Regulated Entities Prohibited from Using Tracking Technologies to Disclose Protected Health Information Under HIPAA

By Samantha Jones

Mar 29, 2024
McCarter & English, LLP Releases Bulletin on Updated OCR Guidelines for Online Tracking Technologies Used by HIPAA Covered Entities and Business Associates

On March 18, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services released an updated bulletin on the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates. The bulletin emphasized that regulated entities are prohibited from using tracking technologies for impermissible disclosures of protected health information (PHI) to tracking technology vendors or for any violations of the HIPAA Rules.

Tracking technology is defined in the bulletin as a script or code on a website or mobile app that collects information about users or their actions as they interact with the platform. The bulletin highlighted three areas where entities may be using tracking technology: user-authenticated pages, unauthenticated pages, and mobile apps, and explained how the information gathered in these places can lead to the disclosure of PHI.

The bulletin reminded regulated entities of their HIPAA compliance obligations when using tracking technologies, which include obtaining individuals’ authorizations and ensuring that business associate agreements with tracking technology vendors are in place. The bulletin also provided guidance on OCR’s enforcement priorities in this area, focusing on whether entities have assessed and mitigated risks to electronic PHI when using online tracking technologies and whether they have implemented the Security Rule requirements needed to protect the confidentiality, integrity, and availability of electronic PHI.

This updated bulletin follows OCR’s December 2022 bulletin, which is currently being challenged in American Hospital Association v. Rainer, Case No. 4:23-cv-01110-P (N.D. Tex. 2023). The lawsuit alleges substantive and procedural defects in the previous bulletin. Monitoring of OCR’s enforcement of the updated bulletin, and of its potential impact on the lawsuit, is ongoing.

In summary, regulated entities must comply with the HIPAA Rules when using online tracking technologies, so that they do not disclose PHI to third parties or otherwise violate rules governing the use of these technologies. They must obtain individuals’ authorizations before collecting data through these technologies and ensure that the vendors with whom they share data are bound by business associate agreements that meet HIPAA requirements.

Furthermore, OCR has identified three areas where entities may be using tracking technology: user-authenticated pages, unauthenticated pages, and mobile apps.

Entities must assess risks associated with these areas carefully and take appropriate measures to protect electronic PHI from unauthorized access or disclosure.

Finally, OCR’s enforcement priorities focus on compliance with the Security Rule requirements that apply to the use of online tracking technologies.

Monitoring for further legal challenges on this topic is ongoing, as OCR’s previous guidance on the use of online tracking technologies under HIPAA is currently the subject of litigation.
