OCR Issues Warning Bulletin on Website and App Tracking Technologies

Rivkin Radler LLP

On December 1, 2022, the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) issued a Bulletin entitled "Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates" that addresses the obligations of HIPAA covered entities and business associates ("regulated entities") that use online tracking technologies. Regulated entities need to consider these obligations carefully when rolling out websites and mobile applications that use tracking technologies to collect and analyze information about users, because that information may contain protected health information (PHI). The Bulletin reminds regulated entities that, before deploying third-party tracking technologies on their websites and apps, they must ensure that any disclosure of PHI to the tracking technology vendor is permitted under the HIPAA Privacy Rule (for example, a disclosure for marketing purposes requires the individual's prior written authorization), and must enter into a business associate agreement (BAA) with the vendor, which is a business associate if it creates, receives, maintains, or transmits PHI on the regulated entity's behalf.

OCR distinguishes tracking on user-authenticated webpages, such as a patient portal or telehealth platform that requires a unique username and password, from tracking on unauthenticated webpages, which can be accessed without logging in. Authenticated pages generally have access to PHI, so tracking technologies on those pages must comply with HIPAA; conversely, unauthenticated pages generally do not have access to PHI, so the use of tracking technologies on them is generally not regulated by HIPAA. However, in certain cases unauthenticated pages do collect PHI, for example a registration page used to create a portal username and password, a page addressing specific health conditions, or a page that lets individuals search for doctors or schedule appointments without entering credentials. In those cases, regulated entities should ensure that the PHI collected is used and disclosed in compliance with HIPAA, which may include obtaining the individual's prior authorization and entering into a BAA with the tracking technology vendor.

Failure to comply with HIPAA may result in civil monetary penalties against covered entities and business associates found to have violated it. All regulated entities that collect patient data through their websites or apps are urged to inventory the tracking technologies they use (scripts, pixels, and cookies, on authenticated and unauthenticated pages alike), determine what data those technologies transmit to vendors, and review their agreements with web-based data collection vendors. The risks and vulnerabilities posed by these technologies should also be assessed as part of the periodic risk analysis that the HIPAA Security Rule requires.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Rivkin Radler LLP