OCR and HIPAA Compliance – The Next Step

Spilman Thomas & Battle, PLLC

Recently, lawsuits have been filed against Duke and WakeMed regarding their use of Meta’s Meta Pixel tracking product and the alleged improper disclosure of patients’ protected health information (“PHI”). The U.S. Department of Health and Human Services’ Office of Civil Rights (“OCR”) recently weighed in regarding the use of tracking technology by covered entities and business associates covered by HIPAA.

On December 2, 2022, the OCR issued a bulletin titled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” to give entities covered by HIPAA guidance on how to use online tracking technology and still protect patients’ PHI. The OCR decided to issue the bulletin after reports that patient PHI was transmitted to Facebook through tracking technology installed on hospital websites and within password-protected patient portals. The OCR instructed covered entities and business associates that they are not permitted to use tracking technologies in a way that would result in an impermissible disclosure of patient PHI. The bulletin also included the requirement that covered entities enter into business associate agreements with tracking technology vendors if those vendors create, maintain, or receive PHI. Additionally, “it is insufficient for a tracking technology vendor to agree to remove PHI from the information it receives or de-identify the PHI before the vendor saves the information.” Accordingly, a disclosure of PHI to a tracking technology vendor requires both that the vendor has executed a business associate agreement with the covered entity and that there is an applicable Privacy Rule permission for the disclosure. If patient PHI is disclosed to a tracking technology vendor in the absence of these two requirements, then that disclosure would be considered a breach and HIPAA notification requirements would apply, including notifying the OCR.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Spilman Thomas & Battle, PLLC | Attorney Advertising
