On Dec. 2, 2022, the Department of Health and Human Services (HHS) issued a bulletin providing guidance on how the HIPAA Privacy, Security and Breach Notification Rules (HIPAA Rules) apply when covered entities and business associates (regulated entities) use online tracking technologies. These technologies collect and analyze information about how internet users interact with a regulated entity’s website or mobile app.
According to HHS, regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of electronic protected health information (ePHI) to tracking technology vendors or any other violations of the HIPAA Rules. However, the HIPAA Rules do not protect information that users voluntarily download or enter into mobile apps not developed or offered by or on behalf of regulated entities, regardless of where the information came from.
Regulated entities have the following HIPAA compliance obligations when using tracking technologies:
-Ensure that all disclosures of ePHI to tracking technology vendors are specifically permitted by the HIPAA Rules;
-Enter into business associate agreements with tracking technology vendors when the information collected includes ePHI;
-Implement appropriate safeguards to protect the security of ePHI; and
-In certain situations, provide breach notification to affected individuals, HHS and the media, if applicable, when there is an impermissible disclosure of ePHI to a tracking technology vendor.
For a copy of this notice, click here: New HIPAA Guidance on Use of Online Tracking Technologies