What Is the HIPAA Privacy Rule?
HIPAA is a federal law that requires national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. The U.S. Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement those requirements. The Privacy Rule sets standards for how covered entities may use and disclose protected health information (PHI), and it gives individuals the right to understand and control how covered entities use their health information. Covered entities are:
- most healthcare providers,
- health plans, and
- healthcare clearinghouses.
Business associates, the vendors and contractors that create, receive, maintain or transmit PHI on a covered entity's behalf, are not themselves covered entities, but HIPAA binds them directly as well, and much of what follows applies to them too.
Applying HIPAA to Online Data Tracking Activities
The HHS Office for Civil Rights (OCR) recently issued a bulletin on the use of online tracking technologies by covered entities and business associates. The HIPAA Rules apply whenever tracking technology on a regulated entity's website or mobile app collects electronic protected health information (ePHI) or discloses it to a tracking vendor. The bulletin describes the technology, how it is used, and the steps covered entities must take to protect ePHI when they use it. Briefly, online tracking technology is a script, cookie, web beacon or pixel embedded in a website or app that records how users interact with it: the pages visited, the contents of searches and forms, the IP address, and identifiers stored in cookies or on the device. Site owners or third parties then use that data to build a profile of the user's online activity. Ideally the data is used to streamline or otherwise improve the user's experience on the website, but once it reaches an advertising or analytics vendor the same data can be used to profile or target individuals in ways HIPAA does not permit. The bulletin's guidance for protecting ePHI when using online tracking tools includes the following. Covered entities should:
- Treat user-authenticated webpages (patient portals, scheduling, billing) as containing ePHI, and configure any tracking technology on them so that it uses or discloses ePHI only as the Privacy Rule permits and with the Security Rule's safeguards in place.
- Give ePHI that patients enter on unauthenticated pages (appointment-request forms, symptom checkers, registration pages) the same protection, since those pages can collect ePHI even though most public pages do not.
- Ensure that any ePHI disclosed to a tracking vendor is a permissible disclosure under HIPAA and is limited to the minimum necessary for its intended purpose.
- Establish a business associate agreement (BAA) with the vendor if it meets the definition of a business associate under HIPAA. A vendor that is not a business associate may receive ePHI only with the individual's HIPAA-compliant authorization; a cookie banner or a website privacy policy is not such an authorization.
- Apply the Security Rule's administrative, physical and technical safeguards, such as encryption in transit and authentication, to any ePHI the tracking technology collects, and include the tracking technology in the organization's risk analysis.
- If tracking technology has disclosed ePHI impermissibly, treat it as a presumed breach and follow the Breach Notification Rule: notify the affected individuals and HHS and, for breaches affecting more than 500 residents of a state or jurisdiction, prominent media outlets.
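The first, third and fourth points above come down to a decision that has to be made in the browser before the tracking tag fires: does this page hold ePHI, has this vendor signed a BAA, and what is the least the vendor needs to see? The following is an added example, not code from the HHS bulletin or from any tracking vendor's SDK. It models what a stock analytics or advertising pixel collects from a page and shows a gate that applies that decision. All function names, the path prefixes, the query-parameter list and the sample pages are hypothetical and constructed for the example.

```javascript
// Added example, not code from the HHS bulletin or from any tracking vendor's SDK.
// It models what a typical third-party tracking snippet collects from a page and shows a
// gate that applies the bulletin's guidance before a beacon leaves the browser.
// All function names, path prefixes and sample pages are hypothetical.
// Run with: node tracking_gate.js

// Path prefixes on this (hypothetical) provider site where a visitor supplies or views
// health information without logging in; treated like authenticated pages.
const PHI_PATH_PREFIXES = ['/portal', '/schedule', '/symptom-checker', '/register'];

// Query parameters that carry health-related input on the hypothetical site.
const SENSITIVE_QUERY_KEYS = new Set([
  'q', 'search', 'symptom', 'condition', 'specialty', 'provider', 'appt', 'patient', 'email',
]);

// What a stock analytics or advertising pixel sends: the full URL, page title, referrer and a
// persistent per-browser identifier. The vendor also records the client IP address on its
// server, which no client-side filtering can remove.
function buildNaiveBeacon(page) {
  return {
    url: page.url,
    title: page.title,
    referrer: page.referrer,
    clientId: page.clientId,
  };
}

// A page is assumed to hold ePHI when it sits behind login or under one of the PHI paths.
function pageHoldsPhi(page) {
  const path = new URL(page.url).pathname;
  return page.authenticated || PHI_PATH_PREFIXES.some((p) => path.startsWith(p));
}

// Replace health-related query values and drop the fragment, so the URL no longer says what
// the visitor searched for or booked while the page path remains available for analytics.
function redactUrl(urlString) {
  const u = new URL(urlString);
  for (const key of [...u.searchParams.keys()]) {
    if (SENSITIVE_QUERY_KEYS.has(key.toLowerCase())) {
      u.searchParams.set(key, 'REDACTED');
    }
  }
  u.hash = '';
  return u.toString();
}

// Decide whether, and with what payload, a beacon may go to `vendor` from `page`.
// Returns null when nothing may be sent; in that case the vendor tag must not be loaded at
// all, since merely fetching it discloses the visitor's IP address and the page visited.
function gateBeacon(page, vendor) {
  if (pageHoldsPhi(page) && !vendor.baaSigned) {
    return null;
  }
  const beacon = buildNaiveBeacon(page);
  // Minimum necessary: even under a BAA, send only a redacted URL and the referrer's origin;
  // the title and full referrer can name a condition, clinician or appointment.
  beacon.url = redactUrl(beacon.url);
  beacon.referrer = beacon.referrer ? new URL(beacon.referrer).origin : '';
  delete beacon.title;
  if (!pageHoldsPhi(page)) {
    // On public pages a persistent browser id plus the pages visited is still a profile of
    // an identifiable person; a per-session id gives the analytics vendor page counts only.
    beacon.clientId = page.sessionId;
  }
  return beacon;
}

// Constructed sample pages (not real traffic) and two vendors: an ad network with no BAA and
// an analytics provider that has signed one.
const SAMPLE_PAGES = {
  portal: {
    url: 'https://clinic.example/portal/appointments?appt=oncology-followup#confirm',
    title: 'Appointment with Dr. Rivera',
    referrer: 'https://search.example/?q=cancer+clinic',
    clientId: 'cid-4f2a9c',
    sessionId: 'sess-17',
    authenticated: true,
  },
  directory: {
    url: 'https://clinic.example/find-a-doctor?specialty=oncology&page=2',
    title: 'Find a Doctor',
    referrer: '',
    clientId: 'cid-4f2a9c',
    sessionId: 'sess-17',
    authenticated: false,
  },
};
const AD_NETWORK = { name: 'ads.example', baaSigned: false };
const ANALYTICS_UNDER_BAA = { name: 'analytics.example', baaSigned: true };

function demo() {
  return {
    naivePortal: buildNaiveBeacon(SAMPLE_PAGES.portal),
    portalToAds: gateBeacon(SAMPLE_PAGES.portal, AD_NETWORK),
    portalToAnalytics: gateBeacon(SAMPLE_PAGES.portal, ANALYTICS_UNDER_BAA),
    directoryToAds: gateBeacon(SAMPLE_PAGES.directory, AD_NETWORK),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the contrast the bulletin is concerned with: the naive beacon for the portal page carries the appointment type in the URL, the clinician's name in the title and the visitor's search query in the referrer, all tied to a persistent identifier. The gate sends nothing from that page to the ad network, sends only a redacted path and referrer origin to the vendor under a BAA, and swaps the persistent id for a session id on the public directory page. The null return matters more than the redaction: a tag that is loaded but told to send nothing has already disclosed the IP address and page URL to the vendor through the script request itself, so the decision has to be made in the tag loader, not in the tag.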