New HIPAA Guidance on Use of Online Tracking Technologies

Thursday, December 29, 2022

On December 2, 2022, the Department of Health and Human Services (HHS) issued a bulletin providing guidance on how the HIPAA Privacy, Security and Breach Notification Rules (HIPAA Rules) apply when covered entities and business associates (regulated entities) use online tracking technologies.

These technologies collect and analyze information about how internet users interact with a regulated entity’s mobile app or website.

HIPAA Application

According to HHS, regulated entities are not authorized to use tracking technologies in a manner that would result in impermissible disclosures of electronic protected health information (ePHI) to tracking technology vendors or any other violations of the HIPAA Rules. However, the HIPAA Rules do not protect information that users voluntarily download or enter into mobile apps not developed or offered by or on behalf of regulated entities, regardless of where the information came from.

HIPAA Compliance

Regulated entities have the following HIPAA compliance obligations when using tracking technologies:

  • Enter into business associate agreements with tracking technology vendors when the information collected includes ePHI;
  • Ensure that all disclosures of ePHI to tracking technology vendors are specifically permitted by the HIPAA Rules;
  • Implement appropriate safeguards to protect the security of ePHI; and
  • In certain situations, provide breach notification to affected individuals, HHS and the media, if applicable, when there is an impermissible disclosure of ePHI to a tracking technology vendor.

Important Information

  • The HIPAA Rules apply when the information collected through tracking technologies includes ePHI.
  • Some HIPAA-regulated entities regularly share information with tracking technology vendors.
  • Regulated entities may not impermissibly disclose ePHI to tracking technology vendors.
  • Violations of the HIPAA Rules may result in civil penalties.

Material posted on this website is for informational purposes only and does not constitute a legal opinion or medical advice. Contact your legal representative or medical professional for information specific to your legal or medical needs.