The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) recently issued a bulletin on the application of the HIPAA Privacy, Security, and Breach Notification Rules when using online tracking technologies. The bulletin defines tracking technologies, gives examples of potentially impermissible disclosures of electronic Protected Health Information (ePHI) to online tracking technology vendors by HIPAA-regulated entities, and provides an overview of the steps regulated entities must take to protect ePHI and comply with the HIPAA Rules when using tracking technologies.
A regulated entity may use tracking technologies on its website or mobile app to collect and analyze information about how users interact with that website or app, and it may provide that information to technology vendors, which in turn may analyze the user activity. The HIPAA Rules apply when the information a regulated entity collects through a tracking technology, or discloses to a tracking technology vendor, includes Protected Health Information (PHI). In the bulletin, OCR emphasizes that regulated entities are not permitted to use tracking technologies in a manner that results in impermissible disclosures of PHI to tracking technology vendors or in other violations of the HIPAA Rules. OCR notes that regulated entities may be subject to civil penalties for non-compliance with the HIPAA Rules.
PHI and tracking technology
OCR explains that when a HIPAA-regulated entity uses tracking technologies on its website or mobile app, the data collected by those technologies is often PHI. Specifically, information such as an individual's medical record number, home or email address, appointment dates, IP address or geographic location, medical device ID, or any unique identifying code may be PHI even if the data does not include specific treatment or billing information, such as the dates or types of health care services. OCR reasons that when such information connects an individual to a regulated entity (i.e., indicates that the individual has received or will receive health care services or benefits from the covered entity), it relates to the individual's past, present, or future health care or payment for that care.
Applicability to various tracking technologies
OCR provides guidance and examples on how the HIPAA Rules apply to regulated entities' use of tracking technologies on user-authenticated web pages, unauthenticated web pages, and mobile apps.
- Tracking on user-authenticated web pages: OCR states that regulated entities must configure any tracking technologies on user-authenticated web pages (i.e., pages that require a user to log in, such as patient or health plan beneficiary portals and telehealth platforms) so that PHI is used and disclosed only as permitted by the HIPAA Privacy Rule, and must ensure that ePHI collected through the website is protected and secured in accordance with the HIPAA Security Rule. In addition, a regulated entity that engages a tracking technology vendor that receives PHI, or that provides certain services on the entity's behalf, must confirm that disclosures to that vendor are permitted by the Privacy Rule and that the vendor protects the PHI in accordance with the HIPAA Rules.
- For example, if an individual makes an appointment through a covered clinic's website and that website uses third-party tracking technology, the website may automatically transmit information about the appointment and the individual's IP address to the tracking technology vendor. In this case, the tracking technology vendor is a business associate, and a business associate agreement (BAA) is required.
- Tracking on unauthenticated web pages: OCR states that because tracking technologies on a regulated entity's unauthenticated web pages generally do not have access to an individual's PHI, the HIPAA Rules generally do not apply to the use of such technologies. However, OCR gives examples of tracking technologies on unauthenticated web pages that may have access to PHI, in which case the HIPAA Rules apply to the regulated entity's use of the tracking technology and to disclosures to the tracking technology vendor. For example:
- The HIPAA Rules apply when tracking technologies on a regulated entity's patient portal login page or registration page collect an individual's login or registration information.
- The HIPAA Rules apply when tracking technologies collect an individual's email address or IP address when the individual visits a regulated entity's web page to search for available appointments with a health care provider. OCR notes that this may also apply when the web page addresses specific health conditions, such as pregnancy or miscarriage.
- Tracking within mobile apps: OCR states that regulated entities must comply with the HIPAA Rules for any PHI that individuals provide through the entity's mobile apps, including with respect to any subsequent disclosure to mobile app vendors, tracking technology vendors, or other third parties that receive such information. OCR notes that the HIPAA Rules do not protect the privacy and security of information that users voluntarily download or enter into mobile apps that are not developed or offered by or on behalf of a regulated entity. In such cases, OCR notes that other laws, including the Federal Trade Commission (FTC) Act and the FTC's Health Breach Notification Rule (HBNR), may apply when a mobile health app discloses a user's health information without authorization.
- For example, the HIPAA Rules apply to PHI collected by a covered clinic through the clinic's mobile app that patients use to track pregnancy-related health variables, such as menstrual cycle, body temperature, and contraceptive prescription information.
Compliance Obligations for Regulated Entities
OCR outlines the HIPAA Privacy, Security, and Breach Notification Rule requirements that regulated entities must meet when using tracking technologies that have access to PHI. OCR states that regulated entities must ensure that every disclosure of PHI to a tracking technology vendor is specifically permitted by the Privacy Rule and that only the minimum amount of PHI necessary to achieve the intended purpose is disclosed. OCR also states that it is not sufficient for a tracking technology vendor merely to agree to remove or de-identify PHI from the information it receives before storing it; rather, a disclosure of PHI to a vendor requires either the individual's authorization or a signed BAA with the vendor together with a permissible purpose for the disclosure.
OCR notes that a website’s or mobile app’s privacy policy, notice, or terms of use are not sufficient to meet HIPAA requirements.
Takeaway
Regulated entities should evaluate their relationships with tracking technology vendors to determine whether the data disclosed to them is PHI, determine whether those vendors meet the definition of a business associate, and ensure that any disclosure to those vendors is permitted by the Privacy Rule.
OCR recommends that regulated entities address the use of tracking technologies in their risk analysis and risk management processes and implement other safeguards required by the Security Rule, including encryption of ePHI transmitted to tracking technology vendors. OCR also reminds regulated entities that, where PHI is disclosed to a tracking technology vendor without a Privacy Rule requirement or permission for the disclosure and without a BAA in place, the entity must provide breach notification to the affected individuals, HHS, and the media regarding the impermissible disclosure of PHI to the vendor.
Notably, many of the examples focus on reproductive health information. As we have previously discussed, the Biden administration and OCR have taken steps to ensure compliance with privacy protections for sensitive reproductive health information, including under HIPAA. We expect further clarification from the government on the protection of health information, particularly in connection with reproductive health services, and will continue to follow these developments.
For more information, or to better understand how this guidance may affect your organization, please contact the experts listed below or your usual Crowell & Moring contacts.