New Warning for Providers: U.S. Department of Health and Human Services Issues New Guidance on Data Risks Associated With Websites and Portals

Jurisdiction: United States, Federal
Citation: Vol. 1 No. 4
Publication year: 2023

Shannon K. Cohall and Susan R. Huntington *

In this article, the authors discuss a bulletin issued by the U.S. Department of Health and Human Services' Office for Civil Rights that provides a broad interpretation of what constitutes electronic protected health information and how "Regulated Entities" may gather, use, and disclose, knowingly and unknowingly, that information using online tracking technologies through websites and portals.

The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) issued a bulletin (the Bulletin) highlighting the obligations of Health Insurance Portability and Accountability Act of 1996 (HIPAA)-covered entities and their business associates (collectively, the Regulated Entities) when using online tracking technologies that collect and analyze information about users through websites, portals, or mobile applications. [1] The Bulletin addresses potential impermissible disclosures of electronic protected health information (ePHI) by Regulated Entities to online tracking technology vendors and provides steps for protecting ePHI when using these technologies. This article summarizes the requirements of the Bulletin and provides practical recommendations to mitigate HIPAA exposures associated with the tracking features of websites and the like.

Background

Online tracking technologies associated with websites and apps provide [2] insightful information regarding the behaviors of users, including what content or features attract visitors and which pages they frequently browse. For website and app owners, these insights are used to enhance the website and app functionalities and design and to provide updates that enrich the user experience. These technologies may allow health care providers to offer more robust, remote, and interactive services to patients. For example, scheduling an appointment with a doctor, ordering online prescription refills, direct messaging, paying bills online, or receiving services through a telehealth visit are now all immensely simpler using an app or a website. The COVID-19 pandemic further empowered [3] this necessary reliance on technology services in health care. However, even with all these benefits to health care access, online tracking technologies also open the door to data misuse through data breaches or identity theft through the software or application vendor.

Defining Tracking Technologies

The OCR released the Bulletin in response to the growing data...
