The bulletin discusses how the HIPAA rules apply to different types of online tracking technology, including tracking on user-authenticated webpages, on unauthenticated webpages, and within mobile apps. Appropriate use of online tracking technology under HIPAA is discussed in greater detail below.
Online Tracking Technology on User-Authenticated Webpages: Permitted?
A user-authenticated webpage, such as a patient portal or a health plan beneficiary portal, requires the user to log in before it can be accessed. Such pages generally have access to PHI. A HIPAA covered entity that includes tracking technologies on a user-authenticated webpage must configure those technologies so that they use and disclose PHI only as the Privacy Rule permits, and must protect and secure any electronic PHI (ePHI) the technologies collect in compliance with the Security Rule.
A tracking technology vendor may also be a business associate if it creates, receives, maintains, or transmits PHI on behalf of a HIPAA regulated entity for a covered function (e.g., health care operations). When a tracking technology vendor performs business associate functions for a regulated entity, the regulated entity must ensure that every disclosure of PHI to that vendor is permitted by the Privacy Rule.
The regulated entity and the business associate must (surprise!) also enter into a business associate agreement (BAA), which provides contractual assurances that the tracking technology vendor will appropriately safeguard patient PHI. For example, if a patient uses a provider's website to make an appointment, and that site uses third-party tracking technologies, the site might automatically transmit the appointment information, together with other protected information such as the user's IP address, to the tracking technology vendor. That vendor would be a business associate and would need to enter into a BAA with the provider.