HIPAA Implications of Using Web and App Data Tracking Tech

Stevens & Lee
Contact

Stevens & Lee

The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) updated its guidance in mid-March on the “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” to highlight and better clarify the responsibilities of entities subject to the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”)—namely Covered Entities and Business Associates—which use tracking technologies. These technologies, such as Google Analytics or Meta Pixel, may implicate certain prohibitions, restrictions and obligations under the HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”). The guidance is also aimed at better informing the public about protections afforded under HIPAA when their data is collected and analyzed by these services to determine how users interact with a regulated entity’s website or app.

Regulated entities may use these tracking technologies subject to the HIPAA Rules, which are implicated when the collected information includes electronic protected health information (“ePHI”). A regulated entity would be prohibited from using tracking tech in such a way that results in ePHI being impermissibly disclosed. This much is obvious, but in light of the ubiquity of such tracking technology, OCR wanted to make sure this updated guidance was front-of-mind for HIPAA-regulated entities.

The guidance provides a description of tracking technology, an explanation of how the HIPAA Rules apply to such tech, and tips for maintaining HIPAA compliance while tracking on apps, authenticated websites, and unauthenticated websites. As updated, the guidance also provides:

  • More examples of when unauthenticated webpage visits may involve the disclosure of ePHI;
  • Additional tips for complying with the HIPAA Rules when using online tracking technologies; and
  • A section describing OCR’s enforcement priorities in investigations involving this topic.

OCR makes clear that the HIPAA Rules are not compliance ends in themselves, but that a violation of the Privacy Rule through impermissible disclosure may lead to knock-on effects including “identity theft, financial loss, discrimination, stigma, mental anguish, or other serious negative consequences to the reputation, health, or physical safety of the individual or to others identified in the individual’s PHI.” The guidance provides links to helpful materials regarding various topics such as health apps, cybersecurity, and Business Associate Agreements.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Stevens & Lee

Written by:

Stevens & Lee
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Stevens & Lee on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide