Kriti PatelThe US Department of Health and Human Services has issued a bulletin for healthcare providers, explaining how they can ensure they are adhering to HIPAA (Health Insurance Portability and Accountability Act) regulations when using tracking technologies. The guidance includes information on third-party cookies, pixels, and other tracking technologies and provides clarification on the definition of protected health information (PHI). The guidance comes after several class-action lawsuits were filed against major health systems and hospitals, alleging improper disclosure of patient information. The bulletin advises healthcare providers to evaluate how they use tracking technologies and outlines the steps they should take to achieve HIPAA compliance.
The guidance defines tracking technology as “a script or code on a website or mobile app used to gather information about users as they interact with the website or mobile app.” Examples of tracking technologies include cookies, web beacons, session replay scripts, and fingerprinting scripts. The guidance explains that healthcare providers disclose various pieces of information to tracking technology vendors through these technologies. Some of this information may be individually identifiable health information (IIHI), such as medical record numbers, home or email addresses, and IP addresses.
The guidance also clarifies that certain pages on healthcare providers’ websites or apps may contain PHI, such as user-authenticated pages and pages addressing specific symptoms or health conditions. It emphasizes the importance of disclosing the use of tracking technologies in privacy policies, signing business associate agreements with tracking technology vendors, ensuring the appropriate safeguards are in place to protect ePHI (electronic protected health information), and providing breach notifications when necessary.
In order to achieve HIPAA compliance, healthcare providers must:
- Disclose the use of tracking technologies in their website or app’s privacy policy, terms and conditions, and other relevant documents.
- Sign business associate agreements with tracking technology vendors that meet the definition of a business associate.
- Ensure that all disclosures of PHI to tracking technology vendors are permitted by HIPAA and that only the minimum necessary PHI is shared.
- Address the use of tracking technologies in their risk analysis and risk management processes.
- Implement appropriate administrative, physical, and technical safeguards when accessing ePHI stored in tracking technology vendor’s infrastructure.
- Provide breach notifications when PHI is disclosed to a tracking technology vendor in a manner that violates HIPAA requirements.
The guidance highlights the importance of healthcare providers staying up-to-date with HIPAA regulations and changes in the digital health industry to ensure that
