Health care providers, health plans, health care clearinghouses and their business associates (covered entities) should verify that any online tracking technology used in their or their business partners' websites or mobile applications complies with the Department of Health and Human Services, Office of Civil Rights (OCR) updated guidance on “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” published March 18, 2024.
The Guidance reminds covered entities that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules (HIPAA Rules) apply to their use of online tracking technologies like Google Analytics or Meta Pixel, which collect and analyze information about how users are interacting with a regulated entity’s website or mobile application.
The HIPAA Rules apply when the information that regulated entities collect through tracking technologies or disclose to tracking technology vendors includes electronic protected health information (ePHI).
OCR’s information bulletin reminds covered entities that they can only use online tracking technologies provided that the entities comply with their obligations under the HIPAA Rules. Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA Rules.
OCR’s Bulletin provides a general overview of how the HIPAA Rules apply to covered entities’ use of tracking technologies. Updates to the Bulletin include:
- Additional examples of when visits to an unauthenticated webpage may or may not involve the disclosure of ePHI.
- Additional tips for complying with the HIPAA Rules when using online tracking technologies.
- Guidance about OCR’s enforcement priorities in investigations involving regulated entities’ use of online tracking technologies.
Covered entities need to understand that online tracking technologies commonly are included in website, mobile application, and other Internet-based tools. These tools frequently include online tracking even if not specifically requested by the covered entity.
Covered entities should conduct a documented inventory of all website, mobile app, and other Internet-based tools that they or their business associates use, which includes an assessment of whether those tools include online tracking or other technologies covered by the guidance. For any online tools using tracking capability, covered entities must ensure that the tool is designed and administered to comply with the HIPAA requirements. Covered entities also should adopt a process for regularly reevaluating and monitoring compliance with this and other HIPAA security requirements in their Internet-based and other electronic applications that collect, use, store, access, or disclose electronic protected health information.
Along with specifically evaluating the existence and compliance of any online tracking technologies, covered entities also should reevaluate and reconfirm the adequacy of their electronic security overall. The HIPAA Rules require healthcare providers and other covered entities to regularly conduct documented risk assessments to verify the adequacy of their security safeguards, and to make updates to guard against emerging threats based on these recurrent assessments. The importance of compliance with this ongoing recurrent risk assessment obligation is repeatedly reinforced in each HIPAA settlement announced by OCR. See, e.g., OCR Nails Second HIPAA Covered For Allowing Ransomware Breach.
Covered entities should ensure that they and their business associates maintain compliance with these other HIPAA obligations.
For More Information
We hope this update is helpful. For more information about these or other health or other legal, management, or public policy developments, please get in touch with the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.
Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.
About the Author
Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition from LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.
A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on health benefit and other healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.
Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws.
For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here, such as:
- Choice Health/UHG Breach Creates HIPAA Headaches For Impacted Health Care Providers & Other HIPAA Covered Entities
- Review & Update Medical Record Confidentiality Policies In Response To Newly Revised Federal Substance Abuse Disorder Confidentiality Rules
- OCR Nails Second HIPAA Covered For Allowing Ransomware Breach
- Nearly $900K FLSA Backpay Award Warns Other Home Health Employers
- 3/4 Dallas Bar Association Virtual Program Covers Disability Accommodation In Education, Facilities, Technology & Beyond
- Hospital System Pays $4.75 Million HIPAA Breach Settlement
- Health Care Facilities Should Ensure Their Patient, Employment and Other Operational Defensibility Against Religious Discrimination Charges Amid Rising Risks
- eBay Paying $59 Million to Settle Controlled Substances Act Allegations About Website Pill Press Sales
- FDA & CMS Partnering To Promote Accurate and Reliable Diagnostic Tests
- 46th OCR HIPAA Right of Access Settlement With Optum Medical Care Warns All HIPAA Entities To Timely Deliver Required Medical Record Access
- Fee Set for Providers & Plans Using No Surprises Act Independent Dispute Resolution To Resolve Post 2/20/24 Disputes
- No Surprises Act IDR Portal Now Open For All Covered Health Claims; Added Deadline Extensions Announced
- Texas Man Charged With Filing $60 Million DME Medicare Fraud Scheme
- Federal Court Orders Manufacturer, President To Recall & Stop Making & Distributing Defective Drugs
- 1st Phishing-Related HIPAA Settlement Sends Other HIPAA Entities Phishing Warning
- New OCR/St. Joseph’s Medical Center Settlement Highlights HIPAA-Covered Entities’ Duty To Prevent Unauthorized PHI Access and Disclosure To Media & Other Third-Parties
- Advanced Practice Registered Nurse Loses License, Sentenced To Prison For Unlawful Distribution of Controlled Substances To Lovers and Others and Health Care Fraud
- Ex-Wife’s 56 Month Sentence For Using Ex-Husband’s Provider Number To Commit Medicaid Fraud Warning To Other Providers
IMPORTANT NOTICE ABOUT THIS COMMUNICATION
NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. The law is rapidly evolving, and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication.
Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.
©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™