The Office of Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) and the Federal Trade Commission (“FTC”) have issued a letter, dated July 20, 2023 (the “Letter”), warning of potentially serious privacy and security risks related to the use of online tracking technologies by hospitals, insurers, TPAs, group health plans and other covered entities and business associates under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The Letter also discusses what tracking technologies are and reminds regulated entities of their obligations to comply with HIPAA when using tracking technologies.
Law. The HIPAA Privacy Rule establishes standards to protect individuals’ medical records and other protected health information (“PHI”). This rule applies to group health plans and their business associates, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. It requires regulated entities to implement appropriate safeguards to protect the privacy of PHI, and sets limits and conditions on the uses and disclosures of PHI that covered entities may make without individual authorization.
The HIPAA Security Rule applies to regulated entities that transmit PHI in electronic form (“e-PHI”). It requires regulated entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Specifically, regulated entities must ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit, and must identify and protect against reasonably anticipated threats to the security or integrity of that information.
According to OCR, “a tracking technology is a script or code on a website or mobile app used to gather information about users as they interact with the website or mobile app. After information is collected through tracking technologies from websites or mobile apps, it is then analyzed by owners of the website or mobile app… or third parties, to create insights about users’ online activities. Such insights could be used in beneficial ways to help improve care or the patient experience. However, this tracking information could also be misused to promote misinformation, identity theft, stalking, and harassment.”
HHS/FTC Letter. The Letter explains that, “The HIPAA Rules apply when the information that a regulated entity collects through tracking technologies or discloses to third parties (e.g., tracking technology vendors) includes PHI. HIPAA regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to third parties or any other violations of the HIPAA Rules.”
The Letter also notes that, “Even if you are not covered by HIPAA, you still have an obligation to protect against impermissible disclosures of personal health information under the FTC Act and the FTC Health Breach Notification Rule. This is true even if you relied upon a third party to develop your website or mobile app and even if you do not use the information obtained through use of a tracking technology for any marketing purposes.”
The Letter concludes that, “As recent FTC enforcement actions demonstrate, it is essential to monitor data flows of health information to third parties via technologies you have integrated into your website or app. The disclosure of such information without a consumer’s authorization can, in some circumstances, violate the FTC Act as well as constitute a breach of security under the FTC’s Health Breach Notification Rule.”
The Letter is available at: https://www.hhs.gov/sites/default/files/use-online-tracking-technologies.pdf