On March 18, 2024, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued updated guidance on the “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” This guidance serves as a reminder to regulated entities about their obligations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules (HIPAA Rules) when utilizing online tracking technologies.
Online tracking technologies, such as Google Analytics or Meta Pixel, are commonly used to collect and analyze information about how users interact with a regulated entity’s website or mobile application. The HIPAA Rules come into play when regulated entities collect information through tracking technologies or disclose data to tracking technology vendors. Specifically, these rules apply when the information collected or shared includes electronic protected health information (ePHI).
The updates include:
- Additional examples of when visits to an unauthenticated webpage may or may not involve the disclosure of ePHI.
- Additional tips for complying with the HIPAA Rules when using online tracking technologies.
- Guidance about OCR’s enforcement priorities in investigations involving regulated entities’ use of online tracking technologies.
To view the updated guidance, click here.
Compliance Perspective
Issue
Regulated entities are allowed to use tracking technologies, but only if they comply with their obligations under the HIPAA Rules. It is crucial to avoid any use of tracking technologies that would lead to impermissible disclosures of ePHI to tracking technology vendors or violate other aspects of the HIPAA Rules. Improper handling of ePHI can have serious consequences, including civil penalties.
Discussion Points
- Review policies and procedures related to the HIPAA Rules and business associate agreements. Ensure that they address the use of online tracking technologies. Update as new information becomes available.
- Train appropriate staff on the use of online tracking technologies and HIPAA. Train all staff on HIPAA, ePHI, and the HIPAA Rules. Document that the trainings occurred and file in each employee’s education file. Provide additional training as new information becomes available.
- Periodically audit to ensure that tracking technologies are not being used in a manner that results in impermissible disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA Rules. Also audit to ensure that the facility’s policies and procedures for HIPAA, ePHI, and the HIPAA Rules are being followed by staff, and that each person demonstrates understanding and competency.
*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*
