New Guidance on Tracking Technologies and HIPAA

Posted by BAS - 21 March, 2024


The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) recently issued a Bulletin emphasizing the obligations of HIPAA covered entities and business associates regarding the use of online tracking technologies. These technologies, which gather data on users' interactions with websites or mobile apps, are subject to the HIPAA Privacy, Security, and Breach Notification Rules when deployed by or on behalf of a covered entity. Failure to comply with these rules may lead to civil penalties.

When tracking technologies collect or disclose protected health information (PHI), entities subject to HIPAA (health plans, health care providers, health care clearinghouses, and business associates) must ensure compliance with the HIPAA regulations. While some entities may share data with tracking technology vendors, they must avoid unauthorized disclosures of PHI. For instance, sharing PHI with tracking technology vendors for marketing purposes without individuals' HIPAA-compliant authorization is prohibited.

Impermissible disclosures of PHI not only breach the Privacy Rule but also pose various risks, including identity theft, financial loss, discrimination, and mental anguish. Such disclosures can release sensitive information about an individual's health history, treatment frequency, and medical facilities visited.

Given the proliferation of tracking technologies collecting sensitive data, OCR underscores the importance of regulated entities disclosing PHI only as expressly permitted or required by the HIPAA Privacy Rule. The Bulletin provides guidance on how the HIPAA Rules apply to the use of tracking technologies, including considerations for authenticated and unauthenticated webpages, as well as within mobile apps.

A copy of the Bulletin is available on the OCR website.


Benefit Allocation Systems (BAS) provides best-in-class, online solutions for: Employee Benefits Enrollment; COBRA; Flexible Spending Accounts (FSAs); Health Reimbursement Accounts (HRAs); Leave of Absence Premium Billing (LOA); Affordable Care Act Record Keeping, Compliance & IRS Reporting (ACA); Group Insurance Premium Billing; Property & Casualty Premium Billing; and Payroll Integration.

MyEnroll360 can integrate with any insurance carrier for enrollment eligibility management (e.g., Blue Cross, Blue Shield, Aetna, United Health Care, Kaiser, CIGNA, and many others), and with any payroll system for enrollment deduction management (e.g., Workday, ADP, Paylocity, PayCor, UKG, and many others).

Topics: HIPAA, MyEnroll360 Security, Technology News, Cybersecurity
