In the wake of several reported breaches involving web-tracking technologies such as Meta Pixel, the HHS Office for Civil Rights (OCR) has clarified that covered entities (CEs) and business associates (BAs) are not permitted to use the technologies “in a manner that would result in impermissible disclosures of PHI [protected health information] to tracking technology vendors or any other violations of the HIPAA Rules.”[1]
In addition, the guidance said regulated entities must ensure that all vendors of tracking technology have signed a business associate agreement (BAA) “and that there is an applicable permission prior to a disclosure of PHI.”
These will be major issues in 2023, considering the proliferation of these trackers on health care organizations’ websites and the ensuing public uproar, which has led to queries from federal lawmakers, breach disclosures and lawsuits, said David Harlow, chief compliance and privacy officer for Insulet Corporation.
“Covered entities should be paying attention to this given the news stories, the potential class-action lawsuits and the OCR guidance,” Harlow said. “Some are able to dedicate the resources to remediate any outstanding issues promptly. Unfortunately, it is likely that not all covered entities will deal with this issue proactively, given competing priorities and resource constraints. The monetization of our digital exhaust is a pervasive issue. As has been getting more coverage lately, digital health companies that are not covered entities may be using and sharing health information as well.”
Rebecca Herold, president of SIMBUS360.com and CEO of The Privacy Professor, said she knows attorneys who have health care clients coming to them to discuss the possibility of civil suits. “It is going to become an even greater issue in 2023, when the concern goes from Meta Pixel tracking, which is already widespread, to the use of other types of web beacons, which multiplies the digital tracking instances dramatically,” she explained.
“Very few covered entities are paying enough attention to this issue,” Herold said. “And virtually no business associates are proactively addressing this issue—they are simply continuing to use them until they hear from their CE clients to direct them to stop.”