On March 18, 2024, OCR revised its guidance on “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” to remind regulated entities and the public that the use of online tracking technologies is subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules (“HIPAA Rules”). These online tracking technologies, like Google Analytics or Meta Pixel, collect and analyze information about how users are interacting with a regulated entity’s website or mobile application.
OCR’s information bulletin reminds regulated entities that they can use online tracking technologies provided that the entities comply with their obligations under the HIPAA Rules. The HIPAA Rules apply when the information that regulated entities collect through tracking technologies or disclose to tracking technology vendors includes electronic protected health information (ePHI). Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA Rules.
OCR’s Bulletin provides a general overview of how the HIPAA Rules apply to covered entities’ and business associates’ use of tracking technologies. Today’s updates to the Bulletin include:
- Additional examples of when visits to an unauthenticated webpage may or may not involve the disclosure of ePHI.
- Additional tips for complying with the HIPAA Rules when using online tracking technologies.
- Guidance about OCR’s enforcement priorities in investigations involving regulated entities’ use of online tracking technologies.
To view OCR’s updated guidance, click here.