OCR Bulletin: Obligations under HIPAA for Online Tracking Technologies

Dec. 2, 2022
The Office for Civil Rights at HHS issued a bulletin on Dec. 1 addressing tracking technologies, like Google Analytics or Meta Pixel, that may violate HIPPA Rules

On Dec. 1, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announced via a press release that it has issued a bulletin to detail the requirements of Health Insurance Portability and Accountability Act of 1996 (HIPAA) on covered entities and business associates (“regulated entities”) under the HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) when using online tracking technologies. The tracking technologies—such as Google Analytics or Meta Pixel—are meant to analyze information about how users are interacting with a regulated entity’s website or mobile application.

The press release states that “Some regulated entities regularly share electronic protected health information (ePHI) with online tracking technology vendors and some may be doing so in a manner that violates the HIPAA Rules.  The HIPAA Rules apply when the information that regulated entities collect through tracking technologies or disclose to tracking technology vendors includes ePHI.  Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA Rules.”

“Today’s bulletin addresses potential impermissible disclosures of ePHI by HIPAA regulated entities to online technology tracking vendors,” the release adds. “The Bulletin explains what tracking technologies are, how they are used, and what steps regulated entities must take to protect ePHI when using tracking technologies to comply with the HIPAA Rules.”

The bulletin will highlight examples of:

  • Tracking on webpages
  • Tracking within mobile apps
  • HIPAA compliance obligations for regulated entities when using tracking technologies

OCR director Melanie Fontes Rainer was quoted in the release saying that “Providers, health plans, and HIPAA-regulated entities, including technology platforms, must follow the law.  This means considering the risks to patients’ health information when using tracking technologies. Our Bulletin answers questions for those using tracking technologies, importantly how to protect the privacy and security of the health information they hold.”

The bulletin can be accessed here.

HHS encourages those who believe their or another individual’s health information privacy or civil rights have been violated to file a complaint here

Sponsored Recommendations

Elevating Clinical Performance and Financial Outcomes with Virtual Care Management

Transform healthcare delivery with Virtual Care Management (VCM) solutions, enabling proactive, continuous patient engagement to close care gaps, improve outcomes, and boost operational...

Examining AI Adoption + ROI in Healthcare Payments

Maximize healthcare payments with AI - today + tomorrow

Addressing Revenue Leakage in Hospitals

Learn how ReadySet Surgical helps hospitals stop the loss of earned money because of billing inefficiencies, processing and coding of surgical instruments. And helps reduce surgical...

Care Access Made Easy: A Guide to Digital Self Service

Embracing digital transformation in healthcare is crucial, and there is no one-size-fits-all strategy. Consider adopting a crawl, walk, run approach to digital projects, enabling...