The United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a bulletin to clarify existing requirements regarding the use of third-party tracking technologies in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) under the HIPAA Privacy, Security, and Breach Notification Rules (HIPAA Rules), which apply to regulated entities (covered entities and business associates).
The bulletin notes that regulated entities “are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.” Tracking technologies collect information and track users in different ways, including cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts. Mobile apps sometimes include or embed tracking code that allows the app to collect information provided directly by the user and may also capture information about the user’s mobile device.
Additionally, HHS OCR notes that although regulated entities have never been permitted to impermissibly disclose PHI to tracking technology vendors, the proliferation of tracking technologies collecting sensitive information makes it critical, in the Agency’s view, for regulated entities to ensure that they disclose PHI only as expressly permitted or required by the HIPAA Privacy Rule. It is important to note that a regulated entity’s failure to comply with the HIPAA Rules may result in a civil monetary penalty.
The bulletin states that a regulated entity may actually violate the HIPAA Rules even if its website or app only collects the IP address of a web visitor, without collecting any treatment or billing information. It also states that information gathered through tracking technologies – including individually identifiable health information – is “generally” protected health information, even if the individual does not have an existing relationship with the regulated entity.
HIPAA Compliance Obligations
The bulletin sets forth guidance to ensure compliance with the HIPAA Rules and provides examples of impermissible disclosures of electronic protected health information to tracking technology vendors.
Regulated entities must ensure that all disclosures of protected health information to tracking technology vendors are specifically permitted by the HIPAA Privacy Rule and that only the minimum necessary protected health information is disclosed to achieve the intended purpose (unless an exception applies). Additionally, while a regulated entity may disclose its use of tracking technologies in its privacy policy, notice, or terms and conditions of use, the Privacy Rule does not permit disclosures of protected health information to a tracking technology vendor based solely on the regulated entity having informed individuals, in its privacy policy, notice, or terms and conditions of use, that it plans to make such disclosures.
Tracking technology vendors must also have signed a business associate agreement if they meet the definition of a business associate. The business associate agreement must specify the permitted and required uses and disclosures of protected health information and must provide that the vendor will safeguard the information and report any security incidents to the regulated entity. If the regulated entity does not wish to create a business associate relationship with the vendor, or if the chosen vendor cannot provide “written satisfactory assurances” that it will appropriately safeguard protected health information, the entity cannot disclose protected health information to the vendor without individual authorizations.
Filing a Complaint
If you believe health privacy rights have been violated – including through tracking technology vendors – you can file a complaint online with the Office for Civil Rights.