Printer Friendly, PDF & Email

OCR Issues Guidance, Checklist on Web-Tracking Technologies

In the wake of several reported breaches involving web-tracking technologies such as Meta Pixel, the HHS Office for Civil Rights (OCR) has clarified that covered entities (CEs) and business associates (BAs) are not permitted to use the technologies “in a manner that would result in impermissible disclosures of PHI [protected health information] to tracking technology vendors or any other violations of the HIPAA Rules.”[1]

In addition, the guidance said regulated entities must ensure that all vendors of tracking technology have signed a business associate agreement (BAA) “and that there is an applicable permission prior to a disclosure of PHI.”

These will be major issues in 2023, considering the proliferation of these trackers on health care organizations’ websites and the ensuing public uproar, which has led to queries from federal lawmakers, breach disclosures and lawsuits, said David Harlow, chief compliance and privacy officer for Insulet Corporation.

“Covered entities should be paying attention to this given the news stories, the potential class-action lawsuits and the OCR guidance,” Harlow said. “Some are able to dedicate the resources to remediate any outstanding issues promptly. Unfortunately, it is likely that not all covered entities will deal with this issue proactively, given competing priorities and resource constraints. The monetization of our digital exhaust is a pervasive issue. As has been getting more coverage lately, digital health companies that are not covered entities may be using and sharing health information as well.”

Rebecca Herold, president of and CEO of The Privacy Professor, said she knows attorneys who have health care clients coming to them to discuss the possibility of civil suits. “It is going to become an even greater issue in 2023, when the concern goes from Meta Pixel tracking, which is already widespread, to the use of other types of web beacons, which multiplies the digital tracking instances dramatically,” she explained.

“Very few covered entities are putting enough attention to this issue,” Herold said. “And virtually no business associates are proactively addressing this issue—they are simply continuing using them until they hear from their CE clients to direct them to stop.”

This document is only available to subscribers. Please log in or purchase access.

Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field