On December 1, 2022, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services issued a bulletin highlighting the obligations that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) places on covered entities and business associates under the HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) when they use online tracking technologies. Such tracking technologies, like Google Analytics or Meta Pixel, collect and analyze information about how internet users interact with a regulated entity’s website or mobile application.
The bulletin addresses potential impermissible disclosures of ePHI by HIPAA-regulated entities to online tracking technology vendors. It explains what tracking technologies are, how they are used, and what steps regulated entities must take to protect ePHI when using tracking technologies in order to comply with the HIPAA Rules. Specifically, the bulletin provides insight into and examples of:
- Tracking on webpages
- Tracking within mobile apps
- HIPAA compliance obligations for regulated entities when using tracking technologies
* * *
Some examples of the HIPAA Privacy, Security, and Breach Notification requirements that regulated entities must meet when using tracking technologies with access to PHI include:
- Ensuring that all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule and that, unless an exception applies, only the minimum necessary PHI to achieve the intended purpose is disclosed.
- Addressing the use of tracking technologies in the regulated entity’s Risk Analysis and Risk Management processes, as well as implementing other administrative, physical, and technical safeguards in accordance with the Security Rule (e.g., encrypting ePHI that is transmitted to the tracking technology vendor; enabling and using appropriate authentication, access, encryption, and audit controls when accessing ePHI maintained in the tracking technology vendor’s infrastructure) to protect the ePHI.
- Providing breach notification to affected individuals, the Secretary, and (when applicable) the media of an impermissible disclosure of PHI to a tracking technology vendor that compromises the security or privacy of the PHI, where there is no Privacy Rule requirement or permission to disclose the PHI and no BAA with the vendor. In such instances, a breach of unsecured PHI is presumed unless the regulated entity can demonstrate that there is a low probability that the PHI has been compromised.