Being fully HIPAA compliant is more complex than many people expect. HIPAA regulations cover processes and procedures that entities may not anticipate, so you could violate HIPAA and not even know it. Companies that use certain websites or mobile applications may use tracking technology that violates HIPAA. A business will be held liable for any HIPAA breach, even if it is committed by a business associate that is just a third-party contributor. Keep reading to find out how HIPAA breaches through tracking technology may affect you.
So, what happened?
On December 1, 2022, the U.S. Department of Health and Human Services (HHS) issued a bulletin to highlight the obligations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) on covered entities and business associates under the HIPAA Privacy, Security, and Breach Notification Rules when using online tracking technologies. These online tracking technologies, like Google Analytics or Meta Pixel, collect and analyze information about how internet users interact with a regulated entity’s website or mobile application. Some regulated entities regularly share electronic protected health information (ePHI) with online tracking technology vendors, and some may be doing so in a manner that violates the HIPAA Rules.
Does this affect me?
The HIPAA Rules apply when the information that regulated entities collect through tracking technologies or disclose to tracking technology vendors includes ePHI. Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA Rules.
Bulletin details
The bulletin addresses potential impermissible disclosures of ePHI by HIPAA-regulated entities to online tracking technology vendors. It explains what tracking technologies are, how they are used, and what steps regulated entities must take to protect ePHI and comply with the HIPAA Rules when using tracking technologies.
Resources:
If you want to make sure your practice is HIPAA compliant, visit HIPAA Diagnostic – Carosh Compliance Solutions.
Read the Full Bulletin Here: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html
Sources:
“Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” HHS.Gov, 2 Dec. 2022, www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html. Accessed 22 Dec. 2022.