OCR Bulletin Addresses HIPAA’s Application to Online Tracking Technologies

HHS’s Office for Civil Rights (OCR) has issued a bulletin to highlight the HIPAA privacy, security, and breach notification obligations imposed on covered entities (including health plans and most health care providers) and business associates (together “regulated entities”) when using online tracking technologies. As background, a tracking technology is a script or code on a website or mobile application used to collect and analyze information about users as they interact with the website or mobile application. The bulletin addresses potential impermissible disclosures of protected health information (PHI) by focusing on regulated entities’ obligations when using third party tracking technologies. Specifically, the bulletin addresses:

• Tracking on Webpages. The bulletin explains that tracking technologies on a regulated entity’s user-authenticated webpages, which require a user to log in, generally have access to PHI such as identifying information. Thus, a regulated entity is required to configure any user-authenticated webpages that include tracking technologies to allow such technologies to only use and disclose PHI in compliance with the HIPAA privacy rule. Similarly, it must ensure that any electronic PHI collected through its website is protected and secured in accordance with the HIPAA security rule. Tracking technologies on regulated entities’ unauthenticated webpages, which do not require a user to log in, generally do not have access to individuals’ PHI. However, the bulletin includes specific examples of unauthenticated webpages that may have access to PHI—in which case, the HIPAA rules would apply.
• Tracking Within Mobile Applications. Mobile applications or “apps” that regulated entities commonly offer to individuals to help manage their health information collect a variety of information provided by the user that is considered PHI and, therefore, is subject to the HIPAA rules. The bulletin notes, however, that the HIPAA rules do not protect the privacy and security of information that users voluntarily download or enter into mobile apps that are not developed or offered by or on behalf of regulated entities, regardless of where the information came from.
• HIPAA Compliance Obligations. The bulletin provides several examples of the HIPAA requirements that regulated entities must meet when using tracking technologies with access to PHI. These requirements include: (1) ensuring that all disclosures of PHI to tracking technology vendors are specifically permitted by the HIPAA privacy rule and that, unless an exception applies, only the minimum necessary PHI is disclosed to achieve the intended purpose; (2) establishing a business associate agreement with a tracking technology vendor that qualifies as a business associate; (3) addressing the use of tracking technologies in the regulated entity’s risk analysis and risk management processes; and (4) providing breach notification when there has been an impermissible disclosure of PHI to a tracking technology vendor that compromises the privacy or security of PHI.

EBIA Comment: OCR points out that the proliferation of tracking technologies has made it critical “now more than ever,” for covered entities and business associates to ensure that they only disclose PHI as permitted under the HIPAA rules. The bulletin provides an overview of tracking technologies, as well as insight and examples of potential impermissible disclosures. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXII (“Privacy, Security, and EDI: What Information Is Protected and Which Entities Must Comply”), XXIV (“Business Associate Contracts”), and XXV (“Breach Notification for Unsecured PHI”).

Contributing Editors: EBIA Staff.