OCR & Use of Online Tracking Technologies

The Office of Civil Rights revised its guidance supporting “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates" this week. Their aim is to "...remind regulated entities and the public that the use of online tracking technologies is subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules (“HIPAA Rules")..."

Aside from "sharing the news", we are posting this because we wonder if covered entities or business associates even realize that they may be violating The Rules by implementing technologies (e.g. Google Analytics, Meta Pixel, etc.) without realizing the information being collected. Collecting the information isn't necessarily unauthorized disclosure, as long as The Rules are followed (e.g. business associate agreements, minimum necessary, encryption, etc.). Patient portals and other technologies that are becoming more mainstream may have these features enabled and healthcare being healthcare, is probably more focused on the patient outcome and not the underlying bits and bytes.

Click the graphic below to view the OCR's document and...

Stay (HIPAA) safe, Alan -