Over 100 Washington Auctions End Today - Bid Now

Spanish Spanish

Use of online tracking technologies by HIPAA covered entities and business associates

Press releases may be edited for formatting or style | March 21, 2024
Share

Furthermore, tracking technology vendors are business associates if they create, receive, maintain, or transmit PHI on behalf of a regulated entity for a covered function (e.g., health care operations25) or provide certain services to or for a covered entity (or another business associate) that involve the disclosure of PHI. In these circumstances, regulated entities must ensure that the disclosures made to such vendors are permitted by the Privacy Rule and enter into a business associate agreement (BAA) with these tracking technology vendors to ensure that PHI is protected in accordance with the HIPAA Rules.26 27 For example, if an individual makes an appointment through the website of a covered health clinic28 for health services and that website uses third party tracking technologies, then the website might automatically transmit information regarding the appointment and the individual’s IP address to a tracking technology vendor. In this case, the tracking technology vendor is a business associate, and a BAA is required.

Tracking on unauthenticated webpages

Regulated entities may also have unauthenticated webpages, which are webpages that do not require users to log in before they are able to access the webpage, such as a webpage with general information about the regulated entity like their location, visiting hours, employment opportunities, or their policies and procedures. Tracking technologies on many unauthenticated webpages do not have access to individuals’ PHI; in this case, a regulated entity’s use of such tracking technologies is not regulated by the HIPAA Rules. However, in some cases, tracking technologies on unauthenticated webpages may have access to PHI, in which case the HIPAA Rules apply to the regulated entities’ use of tracking technologies and disclosures to the tracking technology vendors. Regulated entities are required to “[e]nsure the confidentiality, integrity, and availability of all electronic PHI the [regulated entity] creates, receives, maintains, or transmits.”29 Thus, regulated entities that are considering the use of online tracking technologies should consider whether any PHI will be transmitted to a tracking technology vendor, and take appropriate steps consistent with the HIPAA Rules.

The examples below illustrate when certain visits to an unauthenticated webpage may or may not involve the disclosure of PHI.

Visits to unauthenticated webpages do not result in a disclosure of PHI to tracking technology vendor if the online tracking technologies on the webpages do not have access to information that relates to any individual’s past, present, or future health, health care, or payment for health care.
Sign up for Weekly Top stories

You Must Be Logged In To Post A Comment

Sign up for Weekly Top stories

 

advertisement

U.S. Healthcare Homepage

Continued Medicare reimbursement declines could threaten access to physicians
AMA responds to UnitedHealth confirmation of stolen data from Change Healthcare
Anesthesiologist, emergency physician, and radiologist groups back Texas Medical Association challenge to No Surprises Act
New AAMC report shows continuing projected physician shortage
Eskenazi Health announces upcoming opening of new Eastside location
IU Health upsizes downtown hospital project to better serve Indiana
The IAEA joins forces with US Radiological Society RSNA to advance radiology capacities in low- and middle-income countries
ACP survey finds that physicians are concerned about private equity investment in the healthcare sector
Hackensack Meridian Health to break ground on first in the nation health & wellness center at a transit hub
INFINITT North America earns 2024 great place to work certification