Published April 26, 2024

A PYA Q&A: HIPAA Compliance with Use of Tracking Technologies

On March 18, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) updated its guidance for covered entities and business associates regarding the use of online tracking technologies under the HIPAA Privacy, Security, and Breach Notification Rules. The guidance[1], entitled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates,” clarifies the application of the HIPAA Rules to these technologies.

What are Tracking Technologies?

Tracking technologies are online methods used to collect information about users through their interaction with websites or mobile applications. Often, users are unaware of these tracking methods. The information gathered can include visited websites, duration of visits, user locations, IP addresses, and personal information. Mobile applications typically use embedded tracking codes to collect data entered by users as well as information related to the user’s mobile device, such as device IDs and email addresses. Websites employ various tracking methods including these and others:

  • Cookies: Text files that store data such as usernames and passwords to identify users and enhance their browsing experiences. For instance, when a website prompts a user to “Accept all cookies,” it enables the server to access user IDs and tailor the browsing experience based on the user’s previous online activity.
  • Web Beacons: Graphic pixels that track when a user accesses part of a webpage. These, combined with cookies, help website owners understand user behavior and preferences.
  • Session Replay Scripts: Third-party tools that record user activities like mouse movements, keystrokes, and clicks. These scripts are valuable for analyzing how users interact with a website but can potentially access sensitive information.

How Do the HIPAA Rules Apply to Tracking Technologies?

While tracking technologies can be beneficial, the OCR emphasizes that HIPAA-regulated entities must not use these technologies in ways that improperly disclose Protected Health Information (PHI) or otherwise violate the HIPAA Rules. For example:

  • User-authenticated Webpages: Regulated entities must ensure these webpages only use tracking technologies in ways that comply with the HIPAA Privacy Rule and ensure any collected electronic PHI (ePHI) is secure, as required by the HIPAA Security Rule. Vendors handling ePHI on behalf of a regulated entity are considered business associates, necessitating a business associate agreement (BAA).
  • Unauthenticated Webpages: If tracking technologies on such webpages can access ePHI, regulated entities must ensure their use complies with the HIPAA Rules and that the ePHI is encrypted and secured.
  • Mobile Applications: For apps provided by regulated entities, the collected information must be protected under the HIPAA Security Rule and any disclosures must comply with the Privacy Rule. Voluntarily provided information in other apps would not be regulated by HIPAA.

What are the Key Takeaways?

Regulated entities must ensure compliance with the HIPAA Rules when using tracking technologies. Compliance can be achieved by these and other strategies:

  • Ensuring all ePHI disclosures to vendors comply with the HIPAA Privacy Rule: Regulated entities that wish to share ePHI with vendors must do more than simply inform users and request their acknowledgment that tracking technologies are in use.
  • Reviewing relationships with vendors to determine if they qualify as business associates: If a vendor creates, maintains, or transmits ePHI on behalf of a covered entity, a BAA is required, and any disclosures made to the vendor must be permitted by the Privacy Rule.
  • Implementing appropriate safeguards as specified in organizational policies and procedures: Procedures should include encryption, access, authentication, and audit controls used to protect the associated ePHI.
  • Conducting regular risk analyses and management processes to address the use of tracking technologies.
  • Ensuring breach notification procedures are in place to notify affected individuals, the HHS secretary, and the media (if applicable) when an impermissible disclosure of PHI to a tracking technology vendor occurs.
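As an added illustration (not part of PYA's article or the OCR guidance), the following Python script inventories the third-party hosts that a patient-portal page would contact through scripts, tracking pixels and iframes, and flags those without a business associate agreement on file, supporting the vendor-review takeaway above. The page fragment, host names and BAA allowlist are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: fragment of an authenticated patient-portal page that loads
# an analytics tag, a session-replay script and a tracking pixel from other hosts.
SAMPLE_HTML = """<html><head>
<script src="https://portal.example-hospital.test/static/app.js"></script>
<script src="https://cdn.analytics-vendor.test/tag.js"></script>
<script src="https://replay.session-vendor.test/record.js"></script>
</head><body>
<img src="https://pixel.ad-vendor.test/p.gif?page=/appointments&amp;dx=diabetes" width="1" height="1">
<img src="/images/logo.png">
<iframe src="https://chat.baa-vendor.test/widget"></iframe>
</body></html>"""

FIRST_PARTY = "portal.example-hospital.test"   # the regulated entity's own host
BAA_VENDORS = {"chat.baa-vendor.test"}         # hypothetical: vendors with a BAA on file
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

class ThirdPartyFinder(HTMLParser):
    """Records every script, image, iframe or link resource fetched from another host."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(RESOURCE_ATTRS.get(tag, ""))
        if not url:
            return
        parts = urlsplit(url)
        host = parts.netloc.lower()
        if not host or host == FIRST_PARTY:   # relative or first-party resource
            return
        self.findings.append({
            "tag": tag,
            "host": host,
            "has_baa": host in BAA_VENDORS,
            "query_params": bool(parts.query),   # data leaving in the request URL itself
        })

def audit(html):
    """Return the third-party resources a page would contact when rendered."""
    parser = ThirdPartyFinder()
    parser.feed(html)
    return parser.findings

def needs_review(html):
    """Third-party hosts that receive requests from this page without a BAA on file."""
    return sorted({f["host"] for f in audit(html) if not f["has_baa"]})
```

Running `needs_review(SAMPLE_HTML)` lists the analytics, session-replay and pixel hosts, and the `query_params` flag on the pixel shows that page data is carried in the request URL itself; in practice the same inventory should be taken from the live page, since many trackers are injected by scripts rather than present in the static HTML.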

The OCR’s updated guidance highlights necessary cybersecurity measures and risk management strategies to help regulated entities adhere to HIPAA requirements. These entities must thoroughly evaluate their processes and business agreements to ensure compliance.

If you would like assistance with cybersecurity, compliance with HIPAA, information technology (IT) infrastructure, or any matter related to compliance, operations, or strategy, our executives are happy to help. Please contact them via email or by calling (800) 270-9629.

Learn about PYA’s IT risk management program, PYA Overwatch™.


Authors & Contributors

Whit Sprinkle
