR prioritizes compliance with the HIPAA Security Rule, aiming to mitigate risks associated with online tracking technologies. Investigations into noncompliance are fact-specific and may involve technical assessments of tracking technology usage.

The guidance underscores the importance of safeguarding PHI in an era of widespread online tracking. Regulated entities must carefully navigate the use of tracking technologies to protect individuals’ privacy and comply with HIPAA regulations.

Benefit Allocation Systems (BAS) provides online solutions for: Employee Benefits Enrollment; COBRA; Flexible Spending Accounts (FSAs); Health Reimbursement Accounts (HRAs); Leave of Absence Premium Billing (LOA); Affordable Care Act Record Keeping, Compliance & IRS Reporting (ACA); Group Insurance Premium Billing; Property & Casualty Premium Billing; and Payroll Integration.

MyEnroll360 integrates with major insurance carriers for enrollment eligibility management (e.g., Blue Cross, Blue Shield, Aetna, United Health Care, Kaiser, CIGNA and others), and with leading payroll platforms for enrollment deduction management (e.g., Workday, ADP, Paylocity, PayCor, UKG, and others).

This article is for informational purposes only and is not intended as legal, tax, or benefits advice. Readers should not rely on this information for taking (or not taking) any action relating to employment, compliance, or benefits. Always consult with a qualified professional before making decisions based on this content.
