USA: OCR publishes bulletin on HIPAA requirements for online tracking technologies
The U.S. Department of Health and Human Services ('HHS') Office for Civil Rights ('OCR') announced, on 1 December 2022, the release of its new bulletin highlighting the obligations of entities covered by the Health Insurance Portability and Accountability Act of 1996 ('HIPAA') and regulated under the HIPAA Privacy, Security, and Breach Notification Rules ('the HIPAA Rules') when using online tracking technologies. In particular, the OCR noted that these technologies collect and analyse information about how internet users interact with a regulated entity's website or mobile app, and that regulated entities may share electronic protected health information with online tracking technology vendors in ways that violate the HIPAA Rules.
Furthermore, the OCR explained that its bulletin addresses impermissible disclosures of electronic protected health information by HIPAA-regulated entities to online tracking technology vendors, and outlines what tracking technologies are, how they are used, and what steps those entities must take, in order to comply with the HIPAA Rules, to protect electronic protected health information when using tracking technologies. Specifically, the OCR mentioned that its bulletin provides examples of tracking on webpages and within mobile apps, and answers questions on how to protect the privacy and security of the health information processed by HIPAA-regulated entities.