On December 1, 2022, the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) issued a 12-page Bulletin highlighting the obligations of HIPAA covered entities (including providers and health plans) and business associates that use online tracking technologies on websites or mobile applications. The Bulletin cautions that HIPAA-regulated entities are not permitted to use tracking technologies in a manner that results in impermissible disclosures of protected health information (PHI) to tracking technology vendors or any other violations of the HIPAA Privacy, Security and Breach Notification Rules. To that end, regulated entities must ensure that such disclosures are permitted by the Privacy Rule and enter into a business associate agreement (BAA) with these tracking technology vendors “to ensure PHI is protected in accordance with HIPAA Rules.” 

For a detailed overview of the Bulletin, including technical steps you can take, please see the following blog post, "HHS: Online trackers without prior authorization and BAAs can violate HIPAA," produced by Norton Rose Fulbright’s dedicated Information Governance, Privacy and Cybersecurity practice group.
