New HIPAA Guidance on Online Tracking Technologies

On Dec. 2, 2022, the Department of Health and Human Services (HHS) issued a bulletin providing guidance on how the HIPAA Privacy, Security and Breach Notification Rules (HIPAA Rules) 3d rendering of medical desktop with hipaa on screenapply when covered entities and business associates (regulated entities) use online tracking technologies. These technologies collect and analyze information about how internet users interact with a regulated entity’s website or mobile app.

HIPAA Application

According to HHS, regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of electronic protected health information (ePHI) to tracking technology vendors or any other violations of the HIPAA Rules. However, the HIPAA Rules do not protect information that users voluntarily download or enter into mobile apps not developed or offered by or on behalf of regulated entities, regardless of where the information came from.

HIPAA Compliance

Regulated entities have the following HIPAA compliance obligations when using tracking technologies:

  • Ensure that all disclosures of ePHI to tracking technology vendors are specifically permitted by the HIPAA Rules;
  • Enter into business associate agreements with tracking technology vendors when the information collected includes ePHI;
  • Implement appropriate safeguards to protect the security of ePHI; and
  • In certain situations, provide breach notification to affected individuals, HHS and the media, if applicable, when there is an impermissible disclosure of ePHI to a tracking technology vendor.

Important Information

Regulated entities must ensure that they disclose ePHI to tracking technology vendors only as expressly permitted by the HIPAA Rules.

  • Some HIPAA-regulated entities regularly share information with tracking technology vendors.
  • The HIPAA Rules apply when the information collected through tracking technologies includes ePHI.
  • Regulated entities may not impermissibly disclose ePHI to tracking technology vendors.
  • Violations of the HIPAA Rules may result in civil penalties.