United States of America: Issued Updated Guidance on Online Tracking Technologies for HIPAA Covered Entities and Business Associates

Description

On 18 March 2024, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) issued updated guidance outlining the responsibilities of Health Insurance Portability and Accountability Act of 1996 (HIPAA) covered entities and their business associates when using online tracking technologies. These technologies, necessary for collecting and analysing user interactions with websites and apps, must comply with the HIPAA Privacy, Security, and Breach Notification Rules when handling protected health information (PHI). The guidance emphasises the importance of preventing unauthorised disclosures of PHI, which could result in severe consequences such as identity theft, discrimination, and damage to an individual's reputation or safety. Regulated entities must ensure that the Privacy Rule expressly permits all disclosures of PHI to tracking technology vendors and that proper security measures are implemented to protect electronic PHI (ePHI) from unauthorised access. In addition, regulated entities are required to provide breach notifications for any impermissible disclosure of unsecured PHI. Finally, OCR offers channels for filing privacy complaints.

Scope

Policy Area: Data governance
Policy Instrument: Cybersecurity regulation
Regulated Economic Activity: other service provider
Implementation Level: national
Government Branch: executive
Government Body: other regulatory body

Complete timeline of this policy change

2024-03-18: adopted

On 18 March 2024, the Office for Civil Rights (OCR) at the Department of Health and Human Services …