Updated: Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates

From U.S. Department of Health and Human Services:

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) updated its guidance for regulated entities on the use of online tracking technologies. These technologies, used to collect and analyze user interaction with websites or mobile applications, must comply with the HIPAA Rules if the information gathered includes protected health information (PHI). Unauthorized disclosures of PHI to tracking technology vendors, such as for marketing purposes without HIPAA-compliant authorizations, are impermissible.

The update emphasizes that regulated entities should ensure they disclose PHI only as expressly permitted or required by the HIPAA Privacy Rule. It provides guidance on the application of HIPAA rules to the use of tracking technologies on user-authenticated webpages, unauthenticated webpages, and within mobile apps. For instance, tracking technologies on user-authenticated webpages generally have access to PHI, and tracking technology vendors are considered business associates if they handle PHI.

Unauthenticated webpages, which do not require user login, usually do not have tracking technologies that access PHI. However, in cases where PHI is accessible, HIPAA rules apply. For mobile apps offered by regulated entities, information collected is generally considered PHI, and the entity must comply with HIPAA rules for any PHI the app uses or discloses. However, HIPAA does not protect information users voluntarily enter into non-regulated mobile apps.

Disclosures of PHI to tracking technology vendors must be specifically permitted by the Privacy Rule. If the vendor is a business associate, a business associate agreement (BAA) must be established. The use of tracking technologies should be addressed in the entity’s Risk Analysis and Risk Management processes. If there’s an impermissible disclosure of PHI, breach notification to affected individuals and the Secretary is required. OCR is prioritizing compliance with the HIPAA Security Rule in investigations into the use of online tracking technologies.

Enhanced Nursing Home Ownership Data Required by Biden HHS

From Bloomberg Law, by Tony Pugh:

  • The Biden administration finalized a rule requiring nursing homes to provide more detailed information about their ownership structure, including whether they are owned by private equity firms or real estate investment trusts (REITs).
  • The additional data collected will be made public to allow families to make more informed choices about facilities and to allow outside researchers to study the impact of different ownership models on quality of care.
  • Previous research has found that private equity ownership is associated with higher mortality rates for Medicare patients in nursing homes and increased taxpayer costs per resident.
  • The private equity industry argues that its investments help strengthen struggling nursing homes by providing capital.
  • The new rule implements requirements under the Affordable Care Act to increase transparency around nursing home ownership and oversight structures.

HHS Renews Public Health Emergency Declaration through January 20, 2021

On Friday, October 2, the U.S. Department of Health & Human Services (HHS) announced that the Public Health Emergency (PHE) declaration for COVID‑19 will be renewed for another 90 days, beginning on October 23 (the date the PHE was previously scheduled to expire) and extending through January 20, 2021.

Source: Renewal of Determination That A Public Health Emergency Exists