A recent bulletin from the US Department of Health and Human Services (HHS) calls for all covered entities to review the tracking technology on their websites. Using cookies, pixels, and other tracking technologies on healthcare websites raises concerns about protecting personal health information and compliance with HIPAA. HIPAA is a federal law that sets forth requirements for covered entities, including healthcare providers, health plans, and business associates. Given the recent steep rise in cybersecurity events, this article summarizes the HHS bulletin and provides resources for interested parties who wish to maintain a HIPAA-compliant website.
If a covered entity or business associate uses tracking technologies on its HIPAA-compliant website that involve the collection, use, or disclosure of protected health information (PHI), it must ensure that the technologies are used in compliance with the HIPAA Privacy Rule. This means implementing appropriate safeguards to protect the personal health information collected through tracking technologies and obtaining individuals’ consent for collecting, using, and disclosing their PHI.
Failure to comply with HIPAA can result in penalties for covered entities and business associates, including fines and possible criminal prosecution. Therefore, it is important for covered entities and business associates to understand their obligations under HIPAA when using online tracking technologies to protect the privacy of personal health information and avoid potential penalties.
HHS Bulletin Calls for Review of Tracking Technology on HIPAA-Compliant Websites
The recent HHS bulletin explains how the use of tracking technologies by regulated entities is governed by the HIPAA Rules, as explained below.
- Tracking technology is any tool or mechanism used to collect, store, or analyze data about an individual’s online activities. This can include cookies, web beacons, and other similar technologies. Tracking technologies are widespread and commonly used for various purposes, including advertising, analytics, and customer relationship management.
- The HIPAA Rules apply to tracking technologies by regulated entities, such as healthcare providers, health plans, and their business associates. Regulated entities must ensure that any use of tracking technologies complies with the HIPAA Rules, including the requirements for notice and authorization, as well as the safeguards for protecting the privacy and security of PHI.
- Tracking on user-authenticated web pages refers to the use of tracking technologies on web pages that require the user to log in with a username and password. Regulated entities must ensure that any tracking technologies used on these web pages do not collect or disclose PHI without the individual’s authorization.
- Tracking on unauthenticated web pages refers to the use of tracking technologies on web pages that do not require the user to log in. Regulated entities must ensure that any tracking technologies used on these web pages do not collect or disclose PHI without the individual’s authorization.
- Tracking within mobile apps refers to the use of tracking technologies within mobile applications. Regulated entities must ensure that any tracking technologies used in their mobile apps do not collect or disclose PHI without the individual’s authorization.
- HIPAA compliance obligations for regulated entities when using tracking technologies include ensuring that notice and authorization requirements are met and that appropriate safeguards are in place to protect the privacy and security of PHI. Regulated entities must also carefully review and monitor the practices of their business associates to ensure that they comply with HIPAA.
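The review the bulletin calls for starts with an inventory: which third-party hosts does each page load scripts, pixels, or frames from, and is that page authenticated? The script below is an added example written for this article, not code from HHS or Telehealth.org. It uses only the Python standard library, the HTML is a constructed sample with fictional hostnames, and the FIRST_PARTY set is an assumed allowlist that a real review would replace with the entity's own domains.

```python
"""Inventory third-party tracking technologies embedded in a web page.

Added example (not from the HHS bulletin or Telehealth.org): given a page's
HTML and the entity's own hostnames, list every <script>, <img>, and <iframe>
that loads from a third-party host, so each one can be checked for whether it
can receive PHI on the page where it appears.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a fictional patient-portal page with a first-party app
# script, a third-party analytics script, a 1x1 tracking pixel that carries a
# user identifier in its query string, a first-party logo, and an embedded
# third-party widget.
SAMPLE_HTML = """
<html><head>
<script src="https://portal.example-clinic.test/static/app.js"></script>
<script src="https://analytics.example-tracker.test/tag.js"></script>
</head><body>
<img src="https://pixel.example-tracker.test/p.gif?uid=123" width="1" height="1">
<img src="/images/logo.png">
<iframe src="https://maps.example-widget.test/embed"></iframe>
</body></html>
"""

# Assumed allowlist of the entity's own hostnames (hypothetical values).
FIRST_PARTY = {"portal.example-clinic.test", "www.example-clinic.test"}


class TrackerInventory(HTMLParser):
    """Collects resource loads from <script>, <img>, and <iframe> tags whose
    host is not in the first-party allowlist."""

    def __init__(self, first_party):
        super().__init__()
        self.first_party = first_party
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "img", "iframe"):
            return
        attrs = dict(attrs)
        src = attrs.get("src")
        if not src:
            return
        host = urlparse(src).hostname
        if host is None or host in self.first_party:
            return  # relative or first-party resource: not a third-party load
        finding = {"tag": tag, "host": host, "src": src, "kind": tag}
        # A 1x1 image is the classic tracking pixel; label it explicitly.
        if tag == "img" and attrs.get("width") == "1" and attrs.get("height") == "1":
            finding["kind"] = "pixel"
        # A query string on a third-party load is data leaving the page.
        finding["sends_params"] = "?" in src
        self.findings.append(finding)


def inventory_trackers(html, first_party=FIRST_PARTY):
    """Return the list of third-party loads found in the HTML."""
    parser = TrackerInventory(first_party)
    parser.feed(html)
    parser.close()
    return parser.findings


def review_report(html, authenticated, first_party=FIRST_PARTY):
    """Tag each finding with the page's authentication status, which is what
    the bulletin makes the reviewer decide on: on an authenticated page the
    visitor is an identified patient, so every third-party load is a potential
    PHI disclosure and needs authorization review."""
    report = []
    for f in inventory_trackers(html, first_party):
        row = dict(f)
        row["page"] = "authenticated" if authenticated else "unauthenticated"
        row["needs_authorization_review"] = authenticated or f["sends_params"]
        report.append(row)
    return report


if __name__ == "__main__":
    for row in review_report(SAMPLE_HTML, authenticated=True):
        print(f"{row['kind']:<7} {row['host']:<32} params={row['sends_params']} "
              f"review={row['needs_authorization_review']}")
```

Run against a saved copy of each page on the site, with the real first-party hostnames in FIRST_PARTY, the report gives a per-page list of third-party hosts to check against the business associate agreements and the consent notice the later requirements list describes. Resources added at runtime by JavaScript will not appear in static HTML, so a browser-side capture of network requests is needed to complete the inventory.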
To be considered HIPAA compliant, a website must meet these requirements set forth by the HIPAA Privacy Rule:
- Implementing appropriate administrative, physical, and technical safeguards to protect the privacy of personal health information collected, used, or disclosed through the website.
- Obtaining individuals’ consent for collecting, using, and disclosing their personal health information through the website.
- Ensuring that the website is secure and that personal health information is not accessible to unauthorized individuals.
- Providing individuals with a clear and concise notice about the website’s privacy practices, including how their personal health information will be collected, used, and disclosed.
- Providing individuals with the ability to access, correct, or update their personal health information through the website.
- Ensuring that any third-party service providers or business associates who may have access to personal health information through the website are also HIPAA compliant.
- Staying current with HIPAA requirements is required by law for all practitioners and other covered entities. See the other Telehealth.org articles below or consider taking the Telehealth.org Basic Telehealth Legal Issues professional training program for a roadmap to HIPAA compliance for your telehealth practice.
Other Telehealth.org HIPAA-Related News
HIPAA Compliant Cybersecurity for Professionals
Must-know information about how to protect your telehealth practice from a ransomware attack. Operate with EYES WIDE OPEN.
HIPAA Compliant Social Media for Professionals
Tips and tricks for using social media to grow your practice without violating legal requirements.