HHS-OCR Issues Bulletin Regarding Use of Online Tracking by HIPAA Covered Entities

Posted on Health Care Law News by Sydney Madow

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently updated a Bulletin regarding the use of online tracking technologies by HIPAA covered entities, as well as by business associates such as mobile app or website developers. OCR updated the Bulletin “because of the proliferation of tracking technologies collecting sensitive information” about users online. This Bulletin updates a December 2022 Bulletin and clarifies OCR’s interest in ensuring that covered entities have assessed the risks of collecting electronic PHI and have taken steps to mitigate those risks in order to comply with HIPAA.

Online tracking technologies include scripts or code on a website or within a mobile app designed to gather and track information about individuals using the website or app. This information is often used by third parties or by the creators of the website or app to conduct data analytics or improve functionality, but it can lead to inadvertent HIPAA breaches, among other negative consequences for healthcare entities and their patients. These tracking methods are often not disclosed to users and involve cookies, tracking pixels (an HTML code snippet imperceptible to users that is automatically loaded when the user visits a website or completes an action on it), scripts that enable website or app designers to replay user sessions, or “fingerprinting scripts” that collect and track specific information about users. Although these technologies are typically not deployed for nefarious purposes, the data they gather can contain sensitive information that hackers or other criminals could use to commit identity theft. The information gathered by tracking technologies could be considered individually identifiable health information, for example medical records, dates of appointments, the user’s device ID or geographic location, or their home address.

OCR also clarified that having a technology vendor de-identify or remove PHI is insufficient to comply with HIPAA without authorization from the users, or without a signed business associate agreement (BAA) together with an applicable Privacy Rule permission. HIPAA covered entities and business associates are cautioned to determine whether their website and app developers meet the definition of a business associate. If a covered entity does not want to create a business relationship that meets the definition of a business associate, it must obtain individual users’ authorizations before disclosing any individually identifying information or PHI to that technology vendor. If a breach involving online tracking technology occurs, the reporting process is the same as for any other type of breach: HIPAA covered entities must notify the affected individuals and OCR as soon as possible, which can be a significant and expensive undertaking. The Bulletin can be accessed directly by visiting the HHS webpage.

The attorneys of Nicholson & Eastin routinely advise health care providers in HIPAA compliance matters and HIPAA breach notifications to patients and HHS/OCR. If you are a health care provider, covered entity or business associate and would like regulatory and compliance advice regarding HIPAA, please do not hesitate to contact us.