HHS issues guidance on the use of online tracking tools in healthcare CRM

The agency issued a bulletin clarifying that a notice of pixel use does not permit PHI disclosure and explaining when HIPAA-compliant authorizations for pixels are required.
By Andrea Fox
11:13 AM

Credit: U.S. Department of Health and Human Services

The U.S. Department of Health and Human Services issued a bulletin to highlight the obligations on covered entities and business associates under HIPAA's Privacy, Security and Breach Notification Rules when using online tracking technologies.

These tracking tools have caused a number of patient data security concerns, and there are several class-action lawsuits, creating a new challenge for healthcare organizations.

In a new bulletin, HHS is addressing how online tracking technologies, like Google Analytics or Meta Pixel, collect and analyze information on how internet users are interacting with a HIPAA-regulated entity’s websites or mobile applications.

"Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA Rules," the agency says. 

The bulletin explains what tracking technologies are, how they are used and what steps healthcare organizations and others must take to protect protected health information when using tracking technologies under HIPAA.

Specifically, the bulletin provides insight into and examples of:

  • Tracking on webpages.
  • Tracking within mobile apps.
  • HIPAA compliance obligations for regulated entities when using tracking technologies.

The HHS bulletin clarifies that notice of pixel use for the organization's customer relationship management practices does not permit PHI disclosure. It also provides guidance on when HIPAA-compliant authorizations are required.

Further, it's "insufficient" for tracking-technology vendors to be charged with removing or de-identifying PHI, the agency says.

"Providers, health plans, and HIPAA-regulated entities, including technology platforms, must follow the law. This means considering the risks to patients’ health information when using tracking technologies," said Melanie Fontes Rainer, HHS Office of Civil Rights director. 

"Our bulletin answers questions for those using tracking technologies, importantly how to protect the privacy and security of the health information they hold."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS publication.
