HHS Issues HIPAA Guidance on Use of Online Tracking Technologies


On December 1, 2022, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a bulletin reminding HIPAA covered entities and business associates (“regulated entities”) of their obligations when using online tracking technologies. The bulletin emphasizes that regulated entities may disclose PHI only as expressly permitted or required under the HIPAA Privacy Rule.

Online tracking technologies (e.g., cookies, scripts and pixels) provided by third-party vendors such as Google Analytics or Meta Pixel collect and analyze information about how internet users interact with a regulated entity’s website or mobile application. HHS indicated in its press release that some regulated entities regularly share electronic protected health information (ePHI) with third-party online tracking technology vendors, and that some may be doing so in a way that violates the HIPAA Rules. The HIPAA Rules apply whenever the information that regulated entities collect through tracking technologies, or disclose to tracking technology vendors, includes ePHI. Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of ePHI to tracking technology vendors or in any other violation of the HIPAA Rules.

The information collected through tracking technologies on websites or mobile apps might include an individual’s medical record number, home or email address, or dates of appointments, as well as an individual’s IP address or geographic location, medical device IDs or any other unique identifying code. The bulletin clarifies that all such individually identifiable health information collected on a regulated entity’s website or mobile app is protected health information (PHI), even if the individual does not have an existing relationship with the regulated entity, and even if the individually identifiable health information (such as an IP address or geographic location) does not include specific treatment or billing information like the dates and types of healthcare services.

The HIPAA Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, paper or oral. PHI is information, including demographic data, that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. HIPAA covered entities include health plans, healthcare clearinghouses and certain healthcare providers.

Though the bulletin addresses many issues that apply primarily to providers and insurance companies, employers should conduct routine risk assessments and review their HIPAA obligations with their advisers and outside counsel. A comprehensive strategy for adhering to HIPAA’s privacy, security and breach response requirements should incorporate this latest bulletin on online tracking technologies.

HHS OCR Bulletin »
HHS Press Release »

This material was created by NFP Corp. (NFP), its subsidiaries, or affiliates for distribution by their registered representatives, investment advisor representatives, and/or agents. Compliance, regulatory and related content is for general informational purposes and is not guaranteed to be accurate or complete. You should consult an attorney or tax professional regarding the application or potential implications of laws, regulations or policies to your specific circumstances. NFP and its subsidiaries do not provide legal or tax advice.