HIPAA and online tracking are currently crucial subjects. On March 18, 2024, OCR updated its guidance on “HIPAA Covered Entities and Business Associates’ Use of Online Tracking Technologies.” Its goal is to remind the public and regulated entities that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) apply to the use of online tracking technologies. These web-based tracking tools, such as Google Analytics or Meta Pixel, collect and analyze data about user behavior on a regulated entity’s website or mobile application.
OCR recently reminded regulated entities that they are permitted to use online tracking tools, as long as they follow the HIPAA Rules. The HIPAA Rules come into play when regulated entities collect information through tracking technologies, or provide information to tracking technology vendors, that contains electronic protected health information (ePHI). Regulated entities may not use tracking technologies in a way that would violate the HIPAA Rules or lead to the unlawful disclosure of ePHI to tracking technology vendors.
A recent OCR Bulletin gave a broad summary of how the HIPAA Rules apply to the use of tracking technologies by covered entities and business associates.
What is meant by tracking technology?
It is the code or script on a website or mobile application that collects users’ information. While this data could be used to improve customer care, there is a risk that it could be misused for identity theft, harassment, stalking, or the spread of false information and other misinformation.
To track and gather user data, websites frequently use technologies such as cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts. Mobile applications may also gather information about the user’s mobile device and embed tracking code that collects information directly from the user.
Application of HIPAA Regulations to Tracking
The information disclosed may include a person’s IP address or geographic location, device IDs, any unique identifying code, medical record number, home or email address, or appointment dates. When transmitted or stored by a regulated entity, such information may often qualify as individually identifiable health information (IIHI), which is a step toward meeting the definition of PHI. If it relates in any way to the person’s past, present, or future health, medical treatment, or payment for care, the information is subject to the HIPAA privacy requirements.
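As an added illustration, not from the OCR bulletin or this article, of the kind of check a privacy or security team can run against the identifiers listed above and the tracking technologies described earlier: the script below audits constructed tracker beacon URLs, shaped like Meta Pixel and Google Analytics requests, for a medical record number, appointment details or a condition page being passed to the vendor. The tracker hostnames, parameter names and sample URLs are assumptions.

```python
"""Audit captured tracker beacon URLs for PHI-like fields (added example)."""
from urllib.parse import urlsplit, parse_qs
# Hypothetical tracking-vendor hosts an auditor would maintain (assumption).
TRACKER_HOSTS = {"www.facebook.com", "www.google-analytics.com"}
# Parameter names that commonly carry identifiers named in the bulletin.
SENSITIVE_PARAMS = {"mrn", "patient_id", "email", "dob", "appt", "appointment"}
# Beacon parameters that embed the URL of the page the visitor was viewing.
PAGE_URL_PARAMS = {"dl", "dr"}
# Path words suggesting a page tied to a condition, treatment or visit.
SENSITIVE_PATH_WORDS = ("appointment", "condition", "result", "prescription")

def split_url(url):
    """Return the URL parts and a flat {name: first value} query dict."""
    parts = urlsplit(url)
    return parts, {k: v[0] for k, v in parse_qs(parts.query).items()}

def audit_request(url):
    """Return (tracker_host, finding) tuples for one captured request URL."""
    parts, params = split_url(url)
    findings = []
    if parts.hostname not in TRACKER_HOSTS:
        return findings  # first-party request: out of scope for this check
    for name, value in params.items():
        if name.lower() in SENSITIVE_PARAMS:
            findings.append((parts.hostname, f"param:{name}"))
        if name.lower() in PAGE_URL_PARAMS:
            # parse_qs already percent-decoded the embedded page URL once,
            # so it can be split like any other URL and inspected again.
            inner, inner_params = split_url(value)
            for iname in inner_params:
                if iname.lower() in SENSITIVE_PARAMS:
                    findings.append((parts.hostname, f"{name}.param:{iname}"))
            for word in SENSITIVE_PATH_WORDS:
                if word in inner.path.lower():
                    findings.append((parts.hostname, f"{name}.path:{word}"))
    return findings

def audit_all(urls):
    """Map each URL to its findings; an empty list means nothing was flagged."""
    return {u: audit_request(u) for u in urls}

# Constructed sample beacons, shaped like Meta Pixel and GA4 requests.
SAMPLE_REQUESTS = [
    "https://www.facebook.com/tr?id=111&ev=PageView&dl=https%3A%2F%2Fportal"
    ".example%2Fappointments%3Fmrn%3D00123456%26date%3D2024-04-02",
    "https://www.google-analytics.com/g/collect?v=2&tid=G-TEST"
    "&dl=https%3A%2F%2Fclinic.example%2Fconditions%2Fdiabetes",
    "https://clinic.example/static/logo.png",  # first-party asset, no finding
]
```

On real traffic the input would be the request URLs exported from a browser HAR capture; a non-empty finding list is the signal to review how that tracker is configured on the page.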
Tracking on Websites Authenticated by Users
Under the HIPAA Privacy Rule, a regulated entity must configure any tracking technology on a user-authenticated webpage so that it uses and discloses PHI only as the Privacy Rule permits. The HIPAA Security Rule requires the entity to ensure the security and protection of any electronic protected health information (ePHI) collected through its website.
An important consideration is that tracking technology vendors are business associates. Such vendors must sign a business associate agreement (BAA) with the regulated entity to ensure that PHI is safeguarded in compliance with the HIPAA Rules.
Tracking on Unauthenticated Websites
Regulated entities’ websites may also include unauthenticated pages, which users can view without first logging in. These pages provide general details about the regulated entity, such as its address, hours of operation, and job openings. Even so, tracking technology on such pages (for example where users sign in) may occasionally have access to PHI, and in those cases the HIPAA Rules must be followed. When using tracking technologies, regulated entities need to consider whether the vendor will receive or use any PHI and take the necessary precautions to ensure that the HIPAA Rules are strictly followed.
Tracking in Mobile Applications
Mobile apps allow people to pay their bills and manage their health information. They collect data supplied by the app’s user as well as data supplied by the user’s device, including fingerprints, device ID, geolocation, network location, and advertising ID. Generally speaking, this data is PHI and must be safeguarded in accordance with the HIPAA Rules.
However, the HIPAA Rules do not protect the privacy or security of data that users voluntarily download to or enter into mobile applications that are not developed or offered by, or on behalf of, regulated entities, regardless of where the data came from. The HIPAA Privacy Rule does not apply to such apps.
It is also important to keep in mind that the Federal Trade Commission (FTC) Act and the FTC’s Health Breach Notification Rule (HBNR) can apply in cases where a mobile health app improperly discloses a user’s medical records.
The Enforcement Priorities of OCR
OCR is currently concentrating its HIPAA and online tracking technology enforcement on compliance with the HIPAA Security Rule. Its primary focus in this area is making sure that regulated entities have applied the Security Rule standards to ensure the confidentiality, integrity, and availability of ePHI, and have identified, assessed, and reduced the risks to ePHI when using online tracking technologies.