Health care providers, heath plans, health care clearinghouses and their business associates (covered entities) should verify that any online tracking technology used in their or their business partner websites or mobile applications comply with the Department of Health and Human Services, Office of Civil Rights (OCR) updated guidance on “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” published March 18, 2024.

The Guidance reminds covered entities that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules (HIPAA Rules) apply to their use of online tracking technologies like Google Analytics or Meta Pixel, collect and analyze information about how users are interacting with a regulated entity’s website or mobile application.

The HIPAA Rules apply when the information that regulated entities collect through tracking technologies or disclose to tracking technology vendors includes electronic protected health information (ePHI).

OCR’s information bulletin reminds covered entities that they can only use online tracking technologies provided that the entities comply with their obligations under the HIPAA Rules. Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA Rules.

OCR’s Bulletin provides a general overview of how the HIPAA Rules apply to covered entities use of tracking technologies. It also updates to the Bulletin include:

• Additional examples of when visits to an unauthenticated webpage may or may not involve the disclosure of ePHI.
• Additional tips for complying with the HIPAA Rules when using online tracking technologies.
• Guidance about OCR’s enforcement priorities in investigations involving regulated entities’ use of online tracking technologies.

Covered entities need to understand that online tracking technologies commonly are included in Website, mobile application, and other Internet based tools. These tools frequently include online tracking even if not specifically requested by the covered entity. 

Covered entities should conduct a documented inventory of all website, mobile app, and other Internet, based tools that they or their business associates use, which includes an assessment of whether those tools include online tracking, or other technologies, covered by the guidance. For any online tools using tracking capability, cupboard entities, must ensure that the tool is designed and administered to comply with the HIPAA requirements. Overed entities also should adopt a process for regularly reevaluating and monitoring compliance with this and other HIPAA security requirements in their Internet based in other electronic applications that collect, use, store, access, or disclose electronic, protected health information.

Along with specifically evaluating the existence and compliance of any online tracking technologies, covered entities, also should reevaluate and reconfirm the adequacy of their electronic security overall. The HIPAA Rules require healthcare providers and other covered entities to regularly conduct documented risk assessments to verify the adequacy of their security safeguards, and to make updates to guard against emerging threats based on these recurrent assessments. The importance of compliance with this ongoing recurrent risk assessment obligation is repeatedly reinforced in each HIPAA settlement announced by OCR. See, e.g., OCR Nails Second HIPAA Covered For Allowing Ransomware Breach.

Covered entities should ensure that they and their business associates maintain compliance with these other HIPAA obligations.

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management, or public policy developments, please get in touch with the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297. 

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About the Author 

Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on heath benefit and other healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here. 

About Solutions Laws Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here, such as:

• California Fast Food Minimum Wage Jumps To $20/Hour 4/1
• Manage Health Plan HIPAA, ERISA & Other Exposures From Change Healthcare Ransomware Attack
• Wage & Hour Takes Aim At Restaurant & Other Hospitality Employers
• Prepare Defenses Against Rising Religious Discrimination Exposures
• Restaurant Pays $167K In Back Wages & Damages For Overtime Violation
• ICE Updates Forms I-942 and I-881
• $160K HIPAA Penalty Warns Health Plans & Other Covered Entities Deliver Timely Protected Health Information Access
• IRS Warns Of Fraudulent Promotion of COVID Employee Retention Credits
• OSHA Enforces Whistleblower Rights Of Worker Terminated For Expressing COVID-19 Safety Concerns
• Children’s Hospital Pays $45K To Resolve COVID Vaccine Religious Discrimination Suit
• Prepare Feedback! Tri-Agencies Plan To Reopen Surprise Billing Proposed Dispute Resolution Rule Comment Period
• EEOC Sexual Harassment Suit Against Texas Car Dealership Warns Other Employers To Manage Risks
• No Surprises Act Independent Dispute Resolution Portal Fully Reopened, New Fees Announced
• No Surprises Act Dispute Resolution Portal For All Covered Health Claims
• Health Plans Warned To Prevent Phishing By 1st Phishing-Related HIPAA Settlement
• Employer’s Overzealous I-9 Documentation Demand Triggers Civil Monetary Penalty
• Texas Private Employer COVID-19 Vaccination Mandates Prohibited Effective February 6, 2024
• Pizza Operator Faces Prison Time For Failing To Pay Employment Taxes;
• New HIPAA Resolution Agreement Warns Health Plans & Other HIPAA-Covered Entities To Manage Media Relations, Access & Disclosure
• IRS Announces 2024 HFSA, MSA, HDHP & Other Tax Inflation Adjustments Impacting 2024 Benefit, Withholding & Other Tax Planning
• Reviewing Newly Released 2024 Income Tax Tables Helpful For 2024 Benefit & Withholding Planning
• IRS Announces 2024 HFSA, MSA, HDHP & Other Tax Inflation Adjustments Impacting 2024 Benefit, Withholding & Other Tax Planning
• OCR Video Touts HIPAA Compliance To Avoid Costly HIPAA Penalties & Manage Cybersecurity Risks
• Work Opportunities Tax Credit Available For Certain Hires Through 2025
• DOL Sues 7-11 Franchise Owners Association Head for FLSA Pay, Record Keeping Violations
• IRS Shares Voluntary Correction Program Updates & Tips
• $80,000 Penalty Confirms Health Plans Exposure For Violating HIPAA Access Rights
• $4.4 Million Warning About Proper Billing On Government Projects
• OSHA Proposing To Expand Third Parties Allowed To Accompany Employees During Inspections
• Employers Should Prepare for Proposed DOL Rules To Disqualify Additional 4 Million Workers For FLSA Exempt Status
• Use Of New Form I-9 Employment Eligibility Verification Form Released 8/1 Permitted Now; Mandatory After 11/1
• Remote Work Role Not Justification For Failure To Accommodate Deaf Applicant, EEOC Charges
• Tri-Agencies Announce New Surprise Billing IDR Fees While Continuing IDR Suspension After Federal Court Ruling
• Surprise Billing IDR Health Plan Dispute Resolution Suspension After Federal Court Ruling Could Impact Plan Renewal Underwriting and Stop-Loss Coverage
• Accommodating Client Racial Preferences, No Excuse For Discriminatory Assignment Of Workers
• Employer’s Refusal To Allow Employee To Undergo Dialysis At Work Triggers EEOC ADA Discrimination & Retaliation Lawsuit
• OSHA Electronic Injury Reporting Requirements Changing January 1, 2024; Confirm Your Organization’s Status and Responsibilities Under New Rules
• Businesses Risk Out-Of-State Lawsuits, Regulation From Registering In Consent To Jurisdiction States and Contractual Consents To Jurisdiction
• EEOC “Level The Playing Field” Campaign Encourages Equal Pay Awareness and Enforcement
• Employers Face 8/30 Deadline To Complete & Document In-Person Inspections Of I-9 Documentation Examined Remotely During COVID-19 Emergency
• $350K Settlement Highlights Need For Plans & Plan Service Providers To Ensure Security, Business Associate & Other HIPAA Requirements Met
• EEOC COVID Guidance, Enforcement Highlights Need To Brace For COVID-Related ADA & Other Claims
• Austin Bar Faces EEOC Pregnancy Discrimination Suit Before Added PWFA Protections Take Effect June 27
• Education Association Union Sued For Race Discrimination
• Biden-⁠Harris Administration Ending COVID-⁠19 Vaccination Requ

This entry was posted on Tuesday, March 19th, 2024 at 9:00 AM and is filed under Corporate Compliance. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.