OCR Outlines Proper Use of Tracking Tech to Maintain HIPAA Compliance

December 2, 2022 CynergisTek, Inc.

Covered entities and business associates using tracking tech such as Google Analytics and Meta Pixel should pay close attention to whether PHI is being handled in accordance with HIPAA.

Following reports that patient data was transmitted to Facebook through the use of tracking technology on hospital websites and within password-protected patient portals, the HHS Office for Civil Rights (OCR) issued a bulletin outlining the dos and don’ts of using tracking tech as a HIPAA-covered entity or business associate.

Covered entities and business associates using tracking tools such as Google Analytics and Meta Pixel should pay close attention to their obligations under HIPAA, OCR noted.

“Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules,” OCR stated.

“For example, disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures.”

Covered entities must also ensure that they have business associate agreements (BAAs) in place with tracking technology vendors if those vendors create, maintain, or receive PHI on behalf of the covered entity for a covered function such as healthcare operations.

“For example, if an individual makes an appointment through the website of a covered health clinic for health services and that website uses third party tracking technologies, then the website might automatically transmit information regarding the appointment and the individual’s IP address to a tracking technology vendor,” OCR noted. “In this case, the tracking technology vendor is a business associate and a BAA is required.”

OCR clarified that HIPAA rules apply whenever PHI is involved, regardless of whether the tracking tech is present on user-authenticated or unauthenticated webpages. When it comes to mobile apps, OCR noted that apps offered by regulated entities are covered by HIPAA. However, HIPAA rules do not protect information that users voluntarily provide to mobile apps that are not developed or offered by covered entities.

OCR encouraged covered entities to ensure that “all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule and that, unless an exception applies, only the minimum necessary PHI to achieve the intended purpose is disclosed.”

Covered entities should also ensure that a tracking technology vendor meets the definition of a “business associate” and that the BAA explicitly specifies the vendor’s permitted uses and disclosures of PHI.

“Further, it is insufficient for a tracking technology vendor to agree to remove PHI from the information it receives or de-identify the PHI before the vendor saves the information,” the bulletin continued.

“Any disclosure of PHI to the vendor without individuals’ authorizations requires the vendor to have a signed BAA in place and requires that there is an applicable Privacy Rule permission for disclosure.”

Lastly, OCR reminded covered entities to provide breach notifications to HHS in the event that the use of tracking tech leads to an impermissible disclosure of PHI.

"Organizations should ask themselves about the risks and ethical concerns associated with tracking services, as improper use of this technology poses significant risks to the organization and its patients," Andrew Mahler, VP of privacy and compliance at CynergisTek, a Clearwater company, told HealthITSecurity.


About the Author

CynergisTek, Inc.

CynergisTek is a top-ranked cybersecurity consulting firm dedicated to serving the information assurance needs of healthcare. CynergisTek offers specialized services and solutions to help organizations achieve privacy, security, and compliance goals. The company has been recognized by KLAS in the 2016 and 2018 Cybersecurity reports as a top performing firm in healthcare cybersecurity, as well as the 2017 Best in KLAS winner for Cybersecurity Advisory Services.
