On December 1, 2022, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) issued a bulletin highlighting the obligations of HIPAA covered entities and business associates when they use "online tracking technologies," which OCR describes as script or code on a website or mobile app used to collect information about users as they interact with that website or mobile app. The information collected may then be analyzed by website owners, app operators, or third parties to create user profiles and gain insight into users' online activities.
These technologies include cookies, web beacons, pixels, session replay software, and fingerprinting scripts that track and profile a user's web activity. In some cases they disclose the information collected, whether from a web portal behind an authentication wall or from an unauthenticated web page or mobile app, to technology vendors for marketing purposes without a HIPAA-compliant authorization. As OCR stated: "Regulated entities are not permitted to use tracking technologies in a manner that results in impermissible disclosures of Protected Health Information (PHI) to tracking technology vendors or any other violations of the HIPAA Rules."
Beyond the provider and vendor health privacy concerns, this bulletin brings to mind several topics I discussed in my October post about Amazon's recent acquisition of One Medical (One Medical's potential strategic value as a "people-centered, technology-enabled primary care organization"). Under 45 CFR 160.103, a "covered entity" is a health plan, a health care provider, or a health care clearinghouse. As a primary care organization, One Medical therefore falls into the category of HIPAA covered entities and operates in exactly the data-rich environment that prompted OCR to issue its bulletin on PHI disclosed to tracking technology vendors.
OCR bulletin overview
PHI
OCR reiterates throughout the bulletin that HIPAA applies when covered entities collect user data containing PHI through tracking technologies and when that data is shared with technology vendors. But what exactly is PHI? As the bulletin explains, PHI may include an individual's medical record number, home or email address, appointment date, IP address or geographic location, medical device ID, or a unique online or mobile identifier. The bulletin emphasizes that individually identifiable health information (IIHI) collected on a regulated entity's website or mobile app is generally PHI, even where it does not include specific treatment or billing information (such as an appointment date or type of medical service).
User-authenticated web pages
Patient portals and telehealth platforms typically collect and have access to PHI, including diagnostic and treatment information, billing information, and other sensitive data. Accordingly, the bulletin says, a covered entity must configure any tracking technologies on its user-authenticated web pages so that those technologies use and disclose PHI only as HIPAA permits, and must protect that PHI. OCR also notes that a tracking technology vendor that provides services involving the disclosure of PHI to a covered entity (or to another business associate) meets the definition of a business associate. The bulletin gives the example of an individual who makes a medical appointment through a covered clinic's website that uses third-party tracking technologies, so that PHI and other consumer data may be transmitted automatically to outside vendors; in that case the tracking technology vendor is a business associate, and a business associate agreement (BAA) is required.
Unauthenticated web pages
OCR takes a slightly different stance on the collection of consumer data on unauthenticated web pages. An unauthenticated web page is a public page whose content is accessible to anyone and that typically contains only general information about the entity. According to the bulletin, tracking on such pages is therefore generally not regulated by HIPAA. However, OCR cautions that in some cases tracking technologies on unauthenticated web pages may have access to a user's PHI and disclose it to outside vendors, which triggers the HIPAA Rules. For example, if a covered entity's patient portal login page requires the user to enter registration information such as a name and email address, that page contains PHI and is subject to HIPAA, the bulletin says. Similarly, OCR points to web pages that let users search for doctors, view appointment availability, make appointments, or read about specific symptoms or conditions (such as pregnancy) without first logging in, and warns that such pages may collect email addresses, IP addresses, or both and disclose that PHI to tracking technology vendors, again triggering the HIPAA Rules.
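To make the unauthenticated-page scenario concrete, the following is an added example (not code from the OCR bulletin or from the original post) that models what a third-party tracking beacon on a public appointment-search page would assemble before sending it to a vendor, lists the PHI-bearing items in that payload, and applies a pre-send filter that strips them. The clinic URL, the referrer, the form, and the query-string and form field names are constructed for illustration; the categories they stand for (email address, appointment date, condition or symptom, type of service) are the ones the bulletin names.

```javascript
// Added example, not from the OCR bulletin or the original post. It models the data flow the
// bulletin warns about on unauthenticated pages: a third-party tracking beacon on an
// appointment-search page, what it would transmit, and a pre-send filter that strips the
// PHI-bearing fields. The URL, form, and field names below are constructed for illustration.

// Constructed sample: an appointment-search page reached from a search engine, with the form
// the user filled in before the beacon fired.
const SAMPLE_PAGE = {
  url: 'https://clinic.example/appointments?specialty=obstetrics&condition=pregnancy',
  referrer: 'https://search.example/?q=pregnancy+test+clinic',
  form: { name: 'Jane Doe', email: 'jane@example.com', preferredDate: '2023-01-15' },
};

// Query-string keys and form fields this example treats as PHI-bearing. The categories come
// from the bulletin (email address, appointment date, symptom or condition, type of service);
// the key names themselves are assumptions made for the sample page.
const PHI_QUERY_KEYS = new Set(['condition', 'symptom', 'specialty']);
const PHI_FORM_KEYS = new Set(['name', 'email', 'phone', 'dob', 'preferredDate']);

// What a typical tracking beacon assembles before calling the vendor: the full URL including
// the query string, the referrer, and (when form capture is enabled) every field on the page.
function buildBeaconPayload(page, { captureForms = true } = {}) {
  const payload = { url: page.url, referrer: page.referrer };
  if (captureForms) payload.formData = { ...page.form };
  return payload;
}

// List the PHI-bearing items in a payload. A referrer that carries a query string is flagged
// too: a search-engine referrer reveals the condition the user searched for.
function findPhi(payload) {
  const found = [];
  const u = new URL(payload.url);
  for (const key of u.searchParams.keys()) {
    if (PHI_QUERY_KEYS.has(key)) found.push(`query:${key}`);
  }
  if (payload.referrer && new URL(payload.referrer).search) found.push('referrer-query');
  for (const key of Object.keys(payload.formData || {})) {
    if (PHI_FORM_KEYS.has(key)) found.push(`form:${key}`);
  }
  return found;
}

// Pre-send filter: drop the referrer, strip PHI-bearing query parameters, and remove PHI form
// fields. What remains is the page path plus any non-PHI fields.
function redactPayload(payload) {
  const u = new URL(payload.url);
  for (const key of [...u.searchParams.keys()]) {
    if (PHI_QUERY_KEYS.has(key)) u.searchParams.delete(key);
  }
  const redacted = { url: u.toString() };
  if (payload.formData) {
    redacted.formData = Object.fromEntries(
      Object.entries(payload.formData).filter(([key]) => !PHI_FORM_KEYS.has(key)),
    );
  }
  return redacted;
}

// Stand-alone run: show what the raw beacon would send versus the filtered version.
const raw = buildBeaconPayload(SAMPLE_PAGE);
console.log('raw beacon leaks:', findPhi(raw));
console.log('filtered beacon:', JSON.stringify(redactPayload(raw)));
```

Two caveats a practitioner should keep in mind. First, the bulletin lists the IP address itself as PHI, and the vendor receives it simply by serving the request, so client-side filtering narrows what is disclosed but cannot turn the call into a non-disclosure. Second, the bulletin's compliance reminders below make clear that a vendor's promise to strip or de-identify PHI after receipt is not a substitute for a signed BAA and a disclosure the Privacy Rule permits; a filter like this one is a minimization control, not a compliance substitute.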
Mobile tracking
Mobile tracking often takes place through tracking technologies and mobile software development kits (SDKs) built by outside marketers and embedded in mobile apps. The bulletin states that information a user enters, together with device-level data a covered entity collects through its app (such as network location, geolocation, device IDs, and advertising IDs), is PHI whose use or disclosure must comply with HIPAA. With a nod to the Supreme Court's Dobbs decision, the bulletin states that HIPAA "applies to PHI collected by a covered health clinic through the clinic's mobile app used by patients to track health-related variables associated with pregnancy." However, the bulletin makes clear that the HIPAA Rules do not protect information that users voluntarily enter into a mobile app that is NOT developed or offered by or on behalf of a regulated entity, regardless of where the information comes from [emphasis added]. This includes health information entered into lifestyle or fitness apps operated by entities not regulated by HIPAA. Such data collection may still be regulated by the FTC and may be subject to applicable state privacy laws and, should Congress pass one, a comprehensive federal privacy law.
Compliance obligations
The bulletin restates that regulated entities must comply with the HIPAA Rules when using tracking technologies and advises that they must "ensure that all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule and that, unless an exception applies, only the minimum necessary PHI to achieve the intended purpose is disclosed." It also notes that a regulated entity "may need to evaluate its relationships with tracking technology vendors to determine whether such vendors meet the definition of a business associate and to ensure that disclosures to such vendors are permitted by the Privacy Rule." OCR closes the bulletin with several compliance reminders:
- The HIPAA Privacy Rule does not permit a regulated entity to disclose PHI to tracking technology vendors solely on the basis that the individual was told of the possibility or occurrence of such disclosure in a privacy policy or privacy notice. Regulated entities must ensure that every tracking technology vendor has signed a BAA and that any required authorization is in place before PHI is disclosed.
- A cookie consent banner does not constitute a valid HIPAA authorization for a vendor to collect, disclose, use, or store PHI.
- It is not sufficient for a technology vendor merely to agree to remove PHI from the information it receives, or to de-identify PHI before storing it. If PHI is disclosed to a vendor without the individual's authorization, the vendor must have a signed BAA, and the disclosure must be one the Privacy Rule permits.
Beyond the bulletin, technology and health care companies that collect health data must also ensure they comply with state privacy and consumer protection laws. HIPAA is often the foundation of health care privacy compliance, but states may choose to pass and enforce more demanding privacy and consumer protection laws of their own.