
OCR Issues Online Tracking Technology Guidance for HIPAA Covered Entities and Business Associates | JD Supra


The US Department of Health and Human Services Office for Civil Rights (OCR) published guidance on the use of online tracking technologies by entities operating as covered entities and business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The guidance is relevant to all HIPAA-regulated entities that maintain websites and mobile apps.

Tracking technologies are used to collect and analyze information about how users interact with websites or mobile applications. The guidance broadly defines tracking technology as “a script or code on a website or mobile app used to gather information about users as they interact with the website or mobile app” that is then “analyzed by owners of the website or mobile app … or third parties, to create insights about users’ online activities.” [1]

Examples of tracking technologies include cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts. The guidance notes that the use of tracking technologies may not be readily apparent to the user.

The guidance generally states that all “individually identifiable health information” collected on a covered entity’s or business associate’s website or mobile app is protected health information (PHI) because, when the user’s information is collected, that information connects the user to the covered entity or business associate and relates to the user’s treatment or payment for care. The guidance specifies that this is true even when the user does not have an existing relationship with the entity and even when the information does not include treatment or billing information.

The guidance states that, “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.” The OCR distinguishes between personal information collected through tracking technologies in connection with user-authenticated webpages and unauthenticated webpages. A user-authenticated webpage requires a user to log in before they can access the page, such as a health plan beneficiary portal or a telehealth platform. Personal information collected through a cookie or pixel on a user-authenticated webpage is considered PHI because it is directly associated with a covered entity.

Therefore, any disclosure of PHI collected through such a tracking technology, including disclosures to the tracking technology vendor, must comply with HIPAA. A tracking technology vendor that receives PHI collected from a user-authenticated webpage must generally enter into a business associate agreement with the covered entity.

Unauthenticated webpages are webpages that do not require users to log in before they can access the webpage, such as a webpage with general information about the regulated entity (e.g., the homepage of a hospital or health plan website). Unauthenticated webpages generally do not have access to PHI and are not subject to the HIPAA rules. However, if an unauthenticated webpage allows users to enter registration information or other PHI, then the HIPAA rules apply.

The guidance stresses, “because of the proliferation of tracking technologies collecting sensitive information, now more than ever, it is critical for regulated entities to ensure that they disclose PHI only as expressly permitted or required by the HIPAA Privacy Rule.”

If a HIPAA-regulated entity uses tracking technology, the guidance indicates that it should take the following into consideration:

  • Ensure that all disclosures of PHI to tracking technology vendors are specifically permitted by the HIPAA Privacy Rule and that, unless an exception applies, only the minimum necessary PHI is disclosed.
  • Enter into a HIPAA business associate agreement with a tracking technology vendor that acts as a business associate.
  • If disclosure is not permitted under a HIPAA Privacy Rule exception, or if the vendor is not a business associate, then obtain the user’s HIPAA authorization before disclosing PHI to the tracking technology vendor.
  • Factor the use of tracking technologies into the entity’s security risk analysis and risk management plan and processes.
  • Implement administrative, physical, and technical safeguards to protect PHI as required by the HIPAA Security Rule.
  • Enable and use appropriate authentication, access, encryption, and audit controls when accessing PHI maintained in the tracking technology vendor’s infrastructure.
  • Provide breach notification to affected users, the OCR, and the media, as applicable, of an impermissible disclosure of PHI to a tracking technology vendor.

The guidance also notes that, regardless of the type of tracking technology used, privacy policies, notices, terms and conditions, and website banners that merely describe, or ask users to accept or reject, the use of tracking technologies generally do not constitute a valid HIPAA authorization.

The US Federal Trade Commission’s (FTC’s) March 2, 2023 proposed order with BetterHelp Inc., a provider of online counseling services, also focused on the disclosure of personal health information to social media platforms through online tracking technologies, although that enforcement action did not arise under HIPAA. In response to a series of recent court cases, regulatory actions and guidance with respect to the use of online tracking technologies, some cyberliability insurance carriers have begun to send questionnaires to HIPAA covered entity insureds regarding their use of cookies and pixels.

HIPAA covered entities and business associates alike should review the new guidance and, if they have not already, initiate a discussion between their website and app developers and their privacy compliance team to evaluate the entities’ current use of online tracking technologies.

[1] US Dep’t of Health and Human Servs., Off. for Civil Rights, Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates, HHS (Dec. 1, 2022).
