On March 18, 2024, The Office for Civil Rights OCR revised its guidance on “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” and issued a bulletin to remind regulated entities and the public that the use of online tracking technologies is subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules (“HIPAA Rules”). OCR confirmed that these online tracking technologies, like Google Analytics or Meta Pixel, collect and analyze information about how users are interacting with a regulated entity’s website or mobile application. See the link below:

Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates | HHS.gov

OCR administers and enforces the HIPAA Rules, including by investigating breach reports and complaints about regulated entities’ noncompliance with the HIPAA Rules. A regulated entity’s failure to comply with the HIPAA Rules may result in a civil money penalty. Significantly, the bulletin makes quite clear that Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules. For example, disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures. An impermissible disclosure of an individual’s PHI not only violates the Privacy Rule¹⁰ but also may result in a wide range of additional harms to the individual or others. For example, an impermissible disclosure of PHI may result in identity theft, financial loss, discrimination, stigma, mental anguish, or other serious negative consequences to the reputation, health, or physical safety of the individual or to others identified in the individual’s PHI. Such disclosures can reveal highly sensitive information about an individual, including diagnoses, frequency of visits to a therapist or other health care professionals, and where an individual seeks medical treatment, all in violation of both HIPAA and state privacy laws.

OCR is prioritizing compliance with the HIPAA Security Rule in investigations into the use of online tracking technologies. OCR’s principal interest in this area is ensuring that regulated entities have identified, assessed, and mitigated the risks to ePHI when using online tracking technologies and have implemented the Security Rule requirements to ensure the confidentiality, integrity, and availability of ePHI. OCR investigations are fact-specific and may involve the review of technical information regarding a regulated entity’s use of any tracking technologies. OCR considers all the available evidence in determining compliance and remedies for potential noncompliance.

Regulated entities should closely follow the OCR guidance. Importantly, health insurers and health plans must audit any third-party vendors and brokers and agents or other business associates as to web trackers used in connection with plan marketing to assure compliance with this guidance.