:quality(75)/cloudfront-us-east-1.images.arcpublishing.com/elcomercio/NHDRQCEIVRBQFPCUCYHOKLTQMI.jpg)
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services has released an updated bulletin on the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates. The bulletin highlights that regulated entities are prohibited from using tracking technologies for impermissible disclosures of protected health information (PHI) to tracking technology vendors or for any violations of the HIPAA Rules.
Tracking technology is defined in the bulletin as a script or code on a website or mobile app that collects information about users or their actions as they interact with the platform. The bulletin identifies three areas where entities may be using tracking technology: user-authenticated pages, unauthenticated pages, and mobile apps, and explains how the information gathered in these places can lead to the disclosure of PHI.
Regulated entities are reminded in the bulletin of their obligations for HIPAA compliance when using tracking technologies, including obtaining individuals’ authorizations and ensuring vendor business associate agreements are in place. The bulletin also provides guidance on OCR’s enforcement priorities in this area, emphasizing the importance of assessing and mitigating risks to electronic PHI when using online tracking technologies and implementing necessary Security Rule requirements to protect confidentiality, integrity, and availability.
This updated bulletin follows OCR’s December 2022 bulletin, which is currently being challenged by a lawsuit brought by the American Hospital Association v. Rainer (Case No. 4:23-cv-01110-P (N.D. Tex., 2023)). The lawsuit alleges substantive and procedural defects in the previous bulletin, which could impact its enforcement and potentially lead to legal challenges downstream. Monitoring for OCR’s enforcement of this updated bulletin and its potential impact on ongoing litigation is essential for all regulated entities using online tracking technologies.
In conclusion, regulated entities must be aware of their obligations under HIPAA compliance when using online tracking technologies such as scripts or codes on websites or mobile apps that collect information about users’ actions or interactions with platforms
