In a December 2022 bulletin published by the Office for Civil Rights at the U.S. Department of Health and Human Services (HHS), HHS made clear that the use of third-party tracking technologies by covered entities and business associates is subject to HIPAA privacy and security rules. The use of tracking technologies developed by third-party vendors is increasingly common, and much of the LTCi industry is subject to HIPAA privacy and security rules as either covered entities or business associates. HHS noted in the bulletin that covered entities and business associates “are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of [protected health information (“PHI”)] to tracking technology vendors or any other violations of the HIPAA Rules.” And, as applied to the use of tracking technologies, HHS’s view of what constitutes PHI may be broader than expected.
What Are Tracking Technologies?
Tracking technologies (including cookies, pixels, and other similar technologies) collect information about individuals who interact with an entity’s website or mobile application (“mobile app”). Businesses use a variety of tracking technologies on websites and mobile apps to improve functionality and learn more about users’ activities. Tracking technologies developed by third parties generally involve the sharing of data back to that third party, so when a HIPAA-covered entity or business associate uses these tracking technologies, it must be cognizant of what data is being shared, with whom, and for what purpose.