HHS OCR Issues Bulletin on HIPAA Requirements for Tracking Health Information When Using Online Technologies | health law

The Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) recently issued a bulletin to highlight the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) about entities regulated under the HIPAA Privacy, Security and Safety Act. Violate notice rules when using online tracking technologies. The bulletin defines tracking technologies, provides examples of potential unauthorized disclosures of electronic protected health information (ePHI) by HIPAA-regulated entities to online tracking technology providers, and outlines the procedures that entities must follow to protect ePHI when using tracking technologies to comply with HIPAA. rules.

Regulated entities use tracking technologies on websites or mobile applications to collect and analyze information about how users interact with a regulated entity’s website or mobile application and may engage a technology provider to perform analytics on user activity. HIPAA rules apply when information that regulated entities collect through tracking technologies or disclose to tracking technology providers includes protected health information (PHI). In the bulletin, OCR points out that regulated entities are not permitted to use tracking technologies in any way that would result in impermissible disclosures by PHI to tracking technology providers or any other violation of HIPAA rules. OCR notes that failure to comply with HIPAA rules may result in a civil monetary penalty.

ISPs and Tracking Technologies

OCR explains that when HIPAA-regulated entities use tracking technologies on their websites or mobile apps, the data collected by the tracking technologies is often PHI. Specifically, information such as an individual’s medical record number, home or email address, or appointment dates, as well as an individual’s IP address or geographic location, identifiers medical device or any unique identification code may be RMP, even if the data does not include specific treatment or billing information such as dates and types of healthcare services. The OCR notes that when the information links the person to the regulated entity (that’s to sayis indicative that the person has received or will receive health care services or benefits from the covered entity), it will relate to the person’s past, present or future health or health care or payment for care even without specific healthcare or billing information.

Applicability for various tracking technologies

The OCR provides information and examples on how HIPAA rules would apply to regulated entities’ use of tracking technologies through user-authenticated web pages, unauthenticated web pages, and mobile applications. .

• Tracking on user-authenticated web pages: OCR states that regulated entities must set up all user-authenticated web pages (i.e. sites that require a user to log in to access the web page, such as a patient or beneficiary portal health plan or telehealth platform) that includes tracking technologies to allow such technologies to only use and disclose PHI in accordance with the HIPAA Privacy Rule and shall ensure that ePHI collected through its site Web are protected and secured according to the HIPAA security rule. In addition, regulated entities that contract with tracking technology providers to transmit PSI or provide certain services on behalf of a regulated entity must ensure that disclosures made to such providers are permitted by the Privacy Rule. , including entering into a Business Association Agreement (BAA) with these tracking technology providers to ensure that PHI is protected in accordance with HIPAA rules.
  • For example, if a person books an appointment through the website of a covered health clinic and that website uses third-party tracking technologies, then the website may automatically transmit information regarding the appointment and the individual’s IP address to a tracking technology provider. In this case, the tracking technology provider is a business associate and a BAA is required.

• Tracking on unauthenticated web pages: OCR states that since tracking technologies on unauthenticated web pages of regulated entities, in general, do not have access to individuals’ PHI, HIPAA rules would not apply to the use of such tracking technologies. monitored by a regulated entity. However, OCR provides examples of tracking technologies on unauthenticated web pages that may have access to PHI, in which case HIPAA rules apply to use of tracking technologies by regulated entities and disclosures to vendors. tracking technologies. For instance:
  • HIPAA rules apply when tracking technologies on a regulated entity’s patient portal login page or patient portal registration page collect an individual’s login or registration information.
  • HIPAA rules apply when tracking technologies collect an individual’s email address and/or IP address when the individual visits a regulated entity’s web page to search for available appointments with a health care provider. OCR notes that this may apply when the website discusses specific symptoms or health conditions, such as pregnancy or miscarriage.

• Tracking on mobile apps: The OCR states that regulated entities must comply with HIPAA rules for any PHI that individuals disclose on mobile apps, including any subsequent disclosure to the mobile app provider, tracking technology provider, or any other third party who receives this information. OCR notes that HIPAA rules do not protect the privacy and security of information that users voluntarily download or enter into mobile applications that are not developed or offered by or on behalf of regulated entities. In such cases, OCR states that other laws, including the Federal Trade Commission (FTC) Act and the FTC’s Health Breach Notification Rule (HBNR), may apply when a mobile health app discloses unlawfully a user’s health information.
  • For example, HIPAA rules apply to all PHI collected by a covered health clinic through the clinic’s mobile app used by patients to track health-related variables associated with pregnancy (e.g., menstrual cycle , body temperature, information on the prescription of contraceptives).

Compliance obligations for regulated entities

The OCR outlines the HIPAA privacy, security, and breach notification requirements that regulated entities must adhere to when using tracking technologies with access to PHI. The OCR states that regulated entities must ensure that all disclosures of PHI to tracking technology providers are specifically authorized by the privacy policy and that only the minimum PHI necessary to achieve the intended purpose is disclosed. OCR also explicitly states that it is not sufficient for a tracking technology provider to agree to remove PHI from information it receives or to anonymize PHI before the provider logs the information and any disclosure from PHI to the vendor can only be done with a person’s authorization or where the vendor has signed a BAA and the disclosure is for permitted purposes.

OCR notes that the privacy policies, notices, or terms and conditions of the website or mobile application are not sufficient to meet the requirements of HIPAA.

Take away food

Regulated entities should assess their relationships with tracking technology providers to determine whether the data being disclosed is PSR, determine whether that provider meets the definition of a business associate, and ensure that disclosures made to that provider are authorized by the rule of confidentiality.

The OCR recommends that regulated entities address the use of tracking technologies in the regulated entity’s risk analysis and management processes and implement other safeguards in accordance with the security rule, including including encryption of ePHI that is transmitted to the tracking technology provider. The OCR also recommends that regulated entities provide breach notification to affected individuals, HHS, and the media of an inadmissible disclosure of PHI to a tracking technology provider in situations where there is no requirement no privacy policy or permission to disclose PHI and there is no BAA with the seller.

Notably, a number of examples focus on reproductive health information. As we previously discussed, the Biden administration and OCR have taken steps to ensure that privacy protections for sensitive reproductive health information, including under HIPAA, are upheld. We await further clarification from the administration on the protection of health information, particularly as it relates to reproductive health services, and we will continue to monitor these developments.

For more information or to better understand the impact of this advice on your organization, please contact the professionals listed below or your usual Crowell & Moring contact.