Can healthcare professionals use online tracking while remaining HIPAA compliant?


By adhering to HIPAA requirements and regularly monitoring and adapting their practices, healthcare organizations can use online tracking technologies while safeguarding patient information.


How do online tracking technologies impact healthcare providers?

Through online tracking, organizations can gain valuable insights into patient behavior and preferences. Analyzing user data within their websites and patient portals allows healthcare providers to tailor their websites and mobile apps to provide personalized content, making it easier for patients to access vital healthcare information, schedule appointments, and navigate their health records. 

Online tracking technologies also carry real consequences for healthcare providers under HIPAA. Cookies, web beacons, tracking pixels and similar scripts collect data about user interactions with websites and mobile apps, and that data can include protected health information (PHI). HIPAA applies in each of the following contexts, so the necessary safeguards must be in place before a tracking technology can access PHI:

  1. User-authenticated webpages: HIPAA applies to online tracking on user-authenticated webpages (for example, a patient portal) when the tracker collects, and may disclose, PHI during the user's session. Such PHI includes diagnosis and treatment information, as well as prescription and billing details.
  2. Unauthenticated webpages: Even on unauthenticated webpages, HIPAA rules apply if tracking technologies have access to PHI. For instance, a tracker on a login or registration page that captures information a user enters collects PHI and triggers HIPAA obligations.
  3. Mobile apps by regulated entities: Mobile apps offered by healthcare providers that collect PHI, whether entered by the user or generated by the device, must adhere to HIPAA rules.

See also: Is online tracking HIPAA compliant?


HHS guidance on online tracking 

The U.S. Department of Health and Human Services (HHS) has issued guidance on the use of online tracking technologies in healthcare, specifically with regard to HIPAA. The guidance sets out the obligations of HIPAA covered entities and their business associates when they deploy tracking technologies on their websites and mobile applications, noting that the user data these technologies collect (through cookies, web beacons and the like) can include PHI.

HHS emphasizes that any collection or disclosure of PHI through these technologies must comply with HIPAA. For healthcare providers, this means any tracking technology placed on user-authenticated webpages or in mobile apps has to be configured so that its handling of PHI satisfies the HIPAA Privacy and Security Rules.

See also: BetterHelp fined $7.8M and banned from sharing sensitive data


Are IP addresses PHI?

According to the HHS guidance, individually identifiable health information (IIHI) collected on a regulated entity's website or mobile app is generally considered PHI, even if the individual does not have an existing relationship with the regulated entity, and even if the IIHI, such as an IP address or geographic location, does not include specific treatment or billing information.

The reasoning is that when a regulated entity gathers an individual's IIHI through its website or mobile app, the collection itself links the person to the entity, indicating that the individual has received or will receive healthcare services or benefits from it. That link is what makes the information PHI.


How to ensure compliance in healthcare organizations using online tracking

Implement strong data governance

Develop and enforce clear data governance policies and procedures specific to online tracking. Designate a data steward or privacy officer responsible for overseeing tracking technology compliance. Their role should include maintaining a data inventory that catalogs all PHI collected, processed, or disclosed through tracking technologies, and which vendor receives it.


Configure user-authenticated webpages and mobile apps

Ensure that any tracking technology on user-authenticated webpages or in mobile apps complies with the HIPAA Privacy and Security Rules: it should load only where it is needed, receive only the data it is permitted to receive, and send that data only to vendors permitted to handle PHI. Regularly review and update access permissions based on the principle of least privilege.


Execute business associate agreements (BAAs)

Establish BAAs with tracking technology vendors or third parties that may handle PHI. Ensure that these agreements stipulate how PHI will be protected and specify vendor responsibilities under HIPAA. Furthermore, conduct due diligence to confirm that vendors have appropriate security measures.


Minimum necessary standard

Adhere to the minimum necessary standard when disclosing PHI through tracking technologies. This means avoiding excessive collection or sharing of patient information; only collect and disclose what is required for the intended purpose.
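The two configuration steps above, restricting which vendors authenticated pages may report to and reducing what is reported to the minimum necessary, can be enforced in the web front end before any tracking call leaves the browser. The following is an added example, not Paubox's code or any vendor's SDK: it assumes a hypothetical patient portal whose query parameters `patient_id`, `mrn`, `appt`, `diagnosis` and `rx` carry PHI, and a hypothetical vendor host `analytics.example-baa-vendor.com` that has a signed BAA. Every name and URL below is an assumption for illustration.

```javascript
// Added example (hypothetical portal and vendors, not the page's own code).
// Gate placed in front of third-party tracking calls so that:
//  (1) pages behind authentication only report to vendors with a signed BAA;
//  (2) the reported payload is the minimum necessary: no fragment, no
//      PHI-bearing query parameters, and no record identifiers in the path.

// Vendors with an executed BAA (hypothetical host name).
const VENDORS_WITH_BAA = new Set(["analytics.example-baa-vendor.com"]);

// Query parameters this hypothetical portal uses that carry PHI.
const PHI_QUERY_PARAMS = new Set(["patient_id", "mrn", "appt", "diagnosis", "rx"]);

// Path segments that look like record identifiers: all digits, or a UUID.
const ID_SEGMENT =
  /^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$/i;

// Reduce a page URL to what an analytics vendor needs for a page view:
// scheme, host and a de-identified path, plus any non-PHI parameters.
function sanitizePageUrl(rawUrl) {
  const url = new URL(rawUrl);
  // Fragments often hold in-page state; drop them outright.
  url.hash = "";
  // Copy the keys first: deleting while iterating skips entries.
  for (const key of [...url.searchParams.keys()]) {
    if (PHI_QUERY_PARAMS.has(key.toLowerCase())) {
      url.searchParams.delete(key);
    }
  }
  // Replace identifier-like path segments with a placeholder so that
  // /patients/12345/results becomes /patients/:id/results.
  url.pathname = url.pathname
    .split("/")
    .map((seg) => (ID_SEGMENT.test(seg) ? ":id" : seg))
    .join("/");
  return url.toString();
}

// Build the event a tracker may send, or null if nothing may be sent.
// The event deliberately carries no IP address, form values or user agent:
// under the HHS guidance those are IIHI, and the page view does not need them.
function buildTrackingEvent({ pageUrl, authenticated, vendorHost }) {
  if (authenticated && !VENDORS_WITH_BAA.has(vendorHost)) {
    // Authenticated pages expose PHI; a vendor without a BAA gets nothing.
    return null;
  }
  return {
    vendor: vendorHost,
    page: sanitizePageUrl(pageUrl),
    authenticated: Boolean(authenticated),
  };
}

// Stand-alone demonstration on constructed inputs.
if (typeof require !== "undefined" && require.main === module) {
  console.log(
    buildTrackingEvent({
      pageUrl: "https://portal.example.org/patients/12345/results?diagnosis=E11.9&view=list#lab",
      authenticated: true,
      vendorHost: "analytics.example-baa-vendor.com",
    })
  );
  console.log(
    buildTrackingEvent({
      pageUrl: "https://portal.example.org/patients/12345",
      authenticated: true,
      vendorHost: "pixel.example-adtech.com",
    })
  );
}
```

The gate is only as good as the inventory behind it: `VENDORS_WITH_BAA` and `PHI_QUERY_PARAMS` have to be maintained from the data inventory described under data governance, and the allowlist belongs alongside the BAA records so that a vendor is never added to one without the other. Note that stripping known parameters is a floor, not a guarantee; a URL scheme that embeds PHI in free-form path segments still needs its own rule.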


Security safeguards

Implement technical safeguards to protect electronic PHI (ePHI), including encryption in transit and at rest, access controls, authentication measures, and audit logs. Regularly audit and monitor the systems that host tracking technologies for security breaches or unauthorized access, and review what data each tracker actually transmits rather than relying on what the vendor's documentation says it collects.


Privacy policies and notices

Transparently communicate the use of tracking technologies in your organization's privacy policy, terms of use, or notices. Be aware, however, that disclosure in a privacy policy is not a HIPAA authorization: where a disclosure of PHI to a tracking vendor requires the individual's authorization, that authorization must be obtained separately and must meet HIPAA's requirements.

See also: HIPAA Compliant Email: The Definitive Guide
