HIPAA Regulation of Online Tracking Technologies

In a December 2022 bulletin published by the Office for Civil Rights at the U.S. Department of Health and Human Services (HHS), HHS made clear that the use of third-party tracking technologies by covered entities and business associates is subject to HIPAA privacy and security rules. The use of tracking technologies developed by third-party vendors is increasingly common, and much of the LTCi industry is subject to HIPAA privacy and security rules as either covered entities or business associates. HHS noted in the bulletin that covered entities and business associates “are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of [protected health information (“PHI”)] to tracking technology vendors or any other violations of the HIPAA Rules.” And, as applied to the use of tracking technologies, HHS’s view of what constitutes PHI may be broader than expected.