OCR Releases Updates to Clarify Use of Online Tracking Technologies

Article

In response to the ever-evolving landscape of online data privacy, on March 18, 2024, the Department of Health and Human Services Office for Civil Rights (“OCR”) released updates to its December 2022 bulletin on the “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” The bulletin emphasized that HIPAA-regulated entities must maintain HIPAA compliance in their use of these technologies, which commonly collect and redisclose individually identifiable health information (“IIHI”) from users of websites and mobile applications. The collected information might include an individual’s medical record number, home or email address, and dates of appointments, as well as their IP address or geographic location, medical device IDs, and other unique identifying codes. Most IIHI collected on a regulated entity’s website or mobile app will be categorized as protected health information (“PHI”). The bulletin emphasizes that regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or violate any other aspects of HIPAA. For example, except as otherwise provided, HIPAA requires that regulated entities obtain individual authorization for disclosure of PHI for any marketing purpose. Therefore, disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures. Further, regulated entities must ensure that any tracking technology vendors have signed, and are operating pursuant to, adequate business associate agreements (“BAAs”).

OCR’s bulletin reinforces that covered entities and their business associates must evaluate their use of tracking technologies on websites and applications to ensure that any data collected and shared is handled permissibly and is not overlooked in the context of the organization’s regular risk assessment. With the increased agency attention to data privacy, security, and breach penalties, businesses with access to PHI or health data can expect greater scrutiny. It is recommended that HIPAA-regulated entities review and revise their policies and procedures to ensure compliance and avoid penalties.

How Frier Levitt Can Help

Data privacy regulations continue to evolve, including the implementation and enforcement of various state privacy regimes. Organizations with access to PHI or other health data must ensure their practices are consistent with applicable federal and state laws and agency guidance that govern how such data is accessed, used, and shared. Contact Frier Levitt for assistance in determining how HIPAA and other data privacy rules may impact your business model. Additionally, contact us to learn what measures you must take to ensure your business is complying with these rules and how to avoid, mitigate, or respond in the event of a breach.