OCR Revises Guidance for Using Tracking Technologies

Revised Tracking Technology Guidelines Aim to Provide Clarity

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services released updated guidance on March 18, 2024, to make clear to HIPAA-covered entities and business associates (BAs) that their use of online tracking technologies is subject to the HIPAA Rules.

Regulated entities may use online tracking technologies such as Google Analytics or Meta Pixel, which collect and analyze information about how users interact with a regulated entity’s website or mobile app, but the updated bulletin reminds them that they must do so in compliance with their obligations under the HIPAA Rules.

In short, the HIPAA Rules apply when the information that regulated entities collect through tracking technologies, or disclose to tracking technology vendors, includes protected health information (PHI). For example, disclosing PHI to a tracking technology vendor for marketing purposes without the individual’s HIPAA-compliant authorization is an impermissible disclosure. Violations can result in costly penalties.

More Examples and Tips for Using Tracking Technologies

OCR’s original bulletin in 2022 provides a general overview of how the HIPAA Rules apply; the 2024 revisions add more detail, including:

  • Additional examples of when visits to an unauthenticated webpage may or may not involve the disclosure of PHI, such as: 
    • If a student is writing a term paper about oncology services, the collection and transmission of information showing that the student visited a hospital’s webpage listing the oncology services would not constitute a disclosure of PHI, even if the information could be used to identify the student. 
    • However, if an individual were looking at a hospital’s webpage listing its oncology services to seek treatment options for their brain tumor, the collection and transmission of the individual’s IP address, geographic location, or other identifying information showing their visit to that webpage is a disclosure of PHI to the extent that the information is both identifiable and related to the individual’s health or future health care. 
  • Additional tips for complying with the HIPAA Rules, such as: 
    • Website banners that ask users to accept or reject a website’s use of tracking technologies, such as cookies, do not constitute a valid HIPAA authorization.  
    • Address the use of tracking technologies in the regulated entity’s Risk Analysis and Risk Management processes. 
    • Establish a BAA with a tracking technology vendor that meets the definition of a business associate. 
  • Guidance about OCR’s enforcement priorities in investigations involving regulated entities’ use of online tracking technologies, such as:
    • OCR investigations are fact-specific and may involve the review of technical information regarding a regulated entity’s use of any tracking technologies.
    • OCR considers all available evidence in determining compliance and remedies for potential noncompliance.
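Addressing tracking technologies in the Risk Analysis, as the tips above recommend, starts with knowing which trackers a page actually loads. The following is an added example for this post, not code from OCR or PrivaPlan: it scans a saved copy of a page’s HTML for script, image and iframe sources, for loader URLs inside inline scripts, and for the gtag()/fbq() calls that configure Google Analytics and Meta Pixel, then reports each vendor found. The vendor host table, the inline-call patterns and the sample page are constructed for the example and should be extended for the vendors on your own site.

```python
"""Offline inventory of third-party trackers in a page's HTML.

Added example for this post, not OCR's or PrivaPlan's code. It scans saved
HTML (no network access); the host and inline-call tables below are
assumptions that the reader should extend for their own vendors.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed hosts that serve tracking code, mapped to the vendor behind them.
TRACKER_HOSTS = {
    "www.googletagmanager.com": "Google Analytics / Tag Manager",
    "www.google-analytics.com": "Google Analytics / Tag Manager",
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",  # the /tr image beacon used in <noscript>
}

# Inline JavaScript calls that configure those vendors' collectors.
INLINE_CALLS = {
    r"\bgtag\s*\(": "Google Analytics / Tag Manager",
    r"\bfbq\s*\(": "Meta Pixel",
}

# Absolute or protocol-relative URLs inside inline script text.
URL_RE = re.compile(r"(?:https?:)?//[^\s'\"<>]+")


class _TrackerScanner(HTMLParser):
    """Collects findings from src attributes and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = 0      # nesting counter; >0 while inside <script>
        self._script_text = []

    def _check_url(self, where, url):
        try:
            host = urlsplit(url).hostname  # also handles "//host/path"
        except ValueError:
            return
        vendor = TRACKER_HOSTS.get(host or "")
        if vendor:
            self.findings.append({"vendor": vendor, "where": where, "evidence": url})

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self._check_url(f"<{tag} src>", a["src"])
        if tag == "script":
            self._in_script += 1
            self._script_text = []

    def handle_data(self, data):
        if self._in_script:  # HTMLParser delivers <script> bodies via handle_data
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag != "script" or not self._in_script:
            return
        self._in_script -= 1
        body = "".join(self._script_text)
        for url in URL_RE.findall(body):  # loader snippets that inject a vendor script
            self._check_url("inline script URL", url)
        for pattern, vendor in INLINE_CALLS.items():
            m = re.search(pattern, body)
            if m:
                self.findings.append({"vendor": vendor, "where": "inline script call",
                                      "evidence": m.group(0)})


def find_trackers(html: str) -> list[dict]:
    """Return one finding per tracker reference: vendor, where it was seen, evidence."""
    scanner = _TrackerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def tracker_vendors(html: str) -> set[str]:
    """Distinct vendors to evaluate for a BAA (or for removal from PHI-adjacent pages)."""
    return {f["vendor"] for f in find_trackers(html)}


# Constructed sample page: a GA4 tag, a Meta Pixel loader and noscript beacon,
# and one first-party script that must not be flagged. IDs are placeholders.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date()); gtag('config', 'G-EXAMPLE');
</script>
<script>
  !function(f,b,e,v,n,t,s){/* loader body omitted */}(window,document,'script',
    'https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', '000000000000000'); fbq('track', 'PageView');
</script>
<script src="/static/app.js"></script>
</head><body>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1"/></noscript>
<h1>Oncology services</h1>
</body></html>"""

if __name__ == "__main__":
    for f in find_trackers(SAMPLE_HTML):
        print(f"{f['vendor']:32} {f['where']:20} {f['evidence']}")
    print("vendors needing review:", sorted(tracker_vendors(SAMPLE_HTML)))
```

Run it against HTML saved from the browser for each page that could reveal health information, such as an appointment-scheduling or service-line page. A static scan cannot see tags that a tag manager injects at runtime, so pair it with a review of the network requests the browser actually makes, and treat every vendor it reports as a candidate for the business associate determination and BAA described above.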

Prioritize HIPAA Compliance When Using Tracking Technologies

Learn how you can keep your website HIPAA compliant in our recent blog post on the New HIPAA Requirements for Website Analytics.

PrivaPlan Associates is here to help you with Risk Analysis and Risk Management. We also offer custom scans of websites to find third-party trackers, and we can review your vendors to determine whether they meet the definition of a business associate that requires a BAA. Contact us today!
