OCR Highlights Requirements for Online Tracking

Last month, the OCR released a bulletin to highlight healthcare organizations’ requirements under HIPAA regarding different forms of online tracking. 

We’ve seen major patient privacy concerns show up in this area over the past year, as healthcare websites use Google Analytics or Meta Pixel to collect information on their visitors. Some providers have been sharing electronic PHI with these third-party tracking vendors, in several cases violating HIPAA rules. The result has been HIPAA security and privacy breaches, because protected data is being shared with third parties.

How Do I Prevent This?

How do you know for sure that you’re meeting HIPAA requirements for online data security? The Bulletin explains some potential vulnerabilities, as well as the ins and outs of how these common tracking technologies work.

“Specifically, the Bulletin provides insight and examples of:

- Tracking on webpages
- Tracking within mobile apps
- HIPAA compliance obligations for regulated entities when using tracking technologies”

A recent breach in this category affected 500,000 patients; it was the second online tracking breach to be recorded. The first, reported to the HHS by a large midwestern health system, involved 3 million patients.

There is a lot of utility in these tracking tools for understanding your patients’ online journey and preferences, but you need to make sure that no protected health information is being fed to Facebook and Google. The OCR said the following regarding the data gathered by these scripts or code:

“Such insights could be used in beneficial ways to help improve care or the patient experience. However, this tracking information could also be misused to promote misinformation, identity theft, stalking, and harassment.”

From OCR Director Melanie Fontes Rainer: “Providers, health plans, and HIPAA-regulated entities, including technology platforms, must follow the law. This means considering the risks to patients’ health information when using tracking technologies.”

How Do I Ensure I Am Taking the Necessary Precautions?

Several practical implementation steps for following privacy law were outlined, including:

- All PHI disclosures must be in compliance with the Privacy Rule, and providers must disclose only the minimum necessary amount of data.
- Providers must establish and regularly update a Business Associate Agreement with any tracking technology vendor that meets the HIPAA definition of a “business associate.”
- Tracking technologies must be addressed in an organization’s regular Security Risk Assessment and continual risk management activities.
- If PHI is compromised, the affected individuals, the Secretary, and when appropriate, the media, must be provided with a breach notification.

If you have questions about how to ensure your patients’ data is safe from online tracking, please reach out to your team at Medcurity. We exist to help you with compliance, so that you can focus on providing the best patient care. The work you’re doing for your patients is so important, and we’re honored to be working with you to keep their data secure in 2023. 

Read the Bulletin here: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html