Complying with HIPAA in the Context of Tracking Technologies – The National Law Review

Most companies operating websites and mobile apps use some form of tracking technology on these digital properties. While these technologies have been in use for some time and serve a variety of purposes, their use by organizations regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) has drawn increased attention within the past year. In the wake of recent public concerns, the Office for Civil Rights (OCR) at HHS released guidance on the use of these tools by HIPAA-regulated entities. OCR’s guidance distinguishes between tracking on authenticated websites, on unauthenticated websites, and in mobile apps. We summarize this guidance below.
Tracking technologies include cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts. These tools can be developed internally (i.e., first party) or by third parties. Companies use these tools to better understand their website visitors. Sometimes this is at an aggregate level. Other times, these tools may collect information about unique visitors in order to develop a profile of the visitor. Mobile apps can capture similar details about users through code embedded directly in the app.
When a regulated entity uses a tracking technology, it may be disclosing individually identifiable health information to vendors. This information could be an email address, an IP address, or appointment dates, among other information. When users visit websites that require them to log in (e.g., a patient portal), tracking technologies may have access to these visitors’ protected health information (PHI). This collection and disclosure of information must be done in accordance with HIPAA.
Tracking technology vendors are business associates if they create, receive, maintain, or transmit PHI on behalf of a regulated entity for a covered function, or if they provide certain services to or for a covered entity (or another business associate) that involve the disclosure of PHI. Regulated entities must ensure that the disclosures made to such vendors are permitted by the Privacy Rule and must enter into a business associate agreement (BAA) with these tracking technology vendors. By way of example, OCR’s guidance notes that if a regulated entity’s site permits users to make appointments, a BAA should be in place with the vendor of any tracking technology used on that site that collects PHI such as appointment dates or IP addresses.
Even on sites that do not require users to log in, HIPAA may still apply to the use of tracking technologies. For example, tracking technologies may be collecting information on sites that permit users to search for doctors based on specific conditions and that otherwise collect PHI such as an email address and/or IP address. In those instances, such disclosures must be made in accordance with the HIPAA Privacy Rule, including the use of a BAA with the tracking tool vendor.
In the context of mobile apps, the OCR guidance reminds companies that HIPAA does not apply to health information entered into a mobile app offered by an entity that is not otherwise regulated by HIPAA. Where HIPAA does not apply to such information, other laws may. For example, the FTC Act, the FTC’s Health Breach Notification Rule, and state laws such as the California Privacy Rights Act may apply.
When regulated entities use tracking technologies, several obligations under the HIPAA Privacy, Security, and Breach Notification Rules apply. For example, disclosures must be permitted by HIPAA, and only the minimum necessary PHI should be disclosed. Regulated entities must ensure that all tracking technology vendors have signed a BAA and that an applicable permission exists prior to any disclosure of PHI. If there is no applicable permission, or if the vendor is not a business associate of the regulated entity, a HIPAA-compliant authorization is required. OCR notes that website cookie banners do not constitute a valid HIPAA authorization. Further, the use of tracking technologies should be addressed in an organization’s risk analysis and risk management process.
HIPAA-regulated entities should carefully audit the use of any tracking technologies on their websites and mobile apps to understand whether any PHI is being disclosed to these vendors. If so, these organizations should take the steps outlined by OCR to ensure such use complies with HIPAA.
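As an illustration of the audit step above, the following script is an added example written for this summary; it is not part of the OCR guidance or the article, and the domains (example-health.test, tracker.example, pixel.example, replay.example), the sample HTML and the list of parameter names treated as PHI-like are all constructed assumptions. It parses a page's HTML offline, lists every remotely loaded script, image, iframe or stylesheet whose host is not the first-party domain, and flags tracker URLs whose query string already carries identifiers of the kind the guidance names (email addresses, appointment dates, patient identifiers).

```python
"""Offline inventory of third-party tracking resources on a page.

Constructed example: the HTML and domains below are placeholders, and the
PHI-like parameter names are an assumed starting list, not an authoritative one.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, unquote, urlsplit

# Tags and attributes through which a page loads remote resources.
_SRC_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

# Query parameter names that commonly carry data the guidance treats as PHI
# when a regulated entity discloses it (assumed list; extend for your own site).
_PHI_KEYS = {"email", "user_email", "ip", "client_ip", "appt", "appointment",
             "appointment_date", "patient_id", "mrn", "dob"}
_EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I)
_DATE_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")


class _ResourceCollector(HTMLParser):
    """Collects every (tag, url) pair that loads a remote resource."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = _SRC_ATTRS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        if url:
            self.resources.append((tag, url))


def is_third_party(url, first_party_host):
    """True when the URL's host is neither the first-party host nor a subdomain of it."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:  # relative URL, served by the first party
        return False
    fp = first_party_host.lower()
    return not (host == fp or host.endswith("." + fp))


def phi_like_params(url):
    """Names of query parameters whose key or value looks like PHI."""
    hits = []
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        value = unquote(value)
        if key.lower() in _PHI_KEYS or _EMAIL_RE.search(value) or _DATE_RE.search(value):
            hits.append(key)
    return hits


def audit_page(html, first_party_host):
    """Return one finding per third-party resource, with any PHI-like parameters it carries."""
    collector = _ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.resources:
        if is_third_party(url, first_party_host):
            findings.append({
                "tag": tag,
                "host": urlsplit(url).hostname,
                "phi_params": phi_like_params(url),
            })
    return findings


# Constructed sample page: one first-party script, one first-party CDN script,
# an analytics script, a tracking pixel that leaks an appointment date and an
# email address in its query string, and a session replay iframe.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.portal.example-health.test/vendor.js"></script>
<script src="https://tracker.example/analytics.js"></script>
</head><body>
<img src="https://pixel.example/p.gif?event=booked&appt=2024-05-01&email=jane%40mail.test" width="1" height="1">
<iframe src="https://replay.example/session?sid=abc123"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_page(SAMPLE_HTML, "portal.example-health.test"):
        flag = ("PHI-like params: " + ", ".join(f["phi_params"])) if f["phi_params"] \
            else "no PHI-like params in URL"
        print(f"{f['tag']:<6} {f['host']:<22} {flag}")
```

Every host the script lists is a candidate for the BAA and permission review described above, whether or not its URL carries PHI-like parameters, because a script or replay iframe can read page content and form fields at runtime. A static scan of this kind therefore complements, rather than replaces, a capture of the requests the browser actually sends (for example, the network log of a logged-in patient portal session) and an equivalent review of the SDKs embedded in a mobile app.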
About this Author
Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm’s Chicago office.
Areas of Practice
Julia’s practice focuses on data breach response and preparedness, reviewing clients’ products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also works on drafting and negotiating software licenses, data security exhibits, big data licenses, professional…