The Office for Civil Rights (OCR) recently issued a bulletin (the “Bulletin”) addressing the use of online tracking technologies by HIPAA-covered entities and business associates (collectively “regulated entities”). The Bulletin highlights the regulated entities’ obligations under the HIPAA Privacy, Security, and Breach Notification Rules (collectively the “HIPAA Rules”) when using tracking technologies. This blog post provides the key information regulated entities should know about their obligations under HIPAA when they, or their business associates, use tracking technologies.

Third-party Tracking

The Bulletin specifically focused on the use of third-party tracking technologies. Tracking technologies collect and track information from users of websites and mobile applications in many ways. Generally speaking, tracking technologies are automated and implemented by website owners and contracted third parties to perform a certain function on a website, such as targeted advertising or sharing analytics about a visitor’s actions. For example, the technologies might track which web pages were accessed by the visitor, where the visitor clicked on the website, and how long a visitor spent on a particular page. Tracking technologies may also enable the website owner and the third party to track the last website the visitor accessed prior to coming to the owner’s website and where the visitor went after visiting the owner’s website.

When regulated entities operate websites or mobile apps utilizing third-party tracking technologies in supporting their healthcare services to patients, information that is collected and shared with these contracted third parties may also contain patient data regulated by the Health Insurance Portability and Accountability Act (HIPAA). In particular, these platforms may track and collect individually identifiable health information (IIHI) or what is more commonly called protected health information (PHI) when subject to HIPAA’s protections. PHI tracked through such technologies might include a medical record number, home address, email address, date of appointment, IP address, geographic location, medical device ID, or any unique identifying code. The Bulletin states that all IIHI collected from a patient user on a regulated entity’s website or mobile app is considered PHI, even if it does not include specific treatment details. Even if the user does not have a relationship with the regulated entity, the information, by virtue of being collected from the regulated entity’s website, connects the individual user to the regulated entity. If such information is shared with a third party through such a tracking technology service, the HIPAA Rules may apply just as they would in traditional information sharing between regulated entities.

The Bulletin reminds regulated entities that any third-party tracking technologies utilized on these platforms must be configured so that:

  1. PHI is only used or disclosed in compliance with the HIPAA Privacy Rule;

  2. Any electronic PHI collected is protected and secured according to the HIPAA Security Rule.

Furthermore, by using third-party tracking technologies, regulated entities may be disclosing information that is also PHI to the tracking technology vendors. If so, the tracking technology vendors may be considered “business associates” per the Bulletin “if they create, receive, maintain, or transmit PHI on behalf of a regulated entity for a covered function (e.g., health care operations) or provide certain services to or for a covered entity (or another business associate) that involve the disclosure of PHI.” When a tracking technology vendor is considered a business associate, the regulated entities must enter into a business associate agreement (BAA) to ensure tracking technology vendors are safeguarding PHI under HIPAA Rules.

HIPAA’s Applicability

The HIPAA Rules, which are made up of the Privacy, Security, and Breach Rules, set out requirements for covered entities to properly collect, process, and safeguard PHI. As discussed above, regulated entities must adhere to the HIPAA Rules when utilizing tracking technologies that can access PHI. A few requirements of the HIPAA Rules include:

  • Ensuring any disclosures to tracking technology vendors are allowed under the HIPAA Privacy Rule and only provide the minimum necessary PHI to fulfill the purpose of the disclosure;
  • Entering into BAA’s with tracking technology vendors that are considered “business associates;”
  • Implementing administrative, physical, and technical safeguards to protect PHI; and
  • Complying with the requirements of the Data Breach Rule in the event of an impermissible disclosure of PHI to a tracking technology vendor.

The Bulletin’s guidance is vital for regulated entities to understand and implement, to the extent applicable. Regulated entities should review current practices on websites and mobile apps to ensure current practices do not violate HIPAA Rules. Furthermore, regulated entities should account for such technology in their regular risk analysis and risk management procedures. Regulated entities seeking to implement new technologies should also ensure future practices align with this guidance and the HIPAA Rules.

Taft’s Privacy and Data Security attorneys can assist in answering any questions or advising on how to manage, train, and mitigate risks associated with privacy, data management, and cybersecurity, as well as what to do after a breach or other cyberattack occurs. Stay tuned to our Taft Privacy and Data Security Insights or download our mobile app for more news and information.