We've known for years that personally owned health devices (e.g. FitBit, etc.) aren't regulated by HIPAA, and we concluded that if a doctor or other medical professional uses one for treatment, the device and the associated processes need to be HIPAA compliant. On December 1st, the HHS Office for Civil Rights (OCR) issued a bulletin on the requirements for online tracking technologies; its guidance goes beyond wearables and includes examples such as Google Analytics and Meta Pixel.
This information is important for organizations developing or using technology to track patient activities, including mobile apps. To be clear, HIPAA applies to ePHI shared through the use of online tracking technologies (e.g. when a patient uses their healthcare portal). OCR summarized this by saying "...Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules..."
Some ways tracking could cause harm if used impermissibly include monitoring how often someone uses a system (e.g. mental health telehealth), their diagnosis, where they seek treatment, etc. For those who aren't familiar with tracking, OCR states, "...Generally, a tracking technology is a script or code on a website or mobile app used to gather information about users as they interact with the website or mobile app. After information is collected through tracking technologies from websites or mobile apps, it is then analyzed by owners of the website or mobile app (“website owner” or “mobile app owner”), or third parties, to create insights about users’ online activities..." All of these processes must comply with the HIPAA Rules, including and especially when a third party (i.e. a business associate) is involved.
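One way a privacy team can check whether a patient-portal page loads the kind of tracking technology the bulletin describes, as an added example that is not part of the bulletin or this post: scan the page's HTML for script, pixel and inline-tag loads from well-known tracking vendors and rate the risk higher on authenticated (post-login) pages, where the visitor is a known patient. The vendor hostnames are public domains for the two vendors named above; the sample HTML is constructed for the demo.

```python
"""Audit a patient-portal page for third-party tracking technologies."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Hostnames used by the tracking vendors the bulletin gives as examples.
TRACKER_HOSTS = {
    "www.googletagmanager.com": "Google Analytics / Tag Manager",
    "www.google-analytics.com": "Google Analytics",
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel (noscript image)",
}
# Inline initialisation calls that load a tracker without an external src.
INLINE_PATTERNS = {"Meta Pixel": re.compile(r"\bfbq\s*\(\s*['\"]init"),
                   "Google Analytics": re.compile(r"\bgtag\s*\(\s*['\"]config")}


class TrackerScanner(HTMLParser):
    """Collects external script/img/iframe loads and inline script text."""
    def __init__(self):
        super().__init__()
        self.findings, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") or ""
        host = urlparse(src).hostname or ""
        if tag in ("script", "img", "iframe") and host in TRACKER_HOSTS:
            self.findings.append((TRACKER_HOSTS[host], src))
        self._in_script = tag == "script"

    def handle_data(self, data):
        if self._in_script:
            for vendor, pat in INLINE_PATTERNS.items():
                if pat.search(data):
                    self.findings.append((vendor, "inline script"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def scan_page(html, authenticated=False):
    """Return (vendor, source, risk) tuples; risk is 'high' on authenticated
    pages because any disclosure there is tied to an identifiable patient."""
    scanner = TrackerScanner()
    scanner.feed(html)
    risk = "high" if authenticated else "review"
    return [(vendor, src, risk) for vendor, src in scanner.findings]


# Constructed sample: a post-login portal page carrying both vendors' tags.
SAMPLE_PORTAL_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script>window.dataLayer=[];function gtag(){dataLayer.push(arguments)}gtag('config','G-XXXX');</script>
<script>!function(f){}(window);fbq('init','1234');fbq('track','PageView');</script>
</head><body><noscript><img src="https://www.facebook.com/tr?id=1234&ev=PageView"/></noscript>
<h1>Appointments: Behavioral Health</h1></body></html>"""
```

Running `scan_page(SAMPLE_PORTAL_HTML, authenticated=True)` reports four high-risk findings (the Tag Manager script, the inline gtag and fbq calls, and the noscript pixel image); a page with no tracker references returns an empty list.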
Just remember to keep ePHI as private as you'd expect your closest secrets to be kept. Click the link to read the source material.
Stay (HIPAA) safe,