The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy of individuals' personal health information, otherwise known as protected health information (PHI).
As we've previously discussed, HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities, meaning entities that perform certain functions or activities involving PHI on behalf of the covered entity.
This post will recap an announcement about online tracking compliance under HIPAA, released earlier this month by the U.S. Department of Health and Human Services (HHS).
HIPAA online tracking technologies
One area covered by HIPAA is the use of online tracking technologies, such as cookies, web beacons, and similar technologies. Websites and online services often use these technologies to collect information about an individual's online activity, including the websites they visit, the links they click on, and similar behavioral data.
Under HIPAA, covered entities and their business associates must take steps to protect the privacy of individuals' PHI when using online tracking technologies.
As per guidance from HHS: "Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules."
This includes providing notice to individuals about the use of these technologies, as well as obtaining individuals' consent before collecting or using their PHI through online tracking technologies.
See related: Facebook Is Receiving Sensitive Medical Information from Hospital Websites
In addition, covered entities and their business associates must also take steps to secure the PHI they collect through online tracking technologies. This includes implementing appropriate safeguards to protect against unauthorized access, use, or disclosure of the information.
Covered entities and their business associates are also required to adhere to certain limitations on the use and disclosure of PHI collected through online tracking technologies. This includes only using the information for the purposes for which it was collected, and only disclosing it to parties who have a legitimate need for it.
It is important for covered entities and their business associates to be aware of these requirements when using online tracking technologies, as failure to comply with HIPAA can result in significant fines and penalties.
Additionally, covered entities and their business associates should be aware that state laws may also impose additional requirements on the use of online tracking technologies. It is important to ensure compliance with all applicable laws and regulations when using online tracking tools.
Conclusion
In summary, HIPAA requires covered entities and their business associates to protect the privacy of individuals' PHI when using online tracking technologies. This includes providing notice and obtaining consent, implementing appropriate safeguards, and adhering to limitations on the use and disclosure of the information.
It's vital for covered entities and their business associates to be aware of these requirements in order to avoid fines and penalties and ensure compliance with all applicable laws and regulations.
See also: Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates