E Point Perfect
Law \ Legal

HHS Releases Bulletin on Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates


On December 1, 2022, the Office for Civil Rights at the U.S. Department of Health and Human Services (“HHS”) released a Bulletin on the obligations of HIPAA covered entities and business associates under the HIPAA Privacy, Security, and Breach Notification Rules when using online tracking technologies. 

In the Bulletin, HHS warned, for example, that some HIPAA-regulated entities may be sharing electronic protected health information (“PHI”) with online tracking technology vendors in violation of the HIPAA Privacy Rule. Tracking technologies used by regulated entities may have access to PHI, such as an individual’s IP address, medical record number, home or email address, appointment dates, diagnosis and treatment information, prescription information and billing information. According to HHS, some regulated entities may routinely share PHI with tracking technology vendors through mobile apps and webpages.

The Bulletin notes that compliance with the HIPAA Privacy, Security and Breach Notification Rules when using tracking technologies requires, for example, providing appropriate notification in case of a breach, implementing technological and administrative safeguards, ensuring that vendors can access only the minimum PHI necessary for their services, and establishing a Business Associate Agreement with tracking technology vendors that qualify as “business associates” under HIPAA.


Source link

Related posts

Even picking them out is not without danger, but Colorado voters favor making them legal


Another discouraging dispatch about BOP’s shaky First Step Act steps

Highlights from COP27: Decarbonization Day

Advisory Opinion 22-19: OIG Warns That Proposed Drug Cost Subsidization Arrangement May Warrant Sanctions

FSA sets out plan to fill gaps in lab system