OCR Issues Guidance, Checklist on Web-Tracking Technologies

By Jane Anderson

In the wake of several reported breaches involving web-tracking technologies such as Meta Pixel, the HHS Office for Civil Rights (OCR) has clarified that covered entities (CEs) and business associates (BAs) are not permitted to use the technologies “in a manner that would result in impermissible disclosures of PHI [protected health information] to tracking technology vendors or any other violations of the HIPAA Rules.”[1]

In addition, the guidance said regulated entities must ensure that all vendors of tracking technology have signed a business associate agreement (BAA) “and that there is an applicable permission prior to a disclosure of PHI.”

These will be major issues in 2023, considering the proliferation of these trackers on health care organizations’ websites and the ensuing public uproar, which has led to queries from federal lawmakers, breach disclosures and lawsuits, said David Harlow, chief compliance and privacy officer for Insulet Corporation.

“Covered entities should be paying attention to this given the news stories, the potential class-action lawsuits and the OCR guidance,” Harlow said. “Some are able to dedicate the resources to remediate any outstanding issues promptly. Unfortunately, it is likely that not all covered entities will deal with this issue proactively, given competing priorities and resource constraints. The monetization of our digital exhaust is a pervasive issue. As has been getting more coverage lately, digital health companies that are not covered entities may be using and sharing health information as well.”

Rebecca Herold, president of SIMBUS360.com and CEO of The Privacy Professor, said she knows attorneys who have health care clients coming to them to discuss the possibility of civil suits. “It is going to become an even greater issue in 2023, when the concern goes from Meta Pixel tracking, which is already widespread, to the use of other types of web beacons, which multiplies the digital tracking instances dramatically,” she explained.

“Very few covered entities are putting enough attention to this issue,” Herold said. “And virtually no business associates are proactively addressing this issue—they are simply continuing using them until they hear from their CE clients to direct them to stop.”

This document is only available to subscribers. Please log in or purchase access.
Purchase Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings