The HHS has released a statement regarding covered entities’ obligations when they use tracking technology. Tracking technology is used to gather information about how users interact with an entity’s website or app. HIPAA rules apply when HIPAA-covered entities use tracking to collect information that is protected health information (PHI). Covered entities may not use tracking technology if it could result in the disclosure of PHI to vendors or violate any other HIPAA Rules. Disclosing a patient’s PHI without authorization violates the Privacy Rule and can also cause personal harm to the individual: disclosure of PHI can result in identity theft, financial loss, discrimination, and more. Covered entities have never been allowed to disclose PHI to third-party vendors without permission. Given how much sensitive information tracking technologies now collect, that obligation matters more than ever.
What is Tracking Technology?
Tracking technology is a code or script used to gather information about users as they interact with a website or mobile app. Website and app owners use this information to create insights about users’ online activities. There are different types of tracking technologies, including cookies, web beacons, session replay scripts, and fingerprinting scripts. Mobile apps may use a unique identifier from the app user’s mobile device to collect information and create individual profiles about each app user.
How Does HIPAA Apply to Regulated Entities’ Use of Tracking Technologies?
Regulated entities disclose a variety of information to tracking technology vendors through tracking technologies placed on their website or mobile app, including individually identifiable health information (IIHI) that the individual provides when they use regulated entities’ websites or mobile apps. IIHI collected on a regulated entity’s website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity.
Tracking on User-Authenticated Web Pages
Regulated entities may have user-authenticated web pages that require a user to log in before they can access the webpage. Tracking technologies on regulated entities’ user-authenticated web pages generally have access to PHI, including diagnosis and treatment information, prescription information, billing information, or other information within the portal. Therefore, a regulated entity must ensure that the electronic protected health information (ePHI) collected through its website is protected and secured as required by the HIPAA Security Rule.
Tracking on Unauthenticated Web Pages
Regulated entities may also have unauthenticated web pages that do not require users to log in before they can access the webpage. Tracking technologies on regulated entities’ unauthenticated web pages generally do not have access to individuals’ PHI. However, in some cases, tracking technologies on unauthenticated web pages may have access to PHI, in which case the HIPAA Rules apply to the regulated entities’ use of tracking technologies and disclosures to the tracking technology vendors.
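The practical first step toward the obligations described above is knowing which third parties a page actually hands data to. The script below is an added example, not code from the original post or from HHS: it parses a page's HTML, lists every script, image, iframe or link loaded from a host outside the first party (the path by which tracking vendors receive data, including 1x1 web beacons), records the query parameters each load carries, and labels the page by risk depending on whether it sits behind a login. The sample HTML, the first-party host `portal.example`, and the vendor hostnames are all constructed for the example.

```python
"""Inventory third-party resource loads in page HTML and label the risk.

Added example; the sample HTML, the first-party host "portal.example" and
the vendor hostnames below are constructed and do not come from the post.
"""
import json
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Tags whose resource attribute can pull content from another origin.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class ThirdPartyResourceParser(HTMLParser):
    """Collects every resource fetched from a host outside the first party."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host.lower()
        self.findings = []

    def _is_first_party(self, host):
        host = host.lower()
        return host == self.first_party_host or host.endswith("." + self.first_party_host)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = RESOURCE_ATTRS.get(tag)
        url = attrs.get(attr) if attr else None
        if not url:
            return
        parsed = urlparse(url)
        if not parsed.hostname or self._is_first_party(parsed.hostname):
            return  # relative or same-site loads stay within the entity
        # Tiny or hidden images are the classic web-beacon pattern.
        style = (attrs.get("style") or "").replace(" ", "")
        beacon = tag == "img" and (
            attrs.get("width") in ("0", "1")
            or attrs.get("height") in ("0", "1")
            or "display:none" in style
        )
        self.findings.append({
            "tag": tag,
            "host": parsed.hostname.lower(),
            "url": url,
            "beacon": beacon,
            # Query parameter names show what the page hands the vendor on load.
            "params": sorted(parse_qs(parsed.query).keys()),
        })


def audit_page(html, first_party_host, authenticated):
    """Return the third-party loads on a page plus a risk label.

    On an authenticated page (patient portal, scheduling, billing) any
    third-party load can carry PHI and must be reviewed before release; on an
    unauthenticated page the loads still need review, because the page may
    collect health-related input or identify the visitor.
    """
    parser = ThirdPartyResourceParser(first_party_host)
    parser.feed(html)
    hosts = sorted({f["host"] for f in parser.findings})
    if not parser.findings:
        risk = "none"
    elif authenticated:
        risk = "phi-exposure-likely"
    else:
        risk = "review-required"
    return {"risk": risk, "third_party_hosts": hosts, "findings": parser.findings}


# Constructed sample: a patient-portal page behind login. The query string on
# the beacon is the kind of detail that turns a page view into PHI.
SAMPLE_PORTAL_HTML = """
<html><head>
<link rel="stylesheet" href="https://static.portal.example/site.css">
<script src="/js/app.js"></script>
<script src="https://analytics.vendor-example.net/tag.js?id=ID-PLACEHOLDER"></script>
</head><body>
<h1>Appointments</h1>
<img src="https://pixel.vendor-example.net/collect?page=oncology&uid=123" width="1" height="1">
<iframe src="https://chat.vendor-example.net/widget"></iframe>
</body></html>
"""

if __name__ == "__main__":
    report = audit_page(SAMPLE_PORTAL_HTML, "portal.example", authenticated=True)
    print(json.dumps(report, indent=2))
```

Run against saved HTML of each page in the portal and of the public site, the report gives a per-page list of vendor hosts to reconcile against business associate agreements, and the `params` field shows at a glance whether identifiers or clinical context are being sent on page load. Inline tracking snippets and loads triggered later by JavaScript are not visible to a static HTML parser; for those, a browser's network log or a proxy capture is the complementary check.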
Tracking technology is a powerful tool used by website and mobile app owners to gather information about users’ online activities. However, it can be misused to facilitate identity theft, stalking, and harassment. Regulated entities must ensure that the electronic protected health information (ePHI) collected through their website is protected and secured as required by the HIPAA Security Rule, and that the disclosures made to tracking technology vendors are permitted by the HIPAA Privacy Rule.
Resources:
If you want to make sure your practice is HIPAA compliant visit: HIPAA Diagnostic® – $100 Challenge
Sources:
“Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” HHS.Org, 1 Dec. 2022, www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html. Accessed 16 Feb. 2023.