Over 20 Total Lots Up For Auction at One Location - TX Cleansweep 06/25

Use of online tracking technologies by HIPAA covered entities and business associates

Press releases may be edited for formatting or style | March 21, 2024

Furthermore, tracking technology vendors are business associates if they create, receive, maintain, or transmit PHI on behalf of a regulated entity for a covered function (e.g., health care operations25) or provide certain services to or for a covered entity (or another business associate) that involve the disclosure of PHI. In these circumstances, regulated entities must ensure that the disclosures made to such vendors are permitted by the Privacy Rule and enter into a business associate agreement (BAA) with these tracking technology vendors to ensure that PHI is protected in accordance with the HIPAA Rules.26 27 For example, if an individual makes an appointment through the website of a covered health clinic28 for health services and that website uses third party tracking technologies, then the website might automatically transmit information regarding the appointment and the individual’s IP address to a tracking technology vendor. In this case, the tracking technology vendor is a business associate, and a BAA is required.

Tracking on unauthenticated webpages

Regulated entities may also have unauthenticated webpages, which are webpages that do not require users to log in before they are able to access the webpage, such as a webpage with general information about the regulated entity like their location, visiting hours, employment opportunities, or their policies and procedures. Tracking technologies on many unauthenticated webpages do not have access to individuals’ PHI; in this case, a regulated entity’s use of such tracking technologies is not regulated by the HIPAA Rules. However, in some cases, tracking technologies on unauthenticated webpages may have access to PHI, in which case the HIPAA Rules apply to the regulated entities’ use of tracking technologies and disclosures to the tracking technology vendors. Regulated entities are required to “[e]nsure the confidentiality, integrity, and availability of all electronic PHI the [regulated entity] creates, receives, maintains, or transmits.”29 Thus, regulated entities that are considering the use of online tracking technologies should consider whether any PHI will be transmitted to a tracking technology vendor, and take appropriate steps consistent with the HIPAA Rules.

The examples below illustrate when certain visits to an unauthenticated webpage may or may not involve the disclosure of PHI.

Visits to unauthenticated webpages do not result in a disclosure of PHI to tracking technology vendor if the online tracking technologies on the webpages do not have access to information that relates to any individual’s past, present, or future health, health care, or payment for health care.

You Must Be Logged In To Post A Comment