Paubox blog: HIPAA compliant email made easy

What you need to know about the HHS HIPAA web-tracking guidance

Written by Tshedimoso Makhene | July 18, 2024

On March 18, 2024, the Office for Civil Rights (OCR) of the Department of Health and Human Services updated its guidance on the use of online tracking technologies by HIPAA regulated entities. The update followed pushback from healthcare organizations, including a lawsuit filed by the American Hospital Association (AHA) in November 2023. The guidance explains when data collected online by healthcare organizations and their vendors is protected health information (PHI) and what HIPAA's privacy, security, and breach notification rules then require of them. Here's a breakdown of what this means for you.


HHS HIPAA web-tracking guidance

The U.S. Department of Health and Human Services (HHS) first issued guidance on December 1, 2022, regarding the use of online tracking technologies by entities regulated under the Health Insurance Portability and Accountability Act (HIPAA), and updated it on March 18, 2024. Here are the key points from the guidance:

  • Applicability of HIPAA: The guidance applies to HIPAA regulated entities: covered entities (health plans, healthcare clearinghouses, and healthcare providers) and their business associates, meaning vendors that create, receive, maintain, or transmit protected health information (PHI) on a covered entity's behalf.
  • Types of tracking technologies: The guidance addresses various tracking technologies, including cookies, web beacons, and pixels, which collect information about users’ interactions with websites and mobile apps.
  • PHI and online tracking: Identifiers collected by tracking technologies on websites or apps, including but not limited to IP addresses, device IDs, and geographic locations, may qualify as PHI when they are connected to information about the individual's past, present, or future health condition, healthcare, or payment for healthcare, for example because the identifier is captured together with the page the person viewed or the form they submitted.
  • Use and disclosure of PHI: HIPAA-covered entities must ensure that any use or disclosure of PHI collected via tracking technologies complies with HIPAA’s privacy, security, and breach notification rules.
    • Privacy Rule: Requires obtaining individuals’ authorization before disclosing PHI to third parties, except for certain permitted purposes.
    • Security Rule: Requires implementing safeguards to protect the confidentiality, integrity, and availability of electronic PHI.
    • Breach Notification Rule: Requires notification to affected individuals and to HHS following a breach of unsecured PHI, and to the media when the breach affects more than 500 individuals.
  • Business associate agreements (BAAs): A covered entity must have a BAA in place with any tracking technology vendor that receives or has access to PHI. If the vendor will not sign one, PHI may be disclosed to it only with the individual's HIPAA authorization.
  • Consent requirements: Disclosures of PHI to tracking vendors that are not otherwise permitted by the Privacy Rule require a valid HIPAA authorization from the individual. A cookie banner, a privacy policy, or acceptance of website terms does not meet that standard, so regulated entities cannot rely on them in place of an authorization.
  • Enforcement actions: The HHS Office for Civil Rights (OCR) may take enforcement actions against covered entities and business associates that fail to comply with HIPAA regulations concerning tracking technologies.
  • Transparency and disclosure: Covered entities should provide clear notices about the use of tracking technologies and obtain necessary consent. This includes updating privacy policies and ensuring that any tracking activities are transparent to users.


How the guidance helps maintain HIPAA compliance

The HHS HIPAA Web-Tracking Guidance helps organizations maintain HIPAA compliance by providing clear instructions and best practices for using tracking technologies in a manner that protects the privacy and security of PHI. Here’s how the guidance assists organizations:


Clarifying HIPAA rules application

  • Understanding scope: The guidance clarifies that HIPAA rules apply to any information collected through tracking technologies that qualifies as PHI. This helps organizations identify which data falls under HIPAA protection.
  • PHI identification: It assists in determining when information gathered through tracking technologies, like IP addresses or geographic locations, is considered PHI.

Permissible use and disclosure

  • Defining permissible uses: The guidance specifies when PHI can be shared with tracking technology vendors, emphasizing that each disclosure must be permitted by the HIPAA Privacy Rule or covered by the individual's authorization.
  • Business associate agreements (BAAs): It reiterates that organizations must have BAAs in place with vendors that handle PHI, setting out the responsibilities and safeguards those vendors must meet to protect the data.

Risk management and safeguards

  • Risk analysis and management: The guidance advises organizations to include tracking technologies in their risk analysis and management processes, helping them identify and mitigate potential risks associated with PHI.
  • Implementing safeguards: It emphasizes the importance of administrative, physical, and technical safeguards, such as encryption, access controls, and audit controls, to protect PHI collected through tracking technologies.

Breach notification

  • Breach response: The guidance outlines the requirements for notifying affected individuals, the Secretary, and the media in the event of a breach involving PHI disclosed to tracking technology vendors. This ensures organizations are prepared to respond effectively to breaches and maintain compliance.

Examples and scenarios

  • Practical examples: The guidance provides practical examples of when and how PHI may be disclosed through tracking technologies, offering organizations concrete scenarios to understand compliance requirements better.
  • Use cases: By illustrating use cases for both authenticated and unauthenticated webpages, as well as mobile apps, it helps organizations navigate complex situations and apply the rules correctly.

Compliance priorities

  • Enforcement focus: The guidance indicates OCR’s enforcement priorities, particularly the emphasis on compliance with the HIPAA Security Rule. This helps organizations focus on key compliance areas that are likely to be scrutinized.

Education and awareness

  • Raising awareness: By issuing this guidance, OCR raises awareness about the potential risks and compliance obligations associated with tracking technologies, encouraging organizations to review and update their practices accordingly.
  • Training and policies: It encourages organizations to educate their staff about the proper use of tracking technologies and to update privacy policies, notices, and terms of use to reflect compliance requirements.

See also: HIPAA Compliant Email: The Definitive Guide


FAQs

What are tracking technologies?

Tracking technologies are scripts or code embedded in websites or mobile apps to gather information about users and their interactions, usually on behalf of a third-party vendor that receives the data on its own servers. Common examples include cookies, web beacons, tracking pixels, and session replay scripts.


When does HIPAA apply to information collected by tracking technologies?

HIPAA applies when a regulated entity, or a tracking vendor acting for it, collects identifying information through tracking technologies, such as a medical record number, email address, IP address, or any other data that can identify an individual, in connection with that individual's health, healthcare, or payment for healthcare. The identifier alone is not PHI; its link to health information is what makes it PHI.


What steps should organizations take to ensure compliance with the guidance?

Organizations should:

  1. Conduct risk analysis and management for tracking technologies.
  2. Implement administrative, physical, and technical safeguards.
  3. Ensure BAAs are in place with relevant vendors.
  4. Train staff on compliance requirements.
  5. Update privacy policies and notices to reflect the use of tracking technologies.
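The first step above, a risk analysis that covers tracking technologies, and the FAQ definition of those technologies both start from the same question: which trackers does a page actually load, and what does each one receive? The following Python script is an added example, not code from HHS/OCR or from Paubox. It parses an HTML page, inventories external scripts, 1x1 image beacons, iframes, and inline loader snippets, and reports what each third-party element discloses. The sample page, the vendor hostnames (`cdn.tracker-analytics.test` and the others), the first-party site `clinic.example`, and the list of sensitive path prefixes are all constructed for illustration; the path-based PHI flag is a heuristic for a privacy officer to review, not a legal determination.

```python
"""Inventory tracking elements on an HTML page for a HIPAA risk analysis.
Added example, not HHS/OCR or Paubox code; hosts and sample page are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: hostnames this example treats as tracking vendors.
KNOWN_TRACKER_HOSTS = {"cdn.tracker-analytics.test", "px.ad-pixel.test", "rec.session-replay.test"}
# Constructed: first-party paths where the visit itself says something about
# a person's health (condition pages, scheduling, the patient portal).
SENSITIVE_PATH_PREFIXES = ("/conditions/", "/appointments/", "/portal/")
# Constructed sample page: vendor script, inline loader for a second vendor,
# first-party script, logo, 1x1 ad pixel, third-party map embed.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.tracker-analytics.test/tag.js"></script>
<script>(function(){var s=document.createElement('script');
s.src='https://rec.session-replay.test/r.js';document.head.appendChild(s);})();</script>
<script src="/static/app.js"></script>
</head><body>
<img src="/images/logo.png" width="200" height="60">
<img src="https://px.ad-pixel.test/p.gif?ev=pageview" width="1" height="1">
<iframe src="https://maps.example-maps.test/embed"></iframe>
</body></html>"""


class TrackerInventory(HTMLParser):
    """Collect <script src>, image beacons, iframes and inline vendor loaders."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []
        self._inline = None  # text buffer while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self._record("script", a["src"])
            else:
                self._inline = []
        elif tag == "img" and a.get("src"):
            # A 1x1 (or 0x0) image is the classic web beacon / tracking pixel.
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            self._record("pixel" if tiny else "img", a["src"])
        elif tag == "iframe" and a.get("src"):
            self._record("iframe", a["src"])

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body, self._inline = "".join(self._inline), None
            # An inline snippet that injects a known vendor script is a tracker too.
            for host in KNOWN_TRACKER_HOSTS:
                if host in body:
                    self._add("inline-script", host)

    def _record(self, kind, url):
        host = urlparse(url).hostname or self.page_host  # relative URL => first party
        if kind == "img" and host == self.page_host:
            return  # an ordinary first-party image is not a tracker
        self._add(kind, host)

    def _add(self, kind, host):
        self.findings.append({"kind": kind, "host": host,
                              "third_party": host != self.page_host,
                              "known_tracker": host in KNOWN_TRACKER_HOSTS})


def inventory(html, page_url):
    """Return every script, beacon and iframe load found in the page."""
    parser = TrackerInventory(urlparse(page_url).hostname)
    parser.feed(html)
    parser.close()
    return parser.findings


def disclosure_report(html, page_url):
    """For each third-party element, list what the vendor receives and whether
    that is likely PHI once tied to an identifiable visitor (IP, device ID)."""
    sensitive = urlparse(page_url).path.startswith(SENSITIVE_PATH_PREFIXES)
    report = []
    for f in inventory(html, page_url):
        if not f["third_party"]:
            continue
        # Every request to a third-party host carries the visitor's IP address and,
        # via the Referer header or the tracker's query string, the page URL.
        report.append({"host": f["host"], "kind": f["kind"],
                       "discloses": ["ip_address", "page_url"],
                       "likely_phi": sensitive, "needs_baa_or_authorization": sensitive})
    return report


if __name__ == "__main__":
    for row in disclosure_report(SAMPLE_HTML, "https://clinic.example/conditions/diabetes"):
        print(row)
```

Run it against saved page source for each page template on the site. Static HTML understates the picture when a tag manager injects trackers at runtime, so a browser-rendered DOM or a network capture gives a fuller inventory. Each third-party row is a line item for the risk analysis and a prompt to check whether that vendor has signed a BAA or whether an authorization is needed.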