Health Law Highlights

Online Tracking Technologies and HIPAA Misconceptions

Summary of article from IAPP, by John Haskell:

Misconceptions persist about using online tracking technologies (OTTs) for marketing in compliance with HIPAA. HIPAA requires covered entities to obtain explicit authorization from individuals before using or disclosing their personal health information (PHI) for marketing purposes. Simply signing a Business Associate Agreement (BAA) does not ensure compliance, particularly when PHI is involved. The U.S. Department of Health and Human Services (HHS) has clarified that disclosures of PHI to tracking technology vendors without proper authorizations are impermissible. Additionally, business associates are prohibited from using PHI for their own purposes, such as marketing campaigns. Compliance with HIPAA requires obtaining valid authorizations and adhering to specific guidelines, rather than relying solely on BAAs. Understanding these requirements is crucial to avoid regulatory issues.