On December 1, 2022, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) issued a Bulletin entitled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” that addresses the responsibilities of HIPAA covered entities and business associates (“regulated entities”) when using online tracking technologies. Regulated entities that use tracking technologies on their websites and mobile applications to collect and analyze information about users need to consider these issues carefully, because the information collected may include protected health information (PHI). The Bulletin reminds regulated entities that before deploying third-party tracking technologies on their websites and apps, they must first confirm that the resulting disclosures to tracking technology vendors are permitted under the HIPAA Privacy Rule (for example, a disclosure for marketing purposes requires the individual’s prior written HIPAA authorization; a website banner asking users to accept cookies does not satisfy that requirement), and must enter into a business associate agreement (BAA) with any vendor that will create, receive, maintain, or transmit PHI on the entity’s behalf.
OCR distinguishes tracking on user-authenticated webpages, such as a patient portal or telehealth platform that requires a unique username and password, from tracking on unauthenticated webpages, which do not require users to log in before accessing the page. Tracking technologies on authenticated webpages generally have access to PHI, so their use is regulated by HIPAA; conversely, tracking technologies on unauthenticated webpages generally do not have access to PHI, and their use would therefore not be regulated by HIPAA. However, in certain limited cases, unauthenticated webpages may collect PHI, such as a registration page used to create a portal username and password, a page addressing specific health conditions, or a page that permits individuals to search for doctors or schedule appointments without entering credentials. In those cases, regulated entities must ensure compliance with HIPAA regarding the use and disclosure of the PHI collected, which may include obtaining prior patient authorization and entering into a BAA with the tracking technology vendor.
Failure to comply with HIPAA requirements may result in civil monetary penalties being assessed against covered entities and business associates found to have violated HIPAA. All regulated entities that collect patient data through their websites or apps are urged to review the tracking technologies they use and any agreements they have with web-based data collection vendors. The potential risks and vulnerabilities these technologies introduce should also be addressed in the periodic security risk analysis and risk management processes that the HIPAA Security Rule requires of every covered entity and business associate.