Paubox blog: HIPAA compliant email made easy

Summary: OCR's bulletin on online tracking by HIPAA covered entities

Written by Liyanda Tembani | March 26, 2024

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has issued a bulletin to explain the responsibilities of HIPAA covered entities and business associates regarding online tracking technologies. This guidance aims to clarify the obligations outlined in the HIPAA Privacy, Security, and Breach Notification Rules in the context of digital data collection.


The use of tracking technologies by HIPAA covered entities

The bulletin defines tracking technologies as scripts or code embedded in websites or mobile applications (apps) to gather and analyze user interactions. While these technologies offer insights into user behavior, they also raise concerns about safeguarding protected health information (PHI) and individually identifiable health information (IIHI). Regulated entities, including healthcare providers and their business associates, often use tracking technologies to understand user engagement and improve service delivery.


Overview of tracking technologies

Various tracking technologies, including cookies, web beacons, and session replay scripts, collect user data. These technologies can capture a wide range of information, including user preferences, browsing habits, and device identifiers. While such data collection may serve beneficial purposes, such as improving healthcare services and enhancing user experience, it poses risks like identity theft and privacy breaches. Furthermore, the proliferation of tracking technologies has raised concerns about the potential misuse of sensitive health information for marketing or other unauthorized purposes.


How HIPAA rules apply to tracking technologies

Regulated entities must comply with HIPAA rules when tracking technologies involve the collection or disclosure of PHI or IIHI. Impermissible disclosures of PHI can result in severe consequences, including civil penalties and additional harm to individuals. HIPAA regulations impose strict requirements on the use and disclosure of PHI, requiring security measures and risk management strategies to safeguard patient information. Additionally, regulated entities must ensure that third-party vendors or service providers involved in data collection adhere to HIPAA standards and enter into appropriate business associate agreements (BAAs).



Tracking on user-authenticated webpages

User-authenticated webpages often contain PHI accessible to tracking technologies. Regulated entities must configure these pages to ensure HIPAA compliance and establish BAAs with tracking technology vendors. Furthermore, entities must implement access controls and encryption protocols to protect the confidentiality and integrity of PHI collected through these platforms.


Tracking on unauthenticated webpages

While tracking on unauthenticated webpages may not always involve PHI disclosure, certain circumstances may trigger HIPAA compliance requirements. According to the bulletin, regulated entities must assess whether the information collected constitutes PHI and act accordingly. Moreover, entities should provide clear notice to users regarding tracking technologies and obtain appropriate consent to ensure transparency and compliance with HIPAA regulations.


Tracking within mobile apps

Mobile apps offered by regulated entities may collect PHI from users, requiring compliance with HIPAA rules. However, apps developed by entities not covered by HIPAA are subject to other privacy regulations. The bulletin states that regulated entities must implement robust security measures, such as encryption and access controls, to protect PHI collected through mobile apps and ensure compliance with HIPAA requirements.


HIPAA compliance obligations for regulated entities

According to the OCR, regulated entities must comply with the HIPAA Rules when using tracking technologies. Some examples of the HIPAA Privacy, Security, and Breach Notification requirements that regulated entities must meet when using tracking technologies with access to PHI include:

  1. Ensuring permitted disclosures: All disclosures of PHI to tracking technology vendors must be permitted by the Privacy Rule, and only the minimum necessary PHI to achieve the intended purpose should be disclosed. Regulated entities may identify the use of tracking technologies in their website or mobile app’s privacy policy, notice, or terms and conditions of use. Regulated entities must ensure that all tracking technology vendors have signed a BAA and that there is applicable permission before disclosing PHI.
  2. Establishing business associate relationships: Regulated entities should evaluate their relationships with tracking technology vendors to determine whether they meet the definition of a business associate. A tracking technology vendor is a business associate if it meets the definition, regardless of whether the required BAA is in place. The BAA must specify the vendor’s permitted and required uses and disclosures of PHI and provide that the vendor will safeguard the PHI and report any security incidents, including breaches of unsecured PHI, to the regulated entity.
  3. Risk analysis and management: Address the use of tracking technologies in the regulated entity’s risk analysis and risk management processes. Regulated entities must implement administrative, physical, and technical safeguards per the Security Rule to protect the electronic PHI. This includes encrypting PHI transmitted to tracking technology vendors and enabling appropriate authentication, access, encryption, and audit controls when accessing PHI maintained in the tracking technology vendor's infrastructure.
  4. Breach notification: Regulated entities must provide breach notification to affected individuals, the OCR, and the media (when applicable) of an impermissible disclosure of PHI to a tracking technology vendor that compromises the security or privacy of PHI.
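A practical check that ties together the authenticated/unauthenticated distinction above and obligations 1 and 2 (disclosures only to vendors with a BAA) is to inventory the third-party scripts, beacons and iframes a page loads and flag any vendor that receives data from a logged-in page without a BAA on file. The following is an added example, not code from the OCR bulletin or from Paubox; the first-party origin, authenticated path prefixes, vendor hostnames, BAA list and HTML snippet are all constructed placeholders.

```javascript
// Added example: audit a page's third-party resources against a BAA vendor list.
// All hostnames, paths and the sample HTML below are constructed, not real findings.

const FIRST_PARTY_ORIGIN = "https://portal.example-clinic.test";

// Path prefixes the site serves only to logged-in users (assumed for the example).
const AUTHENTICATED_PREFIXES = ["/patient-portal/", "/appointments/"];

// Tracking vendors with a signed BAA (constructed); any other third party is unmanaged.
const BAA_VENDORS = new Set(["analytics.baa-vendor.test"]);

// Pull script, img (web beacon) and iframe sources out of raw HTML, resolved against the page URL.
function extractResourceUrls(html, pageUrl) {
  const re = /<(?:script|img|iframe)\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const urls = [];
  for (const m of html.matchAll(re)) {
    try { urls.push(new URL(m[1], pageUrl).href); } catch { /* skip malformed URLs */ }
  }
  return urls;
}

function isAuthenticatedPage(pageUrl) {
  const path = new URL(pageUrl).pathname;
  return AUTHENTICATED_PREFIXES.some((prefix) => path.startsWith(prefix));
}

// One finding per distinct third-party host the page loads.
function auditPage(pageUrl, html) {
  const authenticated = isAuthenticatedPage(pageUrl);
  const findings = [];
  for (const href of new Set(extractResourceUrls(html, pageUrl))) {
    const u = new URL(href);
    if (u.origin === FIRST_PARTY_ORIGIN) continue; // first-party assets need no BAA
    const hasBaa = BAA_VENDORS.has(u.hostname);
    let severity;
    if (authenticated && !hasBaa) severity = "high";  // PHI likely disclosed, no BAA in place
    else if (authenticated) severity = "review";      // BAA exists; confirm minimum necessary
    else severity = "low";                            // unauthenticated; assess whether IIHI is collected
    findings.push({ host: u.hostname, hasBaa, authenticated, severity });
  }
  return findings;
}

// Constructed sample: an appointment page embedding a first-party script,
// a BAA-covered analytics tag and an ad-network pixel beacon.
const SAMPLE_HTML = `<html><body>
<script src="/static/app.js"></script>
<script src="https://analytics.baa-vendor.test/tag.js"></script>
<img src="https://pixel.adnetwork.test/px.gif" width="1" height="1">
</body></html>`;

const SAMPLE_FINDINGS = auditPage(FIRST_PARTY_ORIGIN + "/appointments/confirm", SAMPLE_HTML);
```

Run the same audit over a site crawl and the "high" findings are the vendors to remove or bring under a BAA first; "review" findings are where the minimum-necessary standard from obligation 1 should be checked.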