On December 1, 2022, the Office for Civil Rights at the U.S. Department of Health and Human Services (“HHS”) released a Bulletin on the obligations of HIPAA covered entities and business associates under the HIPAA Privacy, Security, and Breach Notification Rules when using online tracking technologies. 

In the Bulletin, HHS warned, for example, that some HIPAA-regulated entities may be sharing electronic protected health information (“PHI”) with online tracking technology vendors in violation of the HIPAA Privacy Rule. Tracking technologies used by regulated entities may have access to PHI, such as an individual’s IP address, medical record number, home or email address, appointment dates, diagnosis and treatment information, prescription information and billing information. According to HHS, some regulated entities may routinely share PHI with tracking technology vendors through mobile apps and webpages.

The Bulletin notes that compliance with the HIPAA Privacy, Security and Breach Notification Rules when using tracking technologies requires, for example, providing appropriate notification in case of a breach, implementing technological and administrative safeguards, ensuring that vendors can access only the minimum PHI necessary for their services, and establishing a Business Associate Agreement with tracking technology vendors that qualify as “business associates” under HIPAA.