On March 18, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services updated its bulletin on the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates. The bulletin emphasizes that regulated entities are not permitted to use tracking technologies for impermissible disclosures of protected health information (PHI) to tracking technology vendors or for any other violations of the HIPAA Rules.
The bulletin describes tracking technology as a script or code on a website or mobile app used to gather information about users or their actions as they interact with the website or app. It identifies three places where entities may be using tracking technology: (1) user-authenticated pages (e.g., a patient portal entered with login credentials), (2) unauthenticated pages (e.g., a webpage listing hospital visiting hours), and (3) mobile apps (e.g., for paying bills), and describes how information gathered in each of those places can result in the disclosure of PHI.
The bulletin reminds regulated entities of their HIPAA compliance obligations when using tracking technologies (including obtaining individuals’ authorizations and tracking technology vendor business associate agreements) and advises the entities about OCR’s enforcement priorities. Specifically, OCR’s principal interest in this area is ensuring that regulated entities have identified, assessed, and mitigated the risks to electronic PHI when using online tracking technologies and have implemented HIPAA’s Security Rule requirements to ensure the confidentiality, integrity, and availability of electronic PHI.
This bulletin updates OCR’s December 2022 bulletin, which is the subject of a lawsuit, American Hospital Association v. Rainer, Case No. 4:23-cv-01110-P (N.D. Tex. 2023), in which the AHA alleges substantive and procedural defects in that bulletin. We continue to monitor OCR’s enforcement of its bulletin and the update’s impact on the lawsuit.