Noncompliant Use of Website Tracking Technologies is an Enforcement Priority for OCR
If you are a HIPAA-covered entity and use tracking technologies on your websites or apps, you must ensure that they are HIPAA-compliant. The Director of the HHS’ Office for Civil Rights has confirmed that this aspect of compliance with the HIPAA Rules is now an enforcement priority for OCR and the department is actively looking into noncompliance by HIPAA-covered entities.
OCR Director, Melanie Fontes Rainer, confirmed in an interview with Information Security Media Group that enforcement actions will be taken very soon against HIPAA-regulated entities that use tracking technologies that disclose protected health information to third parties without authorization or business associate agreements. OCR has recently undergone restructuring to improve efficiency, which will allow it to undertake more enforcement actions against HIPAA-regulated entities for noncompliance with the HIPAA Rules.
Tracking technologies, often referred to as pixels, are snippets of code added to websites and apps that collect data about website users; they are typically used for website analytics to improve the quality of websites and services. While there is nothing wrong with improving services for website and app users, these tools often pass the data they collect to the third-party providers of the code. When an individual visits a healthcare website, the information collected may include data classed as protected health information, and disclosing that information to third parties not authorized to receive it is a HIPAA violation.
The disclosure of PHI via tracking technologies is not permitted by the HIPAA Privacy Rule unless the third party to which the information is disclosed is a business associate under HIPAA, the disclosure is permitted by the HIPAA Privacy Rule, and a HIPAA-compliant business associate agreement is in place. Alternatively, authorization must be obtained from website visitors prior to the collection and transmission of PHI.
Over the past two years, analyses of the use of these technologies by healthcare organizations such as hospitals, counseling providers, and telehealth companies have suggested that they are extensively used. One study indicates 99% of hospitals had added the tools to their websites.
Last year, OCR issued guidance to HIPAA-regulated entities on the use of these tools and confirmed how HIPAA applies to these tools. HIPAA-regulated entities have had several months to assess their websites and apps and either remove tracking code or ensure it is used in a manner compliant with the HIPAA Rules. The continued use of these tools and/or failure to send breach notifications when there have been confirmed disclosures of PHI to third parties will likely result in enforcement actions. The Federal Trade Commission is also cracking down on the use of these tools by non-HIPAA-regulated entities.
If you are a HIPAA-regulated entity, it is important to conduct an audit of your websites and apps to identify whether any tracking code is in use and whether there is the potential for PHI to be impermissibly disclosed to third parties. If such code is identified, it must be made HIPAA-compliant or be removed. If unauthorized disclosures of PHI have occurred, breach notifications must be issued to OCR and the affected individuals.
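As an added illustration of the audit step described above (example code, not from HIPAA Journal or OCR), the following Python script parses a page's HTML and lists every host outside a first-party allowlist from which scripts, images, iframes or link resources are loaded, including hosts referenced inside inline loader snippets. The sample page and all hostnames in it are constructed placeholders, not real vendors.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements whose attribute loads a resource, possibly from another origin
SRC_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


class ThirdPartyFinder(HTMLParser):
    """Collect every host outside the first-party set that a page loads content from."""

    def __init__(self, first_party_hosts):
        super().__init__()
        self.first_party = {h.lower() for h in first_party_hosts}
        self.findings = []          # (element, host, evidence)
        self._in_inline_script = False

    def _record(self, element, host, evidence):
        if host.lower() not in self.first_party:
            self.findings.append((element, host.lower(), evidence))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = SRC_ATTRS.get(tag)
        url = attrs.get(attr) if attr else None
        if url:
            host = urlparse(url).hostname  # None for relative (first-party) URLs
            if host:
                self._record(tag, host, url)
        # Inline <script> blocks with no src are where loader snippets usually live
        self._in_inline_script = tag == "script" and not attrs.get("src")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            for host in URL_RE.findall(data):
                self._record("inline-script", host, data.strip()[:60])


def audit_html(html, first_party_hosts):
    """Return (element, host, evidence) for each third-party resource found in html."""
    finder = ThirdPartyFinder(first_party_hosts)
    finder.feed(html)
    return finder.findings


# Constructed sample page; every host below is a placeholder
SAMPLE = """<html><head><script src="/static/app.js"></script>
<script src="https://cdn.clinic.example/lib.js"></script>
<script>(function(){var s=document.createElement('script');
s.src='https://tag.analytics-vendor.example/t.js';document.head.appendChild(s);})();</script>
</head><body><img src="//pixel.adnetwork.example/px.gif?page=appointments" width="1" height="1">
<iframe src="https://chat.clinic.example/widget"></iframe></body></html>"""
```

Each flagged host is a candidate for review: either the provider is a business associate with a BAA in place, or the code should be removed.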